Lightspin: 46% of AWS S3 buckets could be misconfigured and unsafe

Cloud misconfigurations expose organizations to significant risk, according to a new analysis of Amazon Web Services (AWS) Simple Storage Service (S3) buckets conducted by Lightspin, a cloud security provider. In-depth research into 40,000 AWS buckets and their cloud storage permissions found that 46% of AWS S3 buckets could be misconfigured and should therefore be considered unsafe, Lightspin said.

Above: A diagram that explains how AWS evaluates access and assigns definitions to objects within S3 buckets.

Image Credit: Lightspin

Misconfigured S3 buckets can open your cloud environment up to a huge amount of risk. Public read access could lead to a data breach, while public write access can launch malware or encrypt data to hold your company ransom.

Certain AWS cloud storage permissions are currently complex and even obtuse, as one of the AWS access options is defined as “Objects can be public.” As AWS evaluates the access permissions of all files at the bucket level, rather than the object level, an object’s ACL is not considered. In short, the definition “Objects can be public” doesn’t allow organizations to definitively understand whether their objects are accessible or not. The diagram above can help to visualize which objects would be given this classification.

Lightspin’s research revealed that more than 40% of AWS S3 buckets have this definition attached, on top of the 4% that are defined as public. As part of this research, the company created a free, open source Python tool that scans the cloud environment in full and clarfies which objects are public and which are not.

Read Lightspin’s full research into the risks of misconfigured S3 buckets.