Cloud storage solutions like AWS S3 have become indispensable for businesses, offering scalable and reliable data management. However, like many innovative technologies, it introduces significant risk, particularly concerning data exfiltration. Data exfiltration, the unauthorized transfer of data from a system, poses a critical threat to organizations relying on S3 for their data storage needs. Misconfigured permissions, unsecured public buckets, and shared credentials (purposeful or via phishing attacks) can expose sensitive information to malicious actors. In this blog, we will explore the top data exfiltration risks associated with AWS S3 along with some of the capabilities that AuthMind can help enterprises protect their sensitive data.
AWS’s S3 tagline is “Object storage built to retrieve any amount of data from anywhere”. This very flexibility and scale also carries risks that are easily exploited by threat actors and malicious insiders to exfiltrate data. Amazon has published a top 10 best practices for securing S3 storage to help guide users to protect their data, and while thorough, it leaves a lot of opportunity for mistakes and blindspots as evident by the frequency of data breaches due to exposed or misconfigured storage. A few examples include:
To better comprehend the types of exposures, risks, and resulting breaches, it is useful to categorize the exposures into two main groups:
Misconfigured Public Buckets. Threat actors actively scan AWS for exposed buckets using commonly available toolkits. Following AWS’s recommended best practices to prevent these accidental misconfigurations, and actively monitoring for unexpected or new exposed public buckets, are a must for any enterprise.
Unauthorized Access to Private Buckets. These buckets are being accessed due to stolen user credentials, access key+secrets or purposely being shared by an authorized user looking to bypass data loss controls. Unlike accessing public buckets, these can be much harder to detect as differentiating between an authorized, trusted access and an unauthorized access can be very subtle. When sharing out buckets, the most common methods of enabling trusted access are either via granting access to an AWS user or granting programmatic access via an Access Key & Secret.
Image: Selecting AWS Access Type
Based on these authentication methods, a few examples of how an exfiltration incident can occur:
The last method is unique and one of the most challenging to detect. To grasp this better, it's crucial to understand the difference between an AWS Access Key ID and an Access Token. Initially, access may be authorized using an Access Key ID and Secret. Upon successful authorization, the access is granted with an access token (also known as temporary credentials or API keys) to access multiple services or APIs. These access tokens are typically issued with a short duration expiration (usually not more than a few hours) to be used in lieu of credentials or an assertion to enable rapid access to services like S3 buckets until they expire. Because access tokens are intended to be used at high speed and high frequency, they are usually not secured by strong cryptography (like certificates or signing) which introduces a new risk: these access tokens can be shared with other internal or external identities to allow access to sensitive resources in unintended ways. The fact that no changes are made to the S3 configuration makes it difficult to detect by conventional techniques. Simply copying and sharing the access tokens via a text message or a phone camera capture to a 3rd party can be enough to provide access to a S3 resource for a few minutes or hours – and more than enough to exfiltrate data.
AuthMind’s extensive integration with AWS enables it to analyze AWS VPC Flows, S3 audit logs (via AWS CloudTrail) and AWS Managed AD. With these inputs, enterprises gain expanded visibility across their AWS environment, enabling them to monitor who is accessing resources, when, and from where to both their AWS assets and resources like S3 storage buckets.
Detecting unauthorized access to S3 storage buckets or objects is enabled through comprehensive monitoring capabilities that cover the variety of attack methods. AuthMind’s unique and comprehensive approach to identity observability combined with advanced analytics can identify and alert on various exposures and suspicious activities involving S3 storage buckets or objects including:
The combination of these methods enables an enterprise to detect a wide variety of threats and risks that could target their most sensitive data stored in AWS S3 storage.
The integration of AuthMind with AWS resources like VPC flows, S3 storage accesses, and AWS Microsoft AD is agentless, eliminating the need for additional hardware or complex configurations. The setup is straightforward and easy to complete in less than 10 minutes.
To take advantage of this new capability, please contact your AuthMind solution architect to set up the integration. Our team is ready to assist you in deploying this powerful tool to enhance your security posture within the AWS ecosystem.