Threat Update
Over 50,000 patient records at a Utah-based COVID-19 testing service were exposed due to a common AWS S3 cloud security misconfiguration. This mishap led to a severe breach of patient data confidentiality, giving malicious actors an opportunity to steal patient data and representing a tedious and costly compliance violation failure for the testing service.
Technical Detail & Additional Information
WHAT IS THE THREAT?
On February 22nd, 2021, it was revealed that thousands of ID scans, including passports, driver’s licenses, medical insurance cards, and more were left accessible on the web due to two AWS S3 buckets that were configured without a password or other authentication measures required to access them. Any organization that utilizes Amazon Simple Storage Service (S3) runs the risk of allowing such a vulnerability if AWS S3 security best practices are not followed.
WHY IS IT NOTEWORTHY?
While this particular incident led to the exposure of a medical organization’s protected health information (PHI) and a violation of the Health Insurance Portability and Accountability Act (HIPAA), a misconfigured AWS S3 bucket can lead to a disastrous data breach for any type of organization. Anything you store in a misconfigured AWS S3 instance—whether sensitive client data, proprietary information, or intellectual property—could be accessed and exploited by threat actors.
WHAT IS THE EXPOSURE OR RISK?
When left exposed to the web, an AWS S3 bucket provides anyone, including threat actors, with access to the data within it. Not only does this present potential compliance violations, but it also provides the opportunity for malicious parties to use your organization’s stolen data to inflict further damage on your clients, business activities, and reputation.
WHAT ARE THE RECOMMENDATIONS?
To prevent similar breaches from occurring at your organization, SKOUT recommends familiarizing yourself with the AWS Shared Responsibility Model and hardening your AWS S3 instance by implementing security best practices. These include:
Preventative measures:
- Ensure that your Amazon S3 buckets use the correct policies and are not publicly accessible
- Implement least privilege access
- Use IAM roles for applications and AWS services that require Amazon S3 access
- Enable multi-factor authentication (MFA) Delete
- Encrypt both data at rest and data in transit
- Implement S3 Object Lock
- Enable versioning
- Consider Amazon S3 cross-region replication
- Consider VPC endpoints for Amazon S3 access
Monitoring and Auditing measures:
- Identify and audit all your Amazon S3 buckets
- Implement monitoring using AWS monitoring tools
- Enable Amazon S3 server access logging
- Use AWS CloudTrail
- Enable AWS Config
- Consider using Amazon Macie with Amazon S3
- Monitor AWS security advisories
References:
For more in-depth information about the recommendations, please visit the following links:
- https://sonraisecurity.com/blog/another-s3-bucket-leads-to-breach-of-50k-patient-records/
- https://www.comparitech.com/blog/information-security/utah-covid-test-center-leak/
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
- https://aws.amazon.com/compliance/shared-responsibility-model/
If you have any questions, please contact our Security Operations Center.
