
Study Shows Virtually All AWS Accounts Have Vulnerable Identities Exposing 90% Of S3 Buckets To Potential Ransomware Attacks

Cloud security firm Ermetic found that nearly all businesses have identities that put most of their S3 buckets at risk if compromised.

The researchers found that based on a “toxic combination of overprivileged identities and poorly configured environments,” 90% of the S3 buckets in all AWS accounts they tested were vulnerable to ransomware attacks.

The sobering report concluded that it was not a matter of “if” but “when” a massive ransomware attack on the AWS cloud platform would occur.

Toxic combinations on AWS accounts expose most S3 buckets to ransomware attacks

The Ermetic study found that nearly half (45%) of all AWS accounts had third-party identities that could carry out ransomware attacks by elevating their privileges to admin level.

Additionally, they found that more than 70% of the environments had machines with vulnerable identities publicly exposed to the Internet.

According to the researchers, in 95% of environments, IAM users exposed to the above threats had access keys that had not been rotated for at least 90 days.

The researchers also reported that more than three-quarters (80%) of environments had IAM users with enabled access keys that had been inactive for at least 180 days. Those access keys also carried permissions that would allow their holder to execute ransomware attacks.

In addition, six out of ten (60%) of the environments tested had IAM users with console access without multi-factor authentication (MFA).

According to the report, 96% of environments with inactive user roles and 80% of environments with inactive IAM users were vulnerable to the above risk factors.

The researchers also noted that their study only analyzed the “smash and grab” scenarios featuring a single compromised identity. However, targeted campaigns usually compromise multiple identities and leverage their combined permissions, thus compounding the risk factors for a successful ransomware attack.

“Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” Ermetic CEO Shai Morag said. “We found that in every single account we tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware. Therefore, we can conclude that it’s not a matter of if, but when, a major ransomware attack on AWS will occur.”

Protecting S3 buckets from ransomware attacks

The researchers pointed out that despite the elevated risks of ransomware attacks against S3 buckets, organizations could take various steps to protect their AWS accounts and improve their overall cloud security posture.

They recommended the “least privilege” access strategy to eliminate most toxic combinations necessary for compromising S3 buckets on vulnerable AWS accounts. This strategy involves assigning the “bare minimum of permissions” required for IAM users to perform their jobs. It also involves denying sensitive actions, privatizing all public S3 buckets, separating duties, and removing inactive roles and inactive users from their AWS accounts.

Other suggestions include removing risk factors (rotating access keys, enabling MFA, and disabling unused credentials), logging and monitoring, deletion prevention, and bucket replication.
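The credential risk factors the report quantifies (access keys unrotated for at least 90 days, enabled keys inactive for at least 180 days, console access without MFA) can be checked against the IAM credential report. The Python below is an added example, not code from Ermetic or the article; the sample rows and user names are constructed, and only a subset of the credential report's columns is included.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATE_AFTER = timedelta(days=90)    # report: keys unrotated for at least 90 days
UNUSED_AFTER = timedelta(days=180)   # report: enabled keys inactive for at least 180 days

# Constructed sample: a subset of the credential report's columns, made-up users.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,true,true,2021-09-01T00:00:00+00:00,2021-09-28T00:00:00+00:00,false,N/A,N/A
bob,true,false,true,2021-01-01T00:00:00+00:00,2021-09-20T00:00:00+00:00,false,N/A,N/A
ci-deploy,false,false,true,2020-06-01T00:00:00+00:00,2020-12-01T00:00:00+00:00,true,2021-08-01T00:00:00+00:00,N/A
legacy,false,false,false,2019-01-01T00:00:00+00:00,2019-02-01T00:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """Return an aware datetime, or None for 'N/A' / 'no_information'."""
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit(report_csv, now):
    """Return (user, finding) pairs for the three credential risk factors."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # disabled keys cannot be used, so they are not flagged
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated >= ROTATE_AFTER:
                findings.append((user, f"key {n} not rotated for 90+ days"))
            # A key that was never used counts as idle since it was created or rotated.
            last_activity = used or rotated
            if last_activity and now - last_activity >= UNUSED_AFTER:
                findings.append((user, f"key {n} enabled but unused for 180+ days"))
    return findings

if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable results.
    for user, finding in audit(SAMPLE_REPORT, datetime(2021, 10, 1, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

On a real account, the input is the CSV returned by `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the content is base64-encoded), with `now` set to the current UTC time.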

“This report highlights the urgent need to ‘detect threats’ in the cloud and not just focus on misconfigurations,” says Saumitra Das, CTO and Cofounder, Blue Hexagon. “Research from Cloud Security Alliance shows that even if misconfigurations are detected in S3 buckets or IAM access keys not being used for a long time, it takes a while for these to get detected and remediated – sometimes days, weeks and even months.”

Das noted that it was impossible to guarantee the safety of all AWS accounts. However, the risk of leaked, permissive, or stale identities could be mitigated.