
Amazon AWS Amazon Web Services users are carelessly leaking tons of sensitive data

Discussion in 'Virtual Private Server (VPS) hosting' started by eva2000, Jun 5, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    28,976
    6,579
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,765
    Local Time:
    2:59 AM
    Nginx 1.13.x
    MariaDB 5.5
    Ouch folks using Amazon AWS services might want to double check their setups https://thenextweb.com/security/2017/06/02/amazon-web-services-leak-data-aws/#.tnw_peoAia2w


     
  2. ArisC

    ArisC Member

    35
    11
    8
    Jun 1, 2017
    Ratings:
    +14
    Local Time:
    7:59 PM
    R.I.P AWS.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Wow, more leaked AWS S3 buckets, this time from Dow Jones: Dow Jones index – of customers, not prices – leaks from AWS repo

    Can be confusing I guess: Introduction to Managing Access Permissions to Your Amazon S3 Resources - Amazon Simple Storage Service
     
  4. ArisC

    ArisC Member

    "Accident" :whistle:
     
  5. eva2000

    eva2000 Administrator Staff Member

    Yeah, scary.. sometimes I do wish Amazon AWS made their configuration for ACL and permissions easier to set up - pretty sure it doesn't need to be as complicated as it is right now.
     
  6. ArisC

    ArisC Member

    Never worked with AWS. I'm a budget guy :) it's sad too lol :penguin:
     
  7. Jon Snow

    Jon Snow Member

    97
    18
    8
    Jun 30, 2017
    Ratings:
    +22
    Local Time:
    1:59 PM
    Nginx 1.13.4
    MariaDB 10.1.26
    Does this affect people using AWS with SES?

    I couldn't find any of the settings and I don't use any of the services mentioned in the post.
     
  8. bassie

    bassie Active Member

    494
    104
    43
    Apr 29, 2016
    Ratings:
    +312
    Local Time:
    6:59 PM
    It does affect all external rent a (VPS) server, without physical access as end user and without knowing who does and who doesn't (staff), you never know who can review your data and who can't, both virtual and physical.

    Apart from the fact that after stopping the rental, who knows if your server is formatted (in)correctly. For example Digital-ocean: Transparency Regarding Data Security
     
  9. eva2000

    eva2000 Administrator Staff Member

    Not exactly the same breach. Above is allowing other AWS IAM authenticated users access to S3 buckets containing data and info files. AWS SES is just an SMTP service, so there is no access to at-rest stored data like in S3 buckets. But improperly set up AWS IAM credentials could allow an IAM user who accesses S3 buckets to also access other AWS services like S3 buckets. It's why I create specific AWS IAM users to only access specific AWS services and drill down to even only accessing a specific AWS S3 bucket name only. That's why you should always use IAM Policy Test Simulator to check your permissions: Testing IAM Policies with the IAM Policy Simulator - AWS Identity and Access Management

     
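An offline check for the two things the post above describes, added here as an example and not code from the thread: it flags S3 ACL grants to the predefined AuthenticatedUsers/AllUsers groups, and IAM policy statements that reach beyond S3 actions on one named bucket. The ACL dict follows the shape of `aws s3api get-bucket-acl` output; the sample ACL, sample policy and the bucket name `example-backup-bucket` are constructed placeholders.

```python
# Added example: offline audit of an S3 ACL and an IAM policy document.
# Sample inputs are constructed; the bucket name is a placeholder.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def as_list(v):
    return v if isinstance(v, list) else [v]

def risky_acl_grants(acl):
    """Return (group, permission) for every grant to a global S3 group."""
    found = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            found.append((uri.rsplit("/", 1)[1], g["Permission"]))
    return found

def overbroad_statements(policy, bucket):
    """Return indexes of Allow statements not confined to s3:* on `bucket`."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    bad = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        if ("NotAction" in st or "NotResource" in st or not actions
                # "*" or another service's action, e.g. ses:SendRawEmail
                or any(not a.lower().startswith("s3:") for a in actions)
                or any(r not in allowed for r in resources)):
            bad.append(i)
    return bad

SAMPLE_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backup-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-backup-bucket"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"},
]}

if __name__ == "__main__":
    print(risky_acl_grants(SAMPLE_ACL))
    print(overbroad_statements(SAMPLE_POLICY, "example-backup-bucket"))
```

A clean result here only covers what the two documents say on their own; the IAM Policy Simulator linked in the post evaluates the combined effect of all policies attached to a user.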
  10. eva2000

    eva2000 Administrator Staff Member

    looks like AWS is reminding users now
    the S3 bucket for me is a public ACL'd static html website/file bucket so ok.