Security researchers identify insecure Amazon S3 buckets

Amazon S3 customers have found themselves in the news too often recently. The reason is the amount of unsecured data sitting on the Amazon storage service.

The latest company to find itself called out for bad data security is FedEx, which exposed 119,000 customer records. But things are about to change.

According to a report by the BBC, a group of security researchers has now started to warn Amazon customers that their data is exposed. The BBC report from Mark Ward claims that they: “..found almost 50 warnings posted to the firm’s servers. Many had more than one warning uploaded to them.”

Ward goes on to say: “The messages urged owners to secure their information before it was stolen by malicious hackers.”

The content of the messages varied. According to Ward: “Some just told the owners that their settings exposed data and others were more explicit in their warnings about what could happen. One said: “Please fix this before a bad guys finds it.””

What does this mean?

The BBC has said that it passed the list of sites it identified on to Amazon so that it could contact its customers. Given the serious nature of data breaches this raises the question: Why has Amazon not done the checking itself? Amazon possesses the skills and knowledge to do the same work as the security researchers and the BBC. However, it appears that it has nobody willing to take responsibility for ensuring customer safety.

What is surprising about this is that the reputation of the Amazon S3 service is beginning to suffer. The service is seen as being insecure although this is a misperception. The issue is more that customers are not configuring the security correctly.

This raises the question of how much easier Amazon could make the security configuration. After all, this is a cloud service. One of the selling points of cloud services is that they are much easier and quicker to configure than traditional solutions, and as such configuration is supposed to be simple.

ET has emailed the AWS-PR account to ask why it is having to rely on third parties to identify insecure S3 implementations. If we receive a reply we will post it here.

 
