Over the past few years we have seen plenty of news about data being stolen from misconfigured Amazon S3 buckets and other cloud-based services. Now attackers are figuring out ways to further abuse these systems beyond simply stealing data.
Many of the buckets subject to this attack were exposed to the public on purpose, since they are hosting content that should be publicly available. The issue here is that the buckets were given permissions that were too elevated for their function – specifically read/write everyone, instead of read everyone.
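The distinction above (read everyone versus read/write everyone) is visible in a bucket's ACL grants. The following is an added example, not code from the original post: it classifies an ACL shaped like the boto3 `get_bucket_acl()` response, flagging any grant to the AllUsers or AuthenticatedUsers group that carries WRITE, WRITE_ACP or FULL_CONTROL. The sample ACLs and the owner ID are constructed.

```python
# Added example (not from the original post): audit S3 bucket ACL grants for
# "everyone" write access. Input has the shape of boto3's get_bucket_acl()
# response; the ACLs below are constructed samples.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # AuthenticatedUsers = any AWS account
# On a bucket, WRITE allows creating, overwriting and deleting objects;
# WRITE_ACP allows changing the ACL itself; FULL_CONTROL grants everything.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (permission, group_uri) for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grant["Permission"], grantee["URI"]))
    return found


def classify(acl):
    """'private', 'public-read' (fine for hosting), or 'public-write' (the misconfiguration)."""
    grants = public_grants(acl)
    if any(perm in WRITE_PERMS for perm, _ in grants):
        return "public-write"
    if grants:
        return "public-read"
    return "private"


# Constructed sample ACLs (owner ID is a placeholder, not a real canonical ID).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
READ_ONLY_ACL = {"Grants": [OWNER,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
READ_WRITE_ACL = {"Grants": [OWNER,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}

if __name__ == "__main__":
    for name, acl in [("private", PRIVATE_ACL), ("read-only", READ_ONLY_ACL),
                      ("read-write", READ_WRITE_ACL)]:
        print(f"{name}: {classify(acl)} {public_grants(acl)}")
```

Against a live account, feed the result of `boto3.client("s3").get_bucket_acl(Bucket=name)` to `classify()` for each bucket; anything reported as public-write should be reduced to READ (or made private) regardless of whether the bucket is meant to host public content.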
Amazon seems to have taken some steps to alleviate the problem recently; when creating new buckets, the wizard is more detailed and explicit about bucket permissions. In the past, permissions depended on the knowledge level of the person implementing them. However, it can still be confusing if you are not familiar with the terminology, or you have not taken a deep dive into the documentation.
I believe some misconfigurations are caused by confusion about permission options as well as the logic of how these permissions are applied. If you are doing anything with configuring policies and ACLs in AWS, please read over the Policy Evaluation Logic documentation; it will greatly aid in configuring your environment correctly.
I hope this helps you understand a little more about this threat and how to mitigate it. If you have any questions, or need help with this issue, or AWS security in general, please contact us at firstname.lastname@example.org.