Amazon S3 Buckets: How to Secure Your Files from Malware



While S3 buckets are commonly used across multiple industries and enterprises, their usage comes with risk, including malicious files being uploaded to these cloud-hosted repositories.

In this blog post, we will explore the concept of S3 buckets, how they are being used, and some common security issues enterprises face when using S3. We will also highlight the need for enhanced security solutions that prevent malicious files from being uploaded, and bring some known breach examples to underscore the risk. Finally, we’ll delve into practical solutions that can help organizations secure their files stored in S3 buckets.

What are S3 Buckets?

Amazon Simple Storage Service (S3) is a leading cloud storage solution that offers scalable data storage via a web service interface. Amazon S3 buckets can be compared to file folders, as they are used by companies to organize their data. S3 is widely used by a broad range of companies across a wide spectrum of industries for storing many different types of data in the cloud. Insurance policyholders share documents with insurance companies, customers share tax and financial documents with banks and financial institutions, patients share medical records with healthcare institutions, and other corporations’ S3 buckets enable employees to upload and collaborate on documents or perform other tasks. In other words, enterprise usage of S3 buckets is expanding exponentially, and it is driven by file sharing between today’s remote workforce and the platform’s ability to host Internet-facing services. 

Common S3 Bucket Security Issues 

While S3’s storage service is a cost-effective and easy-to-use solution, it’s also very easy to overlook S3 security aspects and expose your buckets – and the files within – to malicious attacks. In the aftermath of the global pandemic, a significant number of companies migrated to AWS literally overnight, without dedicated personnel handling their data security strategy, a move that puts their data at risk.

There are multiple ways that S3 bucket data can be breached. One of the most common S3 bucket file security issues occurs when the buckets are unintentionally exposed to the public, either because of human error in placing company data in public buckets, or misconfiguring the buckets’ security settings in the first place.

S3’s bucket policies define which accounts, users, roles, and AWS services can access the files within the bucket and under which conditions. Unfortunately, bucket policies are not intuitive to many users, resulting in these policies being misconfigured and unintentionally exposing company data to unauthorized access.

The Need for Securing S3 Buckets 

Once hackers gain access to the S3 buckets, they can upload malicious files that can cause real damage to an organization. When an individual opens the malicious file – whether an e-form, document, or image – a payload is triggered, causing malware and/or ransomware to be deployed across the network. Research indicates that posting malware within S3 buckets can result in ransomware being distributed through the cloud. Note that while S3 does not support FTP directly, the AWS CLI or an AWS SDK can be used for file uploads.

This can be extremely dangerous because traditional signature-based solutions, such as next-generation antivirus (NGAV) and sandboxing, are unable to detect threats within S3 buckets, enabling these file-borne threats to easily evade detection.

Worse, a study by IBM shows that the average time it takes to detect a breach is 206 days, which means it can take more than six months to actually detect that an environment has been breached, let alone defend against the breach. 

Examples of Malware & Other Breaches Within S3 Buckets 

Several malware attacks were caused by lax S3 file security or misconfigured S3 buckets. Some recent breaches include:

May 2020: Endeavor Business Media, which hosts content for government and private security professionals, admitted that several of their AWS S3 buckets were unsecured and had been infected with malicious credit card skimmer code. The hackers also inserted redirects to mal-advertising campaigns, which involves injecting malicious advertisements into legitimate online advertising networks and webpages with the goal of further spreading the malware.

February 2018: An interactive map of city murders created by the LA Times was hosted in an unsecured S3 bucket that enabled attackers to upload a JavaScript cryptocurrency miner due to the bucket’s public write access. A similar attack was carried out against Tesla because an admin neglected to set the S3 bucket password.

March 2021: Premier Diagnostics admitted that over 50,000 patient records had been breached. The records had been inadvertently stored on two publicly accessible AWS S3 buckets that did not require a password or authentication. Exposed data included medical insurance information, patient data, and other highly sensitive information.

November 2020: Prestige Software, a supplier of software services to the online travel industry, exposed approximately ten million records due to a misconfigured S3 bucket. Exposed data included credit card details, including CVV codes and personally identifiable information (PII) such as names, email addresses, and phone numbers.

Other past high-profile S3 breaches were experienced by FedEx, Verizon, Viacom, Dow Jones, and WWE.

How to Secure File Uploads to S3 Buckets 

Securing the files in your Amazon S3 bucket involves a multi-pronged approach. Enterprises must restrict access to S3 buckets via Bucket Policies or by limiting Identity and Access Management (IAM) user permissions, allowing users only the minimum access and resources required to administer buckets or read/write data. This minimizes the risk of human-related errors, a top driver for data leakage.

Enterprises should also monitor any attempts for malicious activity by using access logging, which captures all requests made to a bucket. It is also good practice to secure the data using S3 encryption – either from the server-side or client-side.
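The bucket-policy and encryption points above can be checked mechanically. The following is an added example, not code from the post or from Votiro: a small Python audit that parses a bucket policy document and flags a wildcard principal that is allowed to write, and the absence of a statement denying uploads that do not request server-side encryption. Both policies, the bucket name and the account ID are constructed samples.

```python
# Constructed sample: a policy with the public-write misconfiguration this
# section warns about (bucket name and account ID are made up).
PUBLIC_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
    ],
}

# Constructed sample: the tightened version. Only one IAM role may upload,
# and any PutObject without SSE-KMS is denied (s3:x-amz-server-side-encryption
# is a real S3 condition key).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UploaderOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Sid": "DenyUnencrypted", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-uploads/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when a statement's Principal grants anonymous (anyone) access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket_policy(policy):
    """Return human-readable findings; an empty list means no issue found."""
    findings, denies_unencrypted = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        sid, actions = stmt.get("Sid", "?"), _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
            writes = [a for a in actions if a.lower() in ("s3:putobject", "s3:*", "*")]
            findings.append(f"{sid}: public write via {writes}" if writes
                            else f"{sid}: public access via {actions}")
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny" and any(
                "s3:x-amz-server-side-encryption" in keys for keys in cond.values()):
            denies_unencrypted = True
    if not denies_unencrypted:
        findings.append("no statement denies unencrypted uploads")
    return findings
```

The same function can be pointed at a live policy retrieved with `aws s3api get-bucket-policy`, since that returns the same JSON document structure.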

Companies should consider the benefits of adding a content disarm and reconstruction solution to the file upload process. Content disarm and reconstruction proactively removes malicious code, even unknown malware, from files, prior to the files entering S3 buckets. With this approach, only clean, safe, business-ready files are uploaded, which reduces risk.

How Votiro Keeps Files in S3 Buckets Safe

Organizations must be able to expand their cloud ecosystem without fear of opening themselves up to increased cyberattacks. Instead of scanning for suspicious elements and blocking some malicious files, Votiro’s cloud-based CDR, backed by Positive Selection® technology, rebuilds each and every document, copying only the known-good, positively selected content and ensuring only the safe elements remain. This means all external documents are sanitized before they penetrate the internal environment, preventing content threats such as ransomware and targeted attacks.

Votiro is different as it can protect the widest breadth of file types, from .ppt, docs, pdfs, and image files, to more complex file formats. Enterprises are secure in the knowledge that all of their files housed within containers — such as Amazon S3 buckets — have been regenerated by Votiro into a safe format that is able to be saved, edited, shared, and recompressed without risk. Ultimately, Votiro’s technology preserves the integrity and functionality of the original file while eliminating all of the malicious elements. 

If you’d like to learn more about how our proprietary technology can secure your Amazon S3 files, please schedule a demo today or visit our AWS Marketplace listing.
