Attacking & Defending AWS S3 Bucket

Presented at Diana Initiative 2019, Aug. 10, 2019, 1 p.m. (60 minutes).

In the recent past, various well-known organizations have suffered AWS S3 bucket data leaks that exposed millions of customer records and confidential corporate information. Hackers enumerate publicly accessible S3 buckets because they are like a public share full of juicy information. In most cases, excessive permissions and misconfiguration were the main reasons for the data exposure. In the rush to get the most benefit from the cloud, security considerations are avoided or ignored, leaving S3 buckets exposed. Though organizations are working hard to secure data in the cloud, more effort is required to make sure people, process and technology work hand in hand to protect that data. In this talk, the audience will learn to enumerate public S3 buckets and gain access to them using open source tools. They will then be shown how READ, WRITE, READ_ACP, WRITE_ACP or FULL permissions on buckets/objects can be exploited to download sensitive information or upload unintended content. Following that, AWS security tools, services and features will be recommended to secure and restrict S3 buckets. The emphasis is on customer responsibilities, so that customers understand the importance of their role in securing S3 and avoid misconfigurations.

Presenters:

  • Sapna Singh - Cyber Security Researcher
    Sapna is a security professional with more than 9 years of experience in the cyber security domain. She comes from a background in information security, where she worked as an SME on critical incident investigations, forensics, vulnerability assessment, penetration testing and cloud security assessments for various organizations. She has earned her Master’s degree in “Information Security & Cyber Law”. Prior to that, she completed a Master’s and a Post Graduate Diploma in Computer Application. She has given talks at SANS Summit, Kuwait University, for WTM & GDG and WiCSME sessions. Sapna is an active member of the ‘Women in Cyber Security Middle East’ group, working to empower and mentor women in cyber security. She drives the online knowledge-sharing sessions that provide a platform for women across Middle East countries, where they can express themselves, share their knowledge and learn from each other. She is also a co-organizer of the Kuwait Cyber Security group.
