According to new data from cloud security startup Ermetic, virtually all organizations have identities that, if hacked, would put at least 90 percent of the S3 buckets in their AWS account in danger of being accessed by hackers.
Ermetic investigated the conditions under which ransomware may find its way into Amazon S3 storage buckets. The study’s findings demonstrated that ransomware has a very high potential for spreading in corporate environments.
Scalability, data availability, security, and performance are all provided by Amazon Simple Storage Service (Amazon S3), an object storage service available on Amazon’s cloud. According to Amazon, customers of all sizes and industries may use it to store and safeguard any quantity of data for various use cases across a wide range of businesses. Data lakes, websites, mobile apps, backup and restore, archiving, business applications, IoT devices, and big data analytics are just a few of the applications that may benefit from this technology.
Amazon S3 provides simple management features that allow subscribers to organize data and configure finely-tuned access controls to meet specific business, organizational, and compliance requirements. “Amazon S3 is built for 99.9 percent (11 9’s) endurance,” according to the company, and it stores data for millions of applications used by enterprises all around the globe.
AWS S3 buckets are widely regarded as very dependable and are used with great trust. Nevertheless, many cloud security stakeholders are unaware that S3 buckets are exposed to a significant security risk originating from an unexpected source: identities, according to Lior Zatlavi, senior cloud architect at Ermetic, who wrote in October about the company’s white paper “New Research: The Threat of Ransomware to S3 Buckets.”
As he said in his article, “a hacked identity with a poisonous mix of entitlements might easily conduct ransomware on an organization’s data.”
Specifically, the researchers looked for identities whose permissions would allow them to carry out such an attack but which lacked adequate mitigation or were exposed to a risk factor. Under these circumstances, an attacker who compromised the identity could carry out a ransomware attack on at least 90 percent of the S3 buckets in the AWS account.
It was discovered that when AWS mitigation procedures were not used, there was a substantial chance for ransomware infiltration. The following are some of the findings:
Every environment evaluated had at least one AWS account in which at least one identity, and in many cases many more than one, matched the requirements outlined above.
The conditions above were satisfied by EC2 instances in more than 70% of situations, with the risk element being public exposure to the internet in the remaining 30%.
Furthermore, the permissions granting access to the buckets were far too broad. Simply removing the unneeded permissions would have reduced them considerably without compromising business operations.
In almost 45 percent of cases, IAM (Identity and Access Management) roles were made accessible for third-party use, in some instances with the ability to escalate their privileges to those of an administrator.
This finding is fascinating, and horrifying, for cloud security reasons beyond ransomware. As a result, the S3 buckets in the environment could be compromised and ransomware deployed.
In more than 95 percent of cases, the risk factor was access keys that had been enabled but not rotated for 90 days.
In over 80 percent of cases, IAM users satisfied the criteria above, with the risk factor being access keys that had been enabled but had been inactive for more than 180 days.
Nearly 60% of environments had IAM users that fulfilled the criteria above, with the risk factor being console access that was enabled but did not require multi-factor authentication at login.
More than 96 percent of environments had dormant IAM roles, and over 80 percent of environments had inactive IAM users, that fit the criteria outlined above.
“Smash and grab” operations involving a single compromised identity are the subject of this investigation, and they appear to depict a dire situation, according to Zatlavi.
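As an added example (not code from Ermetic’s report or from this article), the following Python checks an IAM credential report for the three IAM-user risk factors the findings list: console access without MFA, access keys not rotated for 90 days, and access keys unused for 180 days. The report content is a constructed sample in the column layout AWS returns for `aws iam get-credential-report`; the column names, the account id and the report date are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an AWS IAM credential report (assumed to
# match the decoded Content of `aws iam get-credential-report`); only the
# columns this check reads are included, and the account id is a placeholder.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,true,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,true,2021-01-15T10:00:00+00:00,2021-10-01T08:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,false,false,true,2021-09-20T10:00:00+00:00,2021-03-01T08:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,true,true,true,2021-09-25T10:00:00+00:00,2021-10-10T08:00:00+00:00
"""

REPORT_DATE = datetime(2021, 10, 20, tzinfo=timezone.utc)  # assumed "now"
KEY_ROTATION_DAYS = 90   # finding: keys enabled but not rotated for 90 days
KEY_INACTIVE_DAYS = 180  # finding: keys enabled but unused for 180 days


def _days_since(stamp, now):
    """Age in days of an ISO-8601 timestamp; None for AWS's non-date markers."""
    if stamp in ("N/A", "no_information", "not_supported"):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def risk_factors(report_csv, now=REPORT_DATE):
    """Map each IAM user to the risk factors from the findings that apply."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        flags = []
        # Console login enabled without MFA
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flags.append("console_without_mfa")
        if row["access_key_1_active"] == "true":
            rotated = _days_since(row["access_key_1_last_rotated"], now)
            used = _days_since(row["access_key_1_last_used_date"], now)
            if used is None:          # never used: inactive since creation
                used = rotated
            if rotated is not None and rotated > KEY_ROTATION_DAYS:
                flags.append("key_not_rotated_90d")
            if used is not None and used > KEY_INACTIVE_DAYS:
                flags.append("key_inactive_180d")
        if flags:
            findings[row["user"]] = flags
    return findings


if __name__ == "__main__":
    for user, flags in risk_factors(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(flags)}")
```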
Third parties are not a source of danger. First-party identities can be phished or exploited, making them potentially dangerous. According to Tiwari, statistics will most likely show that OWASP (Open Web Application Security Project) attacks and phished identities have been highly persistent threats for a long time.
“The reports that sow fear, uncertainty, and doubt about cloud IAM are deceptive because they ignore that by providing an open, programmable interface for permissions, the cloud makes it possible for the best security tools to scale across an entire organization. Companies that embrace security automation — and start with what matters, their data — will find that the cloud is far more secure than their crusty on-premises environments,” he suggested.