Another Bucket Bites the Dust... But S3 Shouldn’t Be Your Soft Spot

With the recent announcement of AWS’s enhanced security capabilities for their S3 service, I expect that newsworthy data breaches resulting from misconfigured S3 buckets will be on the decline – a good thing for us all.  But the recent Alteryx data leak is bubbling up a more fundamental problem that we all need to be thinking about.

Continually evolving cloud services are in the hands of more and more employees

The speed at which cloud services are enhanced by cloud service providers like AWS, Microsoft and Google, combined with the democratization of infrastructure deployment is a statisticians playground.   

Cloud service providers are investing in making these deployments safer through more intuitive policy management capabilities, but there is still a lot of gray area for exposures to lurk – Alteryx being one of many examples where the gray area made it to the newswire.  

Our hypothesis? 

The combo pack described above can’t be solved easily using the tools cloud service providers provide today, resulting in a continuing drum beat of data loss stories to come. 

So, what to do?

While cloud configuration policies are still being developed – get some low overhead visibility

Many teams I speak with are still in the process of developing and rolling out internal policies for the who and how, as well as the configuration requirements of IaaS services and resources.   My guess is Alteryx is in that process as well.   My guess is also that Alteryx – along with their esteemed peers who have also found themselves on the front page – didn’t have enough visibility (or at least usable visibility) into all of the AWS resources in use and their associated vulnerabilities.  And they clearly didn’t know the S3 bucket in question was exposed.

What if they had information and visibility like this?

…that all teams responsible for securing their clouds could see, use, and manage to…across all regions, all accounts & VPC’s

…that simply shows you where your specific risks exist…

…which would have told Alteryx that they had improperly configured their S3 ACL’s

…for only $49 per account per month?  

Once your policies are stable – continually identify new services in use and new exposures

As we’ve all experienced, solid and well-executed policies are only one leg of the stool.   Even with strong policy configuration requirements being perfectly executed across all teams, you have to keep evolving. 

Enhancements to ubiquitous resources like S3 and newly launched cloud services are continually afoot…creating new exposure possibilities that weren’t considered in even the finest grain config management requirements.  You have to keep up the visibility.

What if you could continually see newly spun up services, assets and their risks?

Cloud Insight Essentials
  • Auto-discovery of new assets, their configuration state
  • Continually run, without impacting your resource performance or AWS fee’s…

…for $49 a month per account.

Seems like a simple equation to me.  Check out how Alert Logic’s Cloud Insight Essentials can help you avoid leaky S3 buckets, and other exposures from easy to mess up service configurations.

About the Author

Allison Armstrong - Vice President, Product and Technical Marketing

Allison Armstrong

Allison Armstrong has worked in the Cloud and Data Security, IAM, BPM, ITOM and ITFM markets for over 20 years, working with global customers across every vertical from small office through to multi-national corporates, Fed and SLED organizations. In her role as an expert product and market strategist for Alert Logic solutions, she is responsible for developing and implementing the Technical, Product, and GTM strategies for the global business.

More Posts by Allison Armstrong