A Tale of Blunders with AWS Storage

Why Managed Security is Critical

Another AWS S3 security leak was reported, and as a result the private medical records of 150,000 Americans were exposed. This is just the latest in a string of incidents, and it makes us wonder: what good is a storage unit if its doors are constantly left unlocked? That is essentially what is going on in all of these data exposures. To be clear, nobody had to break in, because the doors were left wide open. The list of affected organizations is long, includes large companies, and is growing.

This partial list represents a mere taste of the widely reported incidents that emerge on a seemingly monthly basis, and there are certainly a number of untold incidents that we may never hear about.

This is All a Misunderstanding

The crux of the problem is that there is a lot of misunderstanding surrounding AWS, its elements, and the public cloud. AWS is a tool, albeit a complicated one, that requires training, attention, discipline, and process.

AWS delivers cloud storage under the moniker Simple Storage Service (S3), in constructs known as buckets. In most of these public leak cases, an operator-initiated configuration error made at some point during the configuration of apps and storage resulted in exposed data repositories. This is not exactly an AWS issue. Exposed buckets have their permission settings set to “allow any AWS ‘Authenticated Users’ to download the data via the repository’s URL.” While that sounds secure, it’s not. In this case, the term “Authenticated User” means any user that has opened a free Amazon AWS account, and millions of these users exist.
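The check below is an added example, not code from the original article: it audits bucket ACLs for grants to the predefined “Authenticated Users” and “All Users” groups described above. The ACL dictionaries follow the shape of the S3 GetBucketAcl response; the bucket names, the owner ID and the severity labels are constructed assumptions.

```python
# Added example (not from the original article): flag bucket ACL grants made
# to AWS's predefined global groups. Dicts follow the S3 GetBucketAcl response
# shape; bucket names, canonical IDs and severity labels are constructed.
GLOBAL = "http://acs.amazonaws.com/groups/global/"
RISKY_GROUPS = {
    GLOBAL + "AllUsers": "anyone on the internet",
    GLOBAL + "AuthenticatedUsers": "any holder of an AWS account",
}
# Assumed severity of each ACL permission when a global group holds it.
SEVERITY = {"READ": "high", "READ_ACP": "medium", "WRITE": "critical",
            "WRITE_ACP": "critical", "FULL_CONTROL": "critical"}


def audit_acl(bucket, acl):
    """Return one finding per grant that opens the bucket to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = RISKY_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # named accounts and service groups are out of scope here
        perm = grant.get("Permission", "UNKNOWN")
        findings.append({"bucket": bucket, "audience": audience,
                         "permission": perm,
                         "severity": SEVERITY.get(perm, "review")})
    return findings


def audit_all(acls):
    """Audit every bucket, in name order, and return the combined findings."""
    return [f for name, acl in sorted(acls.items()) for f in audit_acl(name, acl)]


OWNER = {"Type": "CanonicalUser", "ID": "0000example-owner-id"}  # constructed
SAMPLE_ACLS = {  # constructed sample data
    "private-bucket": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "records-bucket": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": GLOBAL + "AuthenticatedUsers"},
         "Permission": "READ"}]},
    "logs-bucket": {"Grants": [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_ACLS):
        print("{severity:8} {bucket}: {permission} granted to {audience}".format(**f))
```

Only the bucket whose ACL names the AuthenticatedUsers group is reported; the owner-only bucket and the log-delivery grant are not.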

Out of the box, AWS defaults to a secure bucket configuration within S3. The slip happens when the user configuring the services wishes to share data with users outside of AWS. While AWS does provide documentation on how to do this securely, it is far too easy and too tempting to essentially make the entire bucket public.

This is a surprisingly simple error to commit, and by all measures it is quite common. It is not the only human-level threat to services out there, because Amazon itself isn’t immune from committing its own blunders. For example, back in February of 2017, an employee in the process of troubleshooting billing systems launched a command intended to bring down a limited number of servers within the S3 system. That command was incorrect and broader in impact than initially thought, and it brought down a significant portion of the cloud giant’s customer base for hours.

The (Complex) Value of AWS

Navigating the sea of AWS complexities is not exactly simple. A bevy of features, capabilities, and even documentation can change at any time. Additionally, the list of features and data options within AWS continues to expand over time.

What this means is that utilizing the company’s services for mission-critical systems requires in-depth, platform-specific knowledge and experience that is hard to come by. For proof, note that AWS provides eight information technology industry career certifications for professionals to pursue. Add up the facts and you can see that while there are tremendous advantages to using a public cloud, there are substantial costs and risks involved as well.

Your Best Option

For many, the best alternative to this mix of threats and risks is to engage with a managed cloud provider. An experienced provider has the long-term experience and personnel that allow businesses to leverage the public cloud while minimizing risks. That same provider will likely have experience working with a number of business types, with a variety of security and compliance needs, so that customers can be assured that not only is expertise available, but best practices will be closely followed. An unmanaged cloud can be a company’s worst mistake. Costs, security, and value can easily be lost without the managed element in place.

With managed cloud services, there is no need to take on the unknowns of Amazon’s AWS cloud. From around-the-clock monitoring to proper configuration to implementing the essential components towards a goal, a partner that is made in the cloud is the best possible partner for business needs. Leveraging a managed service provider like Hostway can help prevent these issues with a fully compliant and secure configuration that can deliver your business value to your customers without fear of making the wrong headlines. Experience the Hostway Difference and request a free security consultation.