AWS to Users: Protect Your S3 Storage Buckets

Amazon Web Services Inc. (AWS) has issued a warning to customers to protect their S3 storage buckets, following several reports of confidential data being exposed in wide-open data stores.

Security firms have repeatedly warned about S3 buckets without tight access controls. At least one, UpGuard Inc., has set up a team to search for such troves and publicize each discovery, explaining what data was exposed and what attackers could do with it.

According to recent reports, AWS is now providing more guidance via e-mail, despite having already published extensive security best-practice guidance on its website explaining proper configuration. A Reddit user posted the purported contents of the e-mail. It reads:

"Hello. We're writing to remind everyone that your Amazon S3 bucket access control list (ACL) is currently configured to allow any user to read the Amazon S3 bucket. Below is a list of buckets that have this configuration.

By default, S3 bucket access control lists (ACLs) allow only the account owner to list or delete objects. However, these ACLs may be set up to allow public read access. There are many reasons to make buckets public-read accessible, such as public websites or publicly downloadable content. However, there have been recent disclosures by third parties of S3 account contents that were accidentally made public.

Bucket ACLs can be reviewed in the AWS Management Console (http://console.aws.amazon.com), or using the AWS CLI tools. ACLs permitting "All Users" grant public read access to the related content. For more information on configuring your bucket ACLs, please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

For additional assistance reviewing your bucket ACLs, please visit http://aws.amazon.com/support to create a case with AWS Developer Support.

Your list of buckets configured to allow read access from anyone on the Internet are: [redacted]"

Several readers confirmed the content of the AWS e-mails (as did at least one user on Twitter), and one responded:

"They've been presumably sending these out because S3 has been in the news basically every week at the moment regarding people storing databases or database backups containing sensitive data in public buckets with little/no security attached. It's a good reminder, as this is happening all of the time right now. However, I'm not sure how efficient it will be because a lot of smaller organizations that use AWS still haven't mastered ACLs or bucket policies."

An AWS spokesperson responded to questions from CRN about the e-mails: "With recent public disclosures made by third parties about Amazon S3 bucket contents that customers accidentally configured to allow public access to, we wanted to help customers make sure they don't have bucket access they don't want."

Here are some recent examples:
Last week, UpGuard reported on the discovery of a misconfigured S3 box that allowed access to data concerning millions of Dow Jones & Company customers (see "Yet Another Misconfigured Amazon S3 Box Exposes Dow Jones Customer Data").
UpGuard reported earlier this month that it had discovered account data, including account PINs, concerning Verizon customers (see "Another Widely Open Amazon S3 Bucket Exposed Verizon Customer Account Data").
UpGuard reported in June that another S3 misconfiguration had been discovered, this one by a company working for the Republican National Committee (RNC) (see "AWS S3 Misconfiguration Leaks Personal Information of Nearly 200 M Voters").
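The AWS e-mail above tells customers to review their bucket ACLs with the console or the CLI and explains that grants to "All Users" make a bucket publicly readable. The script below is an added example (not AWS's tooling and not part of the original article) of doing that review programmatically. It inspects the ACL shape returned by `aws s3api get-bucket-acl` / boto3 `get_bucket_acl`, flags grants to the predefined AllUsers and AuthenticatedUsers groups, and walks every bucket a client can see. The sample ACLs and the `FakeS3` client are constructed so the code runs offline; passing a real `boto3.client("s3")` to `audit_buckets` audits the account the caller's credentials belong to.

```python
"""Audit S3 bucket ACLs for public grants (added example; constructed sample data)."""

# Grantee URIs S3 uses for its predefined public groups. AllUsers is anyone on
# the Internet; AuthenticatedUsers is any AWS account holder, which in practice
# is also public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_grants(acl):
    """Return (group, permission) pairs in an ACL that go to a public group.

    `acl` is a dict shaped like a GetBucketAcl response:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": "Group", "URI": ...},
                                 "Permission": ...}, ...]}.
    A bucket-level READ lets the grantee list the bucket's objects; WRITE or
    FULL_CONTROL additionally lets them add, overwrite or delete objects.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def is_public_read(acl):
    """True when anyone on the Internet can list the bucket (the case in the e-mail)."""
    return any(group == "AllUsers" and perm in ("READ", "FULL_CONTROL")
               for group, perm in public_grants(acl))


def audit_buckets(s3):
    """Return {bucket_name: [(group, permission), ...]} for every bucket with a public grant.

    `s3` is any object exposing boto3-style list_buckets() and
    get_bucket_acl(Bucket=...) methods, so a fake can be used offline.
    """
    report = {}
    for bucket in s3.list_buckets().get("Buckets", []):
        name = bucket["Name"]
        grants = public_grants(s3.get_bucket_acl(Bucket=name))
        if grants:
            report[name] = grants
    return report


# Constructed sample ACLs, shaped like real GetBucketAcl responses.
OWNER = {"ID": "constructed-owner-canonical-id"}
SAMPLE_ACLS = {
    "private-backups": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
             "Permission": "FULL_CONTROL"},
        ],
    },
    "public-website": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ],
    },
    "open-to-any-aws-account": {
        "Owner": OWNER,
        "Grants": [
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
             "Permission": "WRITE"},
        ],
    },
}


class FakeS3:
    """Offline stand-in for a boto3 S3 client, backed by SAMPLE_ACLS."""

    def list_buckets(self):
        return {"Buckets": [{"Name": name} for name in SAMPLE_ACLS]}

    def get_bucket_acl(self, Bucket):
        return SAMPLE_ACLS[Bucket]


if __name__ == "__main__":
    # Replace FakeS3() with boto3.client("s3") to audit a real account.
    for name, grants in audit_buckets(FakeS3()).items():
        for group, perm in grants:
            print(f"{name}: {perm} granted to {group}")
```

For a one-off check of a single bucket from the CLI, `aws s3api get-bucket-acl --bucket NAME` returns the same JSON shape that `public_grants` consumes. Note that ACLs are only one of the two ways a bucket becomes public; a bucket policy with a wildcard principal has the same effect, and the reader quoted above is right that both need reviewing.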