[mandazi]

>At issue is once again an Amazon Web Services S3 cloud storage bucket that was misconfigured and inadvertently left open to the public internet, where anyone with a connection online could have found it.

I use S3 and I have noticed that by default it's locked down and secure and in order for it to be open you have to open it for the public. Maybe AWS could improve the way it can secure the S3 buckets by making it easier to whitelist access by IPs or some variant to this. Although I personally find it fairly straight forward to use in the projects I work on but it appears it may be difficult and my developers just open it up to the public so their apps can easily access it.

[us0r]

> Maybe AWS could improve the way it can secure the S3 buckets

Maybe we can start holding companies accountable?

This isn't someone hacked into their system. This is just being negligent.

[eric_h]

It is just _so_ easy to make the whole thing public vs what it takes for more granular privileges (though I do agree that it's pretty straight forward if you understand how to set bucket policies, etc.). It's really just a couple of clicks in the console - it's a classic usability vs. security problem.

[cm2187]

I have never used it so I don't know how clear is the UI but if we keep seeing people doing the same mistake (leaving an AWS repository open leading to a major data leak) then perhaps there is something wrong about the UI, and how easy AWS makes it to access a private repository.

Also what I don't understand is do AWS storage buckets have directory listing enabled by default? How can a third party guess the URL, unless it is something obvious like /backup.csv.

[mcheshier]

My biggest problem with S3 is the old multi-layered security model with bucket policies and ACLs. They need to update it to just use IAM like everything else.

[kgilpin]

IAM is also super hard to configure.

I would like to see more sense of responsibility from AWS for these leaks rather than blaming the users.

It’s bad usability.

[manigandham]

That's ridiculous. AWS provides infrastructure and tools, it's up to developers and companies to properly deploy them and implement the appropriate security.

[ghaff]

Oh please. AWS can get super-complicated but, especially with the latest console updates, you really have to try to make S3 buckets public. There are good reasons for public buckets; I use them. At this point if you're kicking people, it really is on the developer (or the management of their app dev organization) if they make S3 buckets public "accidentally."

[devonkim]

AWS has Config rules and Macie to help avoid these kinds of data breaches so basically the few excuses left for these now literally come down to variations of laziness or lack of willingness to fund usage of these services (that are really cheap compared to the cost of remediation a data breach disclosure to the public).