Amazon trying to get ahead of S3 data breaches

There have been some recent data breaches due to misconfiguration of Amazon S3 buckets. But it’s not the fault of Amazon. They provided a tool, and the defaults are generally secure. However, like any tool, it can be misused, perhaps by making a bucket public while forgetting that it has personal or otherwise sensitive information on it. Oops.

One of the latest is the Verizon partner data breach, which released 6 million customer records. A voter database from the GOP stored in Amazon S3 had data from nearly 200 voters. A big question: how many other open S3 buckets holding critical data are still out there?

Amazon has decided to take a proactive stance on this, and they have the best data to do that. They are sending AWS account holders a list of all their S3 buckets that have public access. The AWS account holders should review the list and ensure that public access was intended.

Amazon E-mail to AWS accounts listing public S3 buckets

This is an excellent move by Amazon. Hopefully this will help a lot of AWS account holders to secure their buckets, especially if they have sensitive data.

If you get such an email, make sure the proper people get it and check all the S3 buckets listed. Make sure the next public data breach isn’t yours!
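One way to double-check the buckets on that list, as an added example (not from Amazon's email or this post's original text): the script below flags ACL grants to the predefined public groups and, going a step beyond the ACL, bucket policy statements that allow a wildcard principal. The function names and sample buckets are made up for illustration; the dictionaries are constructed in the shape of the S3 GetBucketAcl and GetBucketPolicy responses so it runs offline.

```python
import json

# Predefined S3 group URIs; an ACL grant to either one makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """(audience, permission) for every ACL grant made to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits

def public_policy_statements(policy_json):
    """(sid, actions, has_condition) for Allow statements with a wildcard principal."""
    hits = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in _as_list(statements):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and "*" in _as_list(aws or []):
            # A Condition may narrow access; report it so a person can judge.
            hits.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", [])), "Condition" in stmt))
    return hits

def audit_bucket(name, acl, policy_json=None):
    return {"bucket": name, "acl": public_acl_grants(acl), "policy": public_policy_statements(policy_json)}

# Constructed sample data (hypothetical buckets, owner ID and account ID).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER]}
WEBSITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"},
    {"Sid": "Partner", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-site/*"}]})

if __name__ == "__main__":
    print(audit_bucket("example-backups", LEAKY_ACL))
    print(audit_bucket("example-site", PRIVATE_ACL, WEBSITE_POLICY))
```

A bucket with an empty ACL result can still be public through its policy, which is why the second sample bucket is reported even though its ACL is private.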