Threat Intelligence

Are You Protecting Your Amazon S3 Data from Being Locked by Attackers?

Key Insights

Attackers can misuse valid AWS login details to lock or encrypt your files stored in S3 cloud storage, making them inaccessible. By following some security best practices, you can significantly reduce the risk of unauthorized encryption and better protect your data.

Who should read this?

  • Individuals – Anyone who uses Amazon S3 to store sensitive or critical files, including developers and IT administrators.
  • Organizations – Businesses using AWS S3 for storage, especially those dealing with high-value or sensitive data, should understand these security risks and take necessary precautions.

What’s the problem?

Attackers can steal your login details and use them to lock your files in Amazon S3, a cloud storage service. When they do this, your files get encrypted (locked), and you can’t open them unless you have the decryption key. This is dangerous because it could lead to data loss or even a ransom demand where you’re forced to pay to get your files back.

How does it happen?

  • Attackers steal your login info – Attackers find a way to get your login details (just like stealing a password), allowing them to access your Amazon S3 account.
  • They lock your files – Using the stolen login details, attackers can “encrypt” your files, which means they lock them with a new password (or encryption key). Only the attackers know this new password.
  • You can’t access your files – Without the new encryption key, you won’t be able to open or use your files. This could cause serious problems, especially if your files are important for your business or personal use.

Why does this happen?

  1. Credentials give access to files – When attackers have your stolen credentials or login info, they can easily access your files. This means they could steal your sensitive data, lock you out, or encrypt files for ransom.
  2. Weak credentials (Long-term keys) – If you use long-term credentials (login information that never expires), they are more likely to be stolen by attackers. When these keys are exposed, attackers can use them anytime to access your data.
  3. Lack of monitoring – If you don’t keep track of who’s accessing your data, you might not notice when someone is trying to lock or change it. Without proper monitoring, attackers can make changes without you realizing.

What’s the impact?

  • Locked files: If your data is locked, you may be unable to access critical information, which can stop your business from running smoothly.
  • Financial costs: You might have to pay a ransom to get your files back or spend money trying to recover your data.
  • Reputational damage: If customers or clients hear about your data being locked, they might not trust you with their information again.
  • Legal issues: If your data contains personal or sensitive information, failing to protect it properly can lead to legal trouble.

How to stay safe?

For individual users

  1. Don’t use long-term login keys: Avoid using permanent login credentials. Instead, use short-term keys that expire after a certain time. This way, if attackers steal them, they can’t use them for long.
  2. Turn on S3 versioning: S3 Versioning allows you to keep multiple copies of your files. If someone locks or deletes a file, you can easily restore a previous version.
  3. Use extra security (Multi-Factor Authentication): Enable Multi-Factor Authentication (MFA). This means even if attackers steal your login details, they still can’t access your files without a second password, like a code sent to your phone.
  4. Monitor who accesses your files: Keep track of who’s accessing your data. Use tools like AWS CloudTrail to watch for any strange activity, such as unusual attempts to change or lock your files.
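As an added illustration of the monitoring step (example code written for this advisory, not a tool from AWS or from the page's sources), the script below triages a handful of constructed CloudTrail S3 records. It assumes three things that are not stated on this page: each log line is one CloudTrail record in JSON; S3 data events carry additionalEventData.SSEApplied with the value "SSE_C" when a request used customer-provided keys; and access key IDs beginning with "AKIA" are long-term IAM user keys while "ASIA" keys are temporary. The account ID, bucket name, key IDs and timestamps are made up.

```python
"""Triage S3 CloudTrail records for the encrypt-and-lock pattern.

Assumptions (not from the advisory): one JSON record per line;
additionalEventData.SSEApplied == "SSE_C" marks customer-key encryption;
"AKIA..." key IDs are long-term, "ASIA..." are temporary.
"""
import json
from collections import defaultdict

# Constructed sample records: account, bucket, key IDs and times are fictional.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-14T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001",
                      "arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-archive-example", "key": "ledgers/2024-q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-14T09:12:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CopyObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001",
                      "arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-archive-example", "key": "ledgers/2024-q3.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-14T09:13:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001",
                      "arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-archive-example",
                           "LifecycleConfiguration": {"Rule": {"Expiration": {"Days": 1}, "Status": "Enabled"}}}},
    {"eventTime": "2025-01-14T09:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE00000002",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Reporting/session1"},
     "requestParameters": {"bucketName": "finance-archive-example", "key": "ledgers/2024-q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-14T09:15:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE00000002",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Reporting/session1"},
     "requestParameters": {"bucketName": "finance-archive-example", "key": "reports/summary.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-14T09:16:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE00000001",
                      "arn": "arn:aws:iam::111111111111:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-archive-example",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
]
# Newline-delimited form, as a log shipper would hand it to a detection job.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

LONG_TERM_PREFIX = "AKIA"  # assumption: IAM user keys that never expire
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def classify_event(event):
    """Return the list of findings for one CloudTrail record (empty if benign)."""
    findings = []
    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    if key_id.startswith(LONG_TERM_PREFIX):
        findings.append("long-term-key")
    name = event.get("eventName", "")
    params = event.get("requestParameters", {}) or {}
    sse = (event.get("additionalEventData") or {}).get("SSEApplied")
    if name in WRITE_EVENTS and sse == "SSE_C":
        findings.append("sse-c-write")          # object written with a key AWS does not hold
    if name in LIFECYCLE_EVENTS:
        findings.append("lifecycle-change")     # expiry rules can purge originals/versions
    if name in ("DeleteObject", "DeleteObjects") and "versionId" in params:
        findings.append("version-delete")       # removing the recovery copies
    if name == "PutBucketVersioning" and params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
        findings.append("versioning-suspended")
    return findings


def triage(log_text):
    """Parse newline-delimited records and group findings by access key ID."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify_event(event)
        if findings:
            key_id = event.get("userIdentity", {}).get("accessKeyId", "<none>")
            bucket = (event.get("requestParameters") or {}).get("bucketName")
            report[key_id].append((event.get("eventName"), bucket, findings))
    return dict(report)


def needs_escalation(report):
    """Keys that both wrote SSE-C objects and touched recovery controls."""
    escalate = []
    for key_id, entries in report.items():
        tags = {t for _, _, findings in entries for t in findings}
        if "sse-c-write" in tags and tags & {"lifecycle-change", "version-delete", "versioning-suspended"}:
            escalate.append(key_id)
    return sorted(escalate)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key_id, entries in rep.items():
        for name, bucket, findings in entries:
            print(f"{key_id} {name} {bucket} {findings}")
    print("escalate:", needs_escalation(rep))
```

Running it on the constructed log flags the long-term key that re-encrypted two objects with SSE-C, then shortened the lifecycle and suspended versioning; the temporary-key session that read and wrote SSE-KMS objects produces no findings. In production the same classifier would run over CloudTrail data events delivered to CloudWatch Logs or an S3 log bucket, with the escalation list feeding an alert.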

For organizations

  1. Use temporary login information: Stop using permanent login details (access keys) that don’t expire. Instead, use temporary login keys that automatically expire after a set time. These temporary keys are safer because even if a hacker steals them, they can only use them for a short time before they stop working.
  2. Watch for unusual activity: Set up tracking (called logging) to monitor all actions on your S3 data. This allows you to see when anything unusual happens, like large amounts of data being copied or accessed. You can also set up alerts to notify you immediately if something suspicious occurs, helping you quickly respond to potential threats.
  3. Control who can do what: Set rules to block certain types of encryption, such as server-side encryption with customer-provided keys (SSE-C), unless a specific service genuinely needs it. This prevents unauthorized encryption that could lock your data.
  4. Have a backup plan: Make sure you back up your important files in different places (e.g., another S3 bucket or AWS account). You can also set up automatic rules to manage older versions of your files, such as deleting or archiving them, which helps save storage space and reduce costs.
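The "control who can do what" and "backup plan" steps above can be expressed as concrete bucket settings. The code below is an added example for this advisory, not AWS's published guidance or any tool's output: it builds a bucket policy that denies object writes requesting SSE-C unless they come from an explicitly allowed principal, denies changes to versioning, lifecycle rules and version deletion except by named administrators, and builds a lifecycle configuration that keeps old versions for a set number of days. The IAM condition key s3:x-amz-server-side-encryption-customer-algorithm and the actions used are real AWS names; the bucket name, account ID and role names are placeholders, and the small simulate_put evaluator only understands the statements this script generates.

```python
"""Bucket policy and lifecycle builders for S3 anti-lockout hardening.

Added example; bucket, account and role names are placeholders. The policy
uses the real condition key s3:x-amz-server-side-encryption-customer-algorithm,
which is present on a request exactly when the caller asked for SSE-C.
"""
import json


def hardening_policy(bucket, sse_c_allowed=(), recovery_admins=()):
    """Return a bucket policy (dict) blocking SSE-C writes and protecting recovery controls."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"

    deny_sse_c = {
        "Sid": "DenySSECUnlessAllowed",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": objects_arn,
        # Null == "false" means the key IS present, i.e. the request asked for SSE-C.
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
    }
    if sse_c_allowed:
        # Exempt only the principals that have a real need for customer-provided keys.
        deny_sse_c["Condition"]["ArnNotEquals"] = {"aws:PrincipalArn": list(sse_c_allowed)}

    protect_recovery = {
        "Sid": "ProtectRecoveryControls",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:PutBucketVersioning", "s3:PutLifecycleConfiguration", "s3:DeleteObjectVersion"],
        "Resource": [bucket_arn, objects_arn],
    }
    if recovery_admins:
        protect_recovery["Condition"] = {"ArnNotEquals": {"aws:PrincipalArn": list(recovery_admins)}}

    return {"Version": "2012-10-17", "Statement": [deny_sse_c, protect_recovery]}


def retain_versions_lifecycle(noncurrent_days, keep_newest=5):
    """Lifecycle configuration that expires old versions only after a grace period."""
    return {"Rules": [{
        "ID": "retain-noncurrent-versions",
        "Status": "Enabled",
        "Filter": {},
        "NoncurrentVersionExpiration": {
            "NoncurrentDays": noncurrent_days,
            "NewerNoncurrentVersions": keep_newest,
        },
    }]}


def _actions(stmt):
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def simulate_put(policy, principal_arn, sse_c_header_present):
    """Minimal evaluator for the Deny statements built above (not a full IAM simulator).

    Returns "Deny" if a Deny statement on s3:PutObject matches, else "NotDenied".
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _actions(stmt):
            continue
        cond = stmt.get("Condition", {})
        null_rule = cond.get("Null", {}).get("s3:x-amz-server-side-encryption-customer-algorithm")
        if null_rule == "false" and not sse_c_header_present:
            continue  # header absent, so the Null condition does not match
        exempt = cond.get("ArnNotEquals", {}).get("aws:PrincipalArn", [])
        if principal_arn in exempt:
            continue  # allowed principal, deny does not apply
        return "Deny"
    return "NotDenied"


if __name__ == "__main__":
    policy = hardening_policy(
        "finance-archive-example",
        sse_c_allowed=["arn:aws:iam::111111111111:role/LegacyEncryptor"],
        recovery_admins=["arn:aws:iam::111111111111:role/StorageAdmin"],
    )
    print(json.dumps(policy, indent=2))
    print(json.dumps(retain_versions_lifecycle(90), indent=2))
    user = "arn:aws:iam::111111111111:user/alice"
    print("alice SSE-C put:", simulate_put(policy, user, True))
    print("alice SSE-KMS put:", simulate_put(policy, user, False))
```

The generated documents are the same shape the AWS CLI and SDKs accept for put-bucket-policy and put-bucket-lifecycle-configuration. Keep the exemption lists short and review them with the same care as the admin group: any principal on them can bypass the protection, and a compromised long-term key belonging to one of them gets the same bypass.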

