Had to be done. Following a number of high-profile data leaks related to improper AWS S3 bucket policies, the cloud giant has begun sending warning emails to users.
More specifically, users that have set public permissions to their cloud implementations.
Users that have their S3 bucket policies set to be publicly accessible are the ones that are getting these emails, which suggest a review of these policies in order to avoid exposure of sensitive data — something that has been in the news these last few couple of months.
This is what Amazon states in the email:
“By default, S3 bucket allow only the account owner to read contents from the bucket; however, these ACLs can be configured to permit world access. While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.
We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend.”
The company also points users to the AWS support documents, recommending them to be careful to setting AWS S3 bucket policies to either ‘All Users’ or ‘Any Authenticated AWS User’, as this practically means granting the world access to their content.
Security experts see this as a great sign that Amazon is sending these messages, however, despite what can be labeled as a PSA, the onus nevertheless remains on the users.
No one should have any excuse not to fix these risk AWS S3 bucket policies, considering the sensitivity and scale of the data they house.