Finding and evaluating the effects of improper access control in the Cloud
Abstract: The cloud storage service S3, provided by Amazon Web Services (AWS), has seen many data leaks caused by misconfigured access control. S3 stores arbitrary data in containers called "buckets"; the stored data items are referred to as "objects". This thesis contextualizes the misconfiguration problem by systematically finding vulnerable buckets, where vulnerable means that the bucket grants access rights such as read and write to unauthorized users. AWS has the largest cloud market share as of 2021, and S3 has been available since 2006, yet attacks exploiting these containers are still being reported. Further motivation for the work is that S3 customers include, among others, actors in heavily regulated industries such as finance and healthcare. To find vulnerable buckets, a script was written in Python. The script sends requests to guessed bucket names and determines the access control settings by reading the responses. In addition, three different types of attacks against misconfigured S3 buckets are demonstrated to illustrate what a potential adversary can achieve with a misconfigured bucket. The findings show that approximately 1.0% of the 2345 buckets found and confirmed to exist granted any authenticated AWS user the right to read, write, and modify the access control list, and that approximately 1.3% of the found buckets allowed anyone to modify the access control list. The work emphasizes the importance of configuring the service properly and discusses the wider challenges that organizations face when migrating services to cloud providers.
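The exposure classes counted in the abstract (any authenticated AWS user with read, write and WRITE_ACP; anyone with WRITE_ACP) can be checked directly against a bucket's own ACL. The following is an added example, not the thesis author's script: it parses the XML that S3 returns for a GetBucketAcl request and flags grants to the two predefined global groups. The ACL document below is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# FULL_CONTROL implies every other bucket permission.
EXPANDS = {"FULL_CONTROL": {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}}


def group_grants(acl_xml):
    """Return {group_uri: set(permissions)} for grants to the global groups."""
    root = ET.fromstring(acl_xml)
    grants = {}
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # canonical-user grants are account-specific, not world-facing
        uri = grantee.findtext("s3:URI", default="", namespaces=NS)
        if uri not in (ALL_USERS, AUTH_USERS):
            continue
        perm = grant.findtext("s3:Permission", default="", namespaces=NS)
        grants.setdefault(uri, set()).update(EXPANDS.get(perm, {perm}))
    return grants


def classify(acl_xml):
    """Map an ACL onto the exposure classes reported in the thesis."""
    g = group_grants(acl_xml)
    anyone, authenticated = g.get(ALL_USERS, set()), g.get(AUTH_USERS, set())
    findings = []
    if "WRITE_ACP" in anyone:
        findings.append("anyone may modify the ACL")
    if {"READ", "WRITE", "WRITE_ACP"} <= authenticated:
        findings.append("any authenticated AWS user may read, write and modify the ACL")
    if "READ" in anyone:
        findings.append("anyone may list the bucket")
    return findings


# Constructed sample: a bucket granting FULL_CONTROL to all authenticated AWS users.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>constructed-owner-id</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    print(classify(SAMPLE_ACL))
```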