File this under “Disheartening that we are still seeing this“. AWS has this feature where you can make your RDS backups public, making it easy to share them with other AWS accounts to spin up new database instances. Doesn’t mean you should though.
Research team over at MITIGA have published a very exhaustive look at their analysis on how they discovered not only a huge amount of publicly available data backups, but of those, an alarmingly large amount of them that had Personally Identifiable Information (PII) data.
We wouldn’t even call this hacking. Incompetent cloud engineers have packaged up the complete database, and left it out on the doorstep for anyone, passing by, who is interested in it. No need to worry about breaching firewalls, network layers, or even guessing at username/password combinations.
The article’s statistics are demoralizing to anyone in the cloud and security space.
- The total number of snapshots seen in this month (Oct 22) was 2,783
- Of those 2,783 snapshots, 810 snapshots were exposed during the analyzed timeframe
- Additionally, 1,859 snapshots of the 2,783 were exposed for just 1-to-2 days
There simply is no excuse for this sloppy and incompetent practice. It demonstrates a complete lack of respect for security and instead of going down the path of securing with IAM roles, they just thought it easier to make it public. Ease of use I am sure, they said to themselves, convincing themselves no one will know.
As the old saying, with great power comes great responsibility. Learn the tools. We need more name and shaming so people start taking this more serious. Don’t just name the company, but the head of security or cloud that allowed this to happen under their watch.
To read the full report head on over to MITIGA
alan williamson 