Amazon AWS Amazon Web Services users are carelessly leaking tons of sensitive data

Discussion in 'Virtual Private Server (VPS) hosting' started by eva2000, Jun 5, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    Ouch, folks using Amazon AWS services might want to double-check their setups: https://thenextweb.com/security/2017/06/02/amazon-web-services-leak-data-aws/#.tnw_peoAia2w

     
  2. ArisC

    ArisC Member

    R.I.P AWS.
     
  3. eva2000

    Wow, more leaked AWS S3 buckets, this time from Dow Jones: "Dow Jones index – of customers, not prices – leaks from AWS repo"

    Can be confusing, I guess: "Introduction to Managing Access Permissions to Your Amazon S3 Resources - Amazon Simple Storage Service"
     
  4. ArisC

    "Accident" :whistle:
     
  5. eva2000

    Yeah, scary.. sometimes I do wish Amazon AWS made their configuration for ACL and permissions easier to set up - pretty sure it doesn't need to be as complicated as it is right now.
     
  6. ArisC

    Never worked with AWS. I'm a budget guy :) it's sad too lol :penguin:
     
  7. Jon Snow

    Jon Snow Active Member

    Does this affect people using AWS with SES?

    I couldn't find any of the settings and I don't use any of the services mentioned in the post.
     
  8. bassie

    bassie Active Member

    It does affect all externally rented (VPS) servers: without physical access as an end user, and without knowing who does and who doesn't (staff), you never know who can review your data and who can't, both virtual and physical.

    Apart from the fact that after stopping the rental, who knows if your server is formatted (in)correctly. For example, DigitalOcean: "Transparency Regarding Data Security"
     
  9. eva2000

    Not exactly the same breach. Above is allowing other AWS IAM authenticated users access to S3 buckets containing data and info files. AWS SES is just an SMTP service, so there is no access to at-rest stored data like in S3 buckets. But improperly set up AWS IAM credentials could allow an IAM user who accesses S3 buckets to also access other AWS services like S3 buckets. It's why I create specific AWS IAM users to only access specific AWS services, and drill down to even only accessing a specific AWS S3 bucket name. That's why you should always use IAM Policy Test Simulator to check your permissions: "Testing IAM Policies with the IAM Policy Simulator - AWS Identity and Access Management"
     
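The two checks described in the post above (ACL grants open to any authenticated AWS user, and IAM users scoped to one bucket), as an added Python example that is not part of the original thread: it lints JSON shaped like `aws s3api get-bucket-acl` output and an IAM policy document. The sample ACL, the policy, its Sids and the `example-backups` bucket name are constructed; the lint ignores Deny statements and conditions, so it complements the IAM Policy Simulator and does not replace it.

```python
"""Offline lint for the two S3 exposure paths discussed in the thread."""

# Predefined S3 ACL groups that reach far beyond the bucket owner.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def risky_acl_grants(acl):
    """Return (audience, permission) for every grant made to a broad group."""
    return [(BROAD_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("URI") in BROAD_GROUPS]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def out_of_scope(policy, bucket):
    """Return Sids of Allow statements reaching beyond S3 actions on `bucket`."""
    arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", "*"))      # NotAction counts as broad
        resources = _as_list(stmt.get("Resource", "*"))  # NotResource counts as broad
        bad_action = any(not a.lower().startswith("s3:") for a in actions)
        bad_resource = any(r != arn and not r.startswith(arn + "/") for r in resources)
        if bad_action or bad_resource:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample in the shape of `aws s3api get-bucket-acl` output.
SAMPLE_ACL = {"Owner": {"ID": "owner-id-placeholder"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}]}
# Constructed IAM policy; the bucket name and Sids are hypothetical.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupBucketOnly", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "TooWide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "NotJustS3", "Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"}]}

if __name__ == "__main__":
    print(risky_acl_grants(SAMPLE_ACL))
    print(out_of_scope(SAMPLE_POLICY, "example-backups"))
```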
  10. eva2000

    looks like AWS is reminding users now
    the S3 bucket for me is a public ACL'd static html website/file bucket so ok.
     
  11. eva2000

    Another leaked S3 bucket, from Time Warner this time: "Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records"
     