Hundreds of Amazon RDS Snapshots Discovered Leaking Users’ Data
Hundreds of Amazon relational database service (RDS) instances have been found exposed monthly, with extensive leakage of personally identifiable information (PII).
The discovery has been made by security researchers at Mitiga, who published a post about the findings on Wednesday.
The Platform-as-a-Service (PaaS) tool, first released by Amazon in 2009, provides a database platform based on various optional engines (e.g., MySQL, PostgreSQL, etc.).
When using the RDS service in AWS, users can deploy RDS snapshots to back up the entire database (DB) instance instead of individual databases.
Snapshots can then be shared across different AWS accounts, both internal and external to an organization. Public RDS snapshots, in particular, allow users to share public data or a template database with an application.
“With that, one might unintentionally leak sensitive data to the world, even if you use highly secure network configuration,” Mitiga wrote in the advisory.
Case in point: the company found several snapshots that had been shared publicly for a few hours, days and even weeks, either intentionally or by mistake.
“It’s important to note that making a snapshot public, even for a very short amount of time, can have unwanted outcomes. Our research shows how a threat actor might take advantage of snapshots that are shared for even a short timeframe,” Mitiga wrote in its advisory.
According to Erich Kron, security awareness advocate at KnowBe4, while cloud storage is convenient, it can also be tricky to secure for people unfamiliar with it.
“The ability to do snapshots and share them, while very convenient, is something that can easily lead to issues that leave information exposed.”
The executive explained that while poorly configured permissions within an on-premises network are still a serious issue, the likelihood of such a misconfiguration exposing information to millions of other people can be much lower than in the cloud.
“For organizations that store or process data within the cloud, processes should be in place to ensure that data remains protected even after making changes,” Kron told Infosecurity.
“The practice of having a second person confirm the permissions on data, while it can be inconvenient, can potentially save a lot of labor and the potential for fines, especially in heavily regulated industries.”
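The public-sharing state the article describes is visible through the RDS API: a manual snapshot's `restore` attribute lists the grantee accounts, and the value `all` means any AWS account can restore it, so the second-person permission check Kron recommends can be automated. The script below is an added example, not code from the article, Mitiga or KnowBe4; it assumes boto3 for the live path, and the snapshot names and account ID in the sample are constructed placeholders.

```python
from typing import Dict, List

PUBLIC_MARKER = "all"  # value AWS puts in the 'restore' attribute of a public snapshot


def restore_values(result: Dict) -> List[str]:
    """Accounts (or 'all') in the 'restore' attribute of a DBSnapshotAttributesResult."""
    for attr in result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(result: Dict) -> bool:
    """True when the snapshot can be restored by any AWS account."""
    return PUBLIC_MARKER in restore_values(result)


def audit(results: List[Dict]) -> List[Dict]:
    """Return one finding per public snapshot; shared_with lists every grantee."""
    return [
        {"snapshot": r["DBSnapshotIdentifier"], "shared_with": restore_values(r)}
        for r in results if is_public(r)
    ]


def fetch_and_audit(region: str = "us-east-1") -> List[Dict]:
    """Live variant: only manual snapshots can be made public, so only they are checked."""
    import boto3  # lazy import so the pure logic above runs without AWS credentials
    rds = boto3.client("rds", region_name=region)
    results = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(resp["DBSnapshotAttributesResult"])
    return audit(results)


# Constructed sample in the API's response shape (not real snapshots or account IDs).
SAMPLE = [
    {"DBSnapshotIdentifier": "customers-db-final",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "app-template",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "nightly-backup",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"PUBLIC: {f['snapshot']} shared_with={f['shared_with']}")
```

Run on a schedule (or after any snapshot-sharing change), a non-empty result from `fetch_and_audit()` is the signal to revoke the `all` grant before the window the researchers describe is exploited.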
The Mitiga advisory comes two months after Snyk suggested 80% of organizations suffered a “severe” cloud security incident over the past year.