Virtualization Technology News and Information
Lightspin Research Team Discovers Cross-Account Attack Path Leveraging Dangerous S3 Bucket Permissions on AWS
Lightspin announced the discovery of a new method of cross-account attack, leveraging AWS S3 buckets. If leveraged, this attack can cause a real and measurable impact to a business' bottom line, by opening up certain AWS buckets to unauthorized writes from any AWS account.

Lightspin found this potential misconfiguration as part of its ongoing research into AWS S3 buckets, while researching examples of S3 buckets using the standard AWS bucket permissions. Misconfigured S3 buckets have caused many high-profile attacks, including Booz Allen Hamilton that exposed 60,000 files related to the Dept of Defense and Verizon's recent exposure of more than 6 million customer accounts. 

After inspecting 40,000 Amazon S3 buckets, Lightspin found that, on average, the "objects can be public" permission applies to 42% of an organization's objects on AWS overall. During the research, Lightspin discovered that it's possible for hackers using AWS Cloudtrail and Config to write to buckets held by other accounts even if those buckets aren't public. This is due to the fact that even private buckets can have policies that allow access from any AWS account.  Cross-Account attacks on AWS services are difficult to detect and thus can remain undetected for a long time.

"AWS doesn't provide the ability to drill down from a bucket to see the status of all the objects it contains," said Vladi Sandler, CEO of Lightspin. "In order to be sure that objects are "safe", its necessary to go through each object's ACL to check if it is open to the public. We recognize that organizations need better context, so we have developed an open-source scanner that provides exactly this - the visibility and the context to know exactly what objects are publicly accessible, at a glance."

While Lightspin only checked Cloudtrail and Config, other AWS Services that use S3 buckets to store their data by default may also be at risk from this misconfiguration attack path, and in those cases, may even provide read permissions. 

For access to the Lightspin research findings, click here. To download the open source scanner to see which objects are publicly accessible click here.
Published Friday, June 04, 2021 7:40 AM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<June 2021>