Major Cloud Misconfigurations - Publicly Accessible Storage Buckets


Cloud computing is now ubiquitous, with approximately 94% of all businesses globally relying on cloud software in some form. In part, cloud computing’s mass adoption is the result of the way the technology has allayed many security fears. In the early days of the technology, security was often cited as one of the main reasons why organizations were reluctant to join the cloud computing movement. Today, however, you are more likely to hear businesses cite integration concerns and managing cloud waste as pressing issues. In fact, 94% of businesses have actually noted an improvement in their security after moving to the cloud.

However, just because some cloud security fears have faded, this doesn't mean there is nothing left to worry about. One of the biggest factors behind cloud security incidents remains misconfiguration, cited by 67% of CISOs as their top cloud concern.

Although security professionals recognize the danger posed by cloud misconfigurations, it is essential that they drill down in greater detail regarding the risks they face. Cloud misconfigurations come in many forms. Below, we explore one of the most common, publicly accessible storage buckets, its potential impact, and the effective strategies you can employ to mitigate the problem.

The problem of publicly accessible storage buckets

The accessibility of cloud storage is one of its major advantages. Businesses can utilize cloud storage to facilitate greater collaboration between their employees, allowing them to download and share files between business units, companies, and even across international borders.

In an era of hybrid work, the ease of access provided by the cloud has become even more important. Higher levels of productivity, job satisfaction, and retention have all been recorded as a result of hybrid working - and this owes a lot to the cloud. But cloud storage can also come with a dark side.

If cloud storage buckets aren't configured with strong access controls (and, where untrusted parties are allowed to write to them, malware scanning of uploaded objects), malicious actors may be able to read data they should never see or upload malware for others to download. Of course, sometimes cloud storage is supposed to be publicly accessible: a company may serve the static files of a public web application from a bucket that anyone on the internet can read.

On other occasions, however, businesses may use the cloud to store sensitive information, whether it relates to employees, partners, or customers. If this is the case, but the cloud storage they are using has been misconfigured to allow storage buckets to be publicly accessed, data can fall into the wrong hands.

There have been various instances of publicly accessible storage buckets leading to reputational or financial damage for businesses. For example, in 2023 a misconfiguration in Microsoft Azure storage meant that 38TB of private data was accessible to anyone possessing the right link: an overly permissive Shared Access Signature (SAS) URL, published in a public code repository, granted access to an entire storage account rather than to the handful of files it was meant to share.

Cloud storage buckets, including those on popular platforms such as Amazon Web Services (AWS) S3, are often set to be publicly accessible by mistake. A 2023 Cloud Security Alliance study found that 21% of publicly exposed S3 buckets contained sensitive data, exposed through misconfigured access control lists (ACLs), overly broad bucket policies, or S3 Block Public Access having been disabled.

Whatever the cause, improperly setting cloud storage to be publicly accessible can have hugely damaging consequences for organizations. Exposure of sensitive data, anything from customer addresses to payment details, can easily result in lost trust and regulatory fines, regardless of whether the information was stumbled upon by accident or deliberately targeted by cyber attackers.


Mitigating the impact of misconfigured storage settings

The worry for businesses is not just that a misconfigured bucket is accessible, but that finding it takes almost no effort. Public buckets are indexed by search engines and enumerated continuously by attackers guessing likely bucket names, so a simple web search or a scan against a wordlist may be all it takes for a malicious actor to read every file you store there, resulting in a potentially serious data breach, exposing sensitive information, and subjecting your business to costly compliance violations.

Looking at AWS S3 alone, access is granted at several layers: a bucket policy can open an entire bucket to the internet, an access control list (ACL) on an individual object can make that one file public even when the rest of the bucket is not, and the Block Public Access settings at bucket and account level decide whether any of those public grants actually take effect. (Since April 2023 AWS has created new buckets with Block Public Access enabled and ACLs disabled by default, but older buckets keep whatever settings they were created with.) Regardless of whether an entire bucket is exposed or a single object's ACL is wrong, if businesses lack clarity over which of their files are open to the public and which are not, breaches and leaks can easily occur.

Fortunately, there are ways for businesses to guard against misconfigurations that leave entire storage buckets, or certain files within them, publicly accessible. First among the recommended mitigations is to regularly audit cloud storage permissions so you have a clear overview of who can access your files. With AWS, for instance, the S3 console labels each bucket's access status as one of "Public", "Objects can be public", "Bucket and objects not public", or "Only authorized users of this account", a label that reflects the combination of the bucket's policy, its ACLs, and the Block Public Access settings that apply to it.

It's then possible to change access settings at three levels: Block Public Access for every bucket in your AWS account, Block Public Access or a bucket policy for a single bucket, and ACLs on individual objects (where ACLs are still enabled for the bucket). Cloud storage users typically have a great deal of access control available to them but, of course, they need visibility into their current settings first, so that exposures don't lie undetected.

Another useful mitigation strategy is using automation tools to monitor and adjust access settings. This is especially effective when organizations have a large number of files contained within cloud storage buckets. Some of these may be of a sensitive nature, but some of them may not be. This is where automation can greatly reduce the manual burden on cloud security teams that may otherwise be tasked with checking access controls for each file.
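The audit, labelling and automation steps above can be tied together in a small script. The following is an added example written for this article; it is not Hadrian's code and not part of any AWS library. It reproduces the four S3 console labels from the three inputs the article describes (the Block Public Access configuration, the bucket ACL, and the bucket policy) and runs over a constructed inventory whose bucket names, ARNs and account ID are hypothetical. The "public policy" test is a simplified form of the one AWS applies, as noted in its docstring.

```python
"""Classify S3 buckets the way the S3 console's "Access" column does.

Added example for this article; not Hadrian's code and not an AWS library. It
combines the three mechanisms the article describes: Block Public Access (BPA),
the bucket ACL and the bucket policy. The inventory at the bottom is constructed
for illustration; its bucket names, ARNs and account ID are hypothetical.
"""
import json

# The two grantee URIs S3 treats as "everyone" and "any AWS account"; both public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_is_public(acl):
    """True if any grant in a get-bucket-acl style ACL goes to a public group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               for g in acl.get("Grants", []))


def policy_is_public(policy):
    """Simplified form of AWS's 'public policy' test: an Allow statement whose
    Principal is '*' (or {"AWS": "*"}) with no Condition. AWS also treats some
    conditioned statements (e.g. a /32 aws:SourceIp) as non-public; this check
    skips that nuance, so it errs towards reporting a policy as public."""
    if policy is None:
        return False
    if isinstance(policy, str):          # get_bucket_policy returns a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):     # a lone statement may be un-listed
        statements = [statements]
    for s in statements:
        if s.get("Effect") != "Allow" or "Condition" in s:
            continue
        p = s.get("Principal")
        if p == "*" or (isinstance(p, dict) and p.get("AWS") == "*"):
            return True
    return False


def classify(bpa, acl, policy):
    """Console label for one bucket. `bpa` is the bucket's effective
    PublicAccessBlockConfiguration (account- and bucket-level BPA combine, the
    more restrictive wins; a missing key counts as False)."""
    bpa = {k: bool(bpa.get(k, False)) for k in BPA_KEYS}
    via_acl = acl_is_public(acl) and not bpa["IgnorePublicAcls"]
    via_policy = policy_is_public(policy) and not bpa["RestrictPublicBuckets"]
    if via_acl or via_policy:
        return "Public"
    if policy_is_public(policy):         # public policy neutralised by BPA
        return "Only authorized users of this account"
    if all(bpa.values()):
        return "Bucket and objects not public"
    # Approximation of the console rule: with any BPA setting off, a principal
    # holding PutObjectAcl or PutBucketPolicy can still expose objects later.
    return "Objects can be public"


def audit(buckets):
    """Map bucket name -> label for a {name: (bpa, acl, policy)} inventory."""
    return {name: classify(*state) for name, state in buckets.items()}


# ---- constructed sample inventory (no real buckets or accounts) -------------
WIDE_OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{  # hardened variant
    "Sid": "AllowReportsReader", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
PUBLIC_READ_ACL = {"Grants": [OWNER, {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}     # what put-public-access-block should set

SAMPLE_BUCKETS = {
    "example-reports-leaky":      (BPA_OFF, PRIVATE_ACL, WIDE_OPEN_POLICY),
    "example-reports-restricted": (BPA_ON,  PRIVATE_ACL, WIDE_OPEN_POLICY),
    "example-website-assets":     (BPA_OFF, PUBLIC_READ_ACL, None),
    "example-reports-fixed":      (BPA_ON,  PRIVATE_ACL, SCOPED_POLICY),
    "example-legacy-no-bpa":      (BPA_OFF, PRIVATE_ACL, None),
}
```

Running `audit(SAMPLE_BUCKETS)` labels the first and third buckets "Public" (one through a wildcard policy, one through an AllUsers ACL grant), the second "Only authorized users of this account" (the same wildcard policy, neutralised by RestrictPublicBuckets), the fourth "Bucket and objects not public", and the last "Objects can be public" because nothing stops a later public ACL. To run it against a real account, feed `classify` the results of a boto3 S3 client's `get_public_access_block` (the error code `NoSuchPublicAccessBlockConfiguration` means none is set), `get_bucket_acl` and `get_bucket_policy` (`NoSuchBucketPolicy`), and cross-check against `get_bucket_policy_status`, whose `IsPublic` flag applies AWS's full public-policy definition. Remediation for every bucket at once is `aws s3control put-public-access-block --account-id <id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`; buckets that are meant to be public then get a deliberate, reviewed exception.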

Finally, although cloud misconfigurations may look like a technical failure, in reality they are often the result of human error. In fact, human error is cited as the leading cause of cloud security breaches by 55% of businesses. It's for this reason that educating staff on secure configuration practices is a hugely effective approach businesses can take to prevent storage buckets from being misconfigured in the first place.

Secure and compliant cloud storage

Cloud storage has delivered clear benefits for organizations in flexibility, scalability, and affordability. Don't let security challenges stemming from misconfiguration prevent you from accessing these advantages.

In order to ensure your storage buckets are only publicly accessible when you want them to be, a mixture of innovative technical safeguards and the right security training is needed. By enlisting Hadrian’s expert solutions, you can guarantee the former is employed alongside all your cloud storage deployments.

Our platform will continuously monitor your cloud storage configurations to identify and remediate publicly accessible buckets. Without increasing the manual burden on your IT team, your business can adjust its access permissions and apply security best practices so that storage buckets are only accessible to authorized users. Guarantee cloud access on your terms with Hadrian.

If you want to find out more about some of the most common cloud security failings seen within companies, from publicly accessible storage buckets to insufficient network segmentation, be sure to check out our new eBook, Top 10 Cloud Misconfiguration and How To Resolve Them.
