S3 Presigned URLs

Amazon S3 has been in the news lately:

Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password

The RNC Files: Inside the Largest US Voter Data Leak

Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts

S3’s default configuration does not allow public access to the contents of a bucket, but these stories all feature bucket or object permissions that were open to the world. It’s evident that it’s a common mistake, but how can we avoid it?

Public Snapshots

Today’s recommended reading: An Elegant Way to Ruin Your Company’s Day – Introduction to Public AWS EBS Snapshots.

I found the article fascinating because it’s a good look into modern attack strategies. Rather than breaking through defenses, the researchers were able to identify snapshots which had been shared publicly and automatically examine their contents for sensitive-looking data.

Some of the snapshots were only shared for a few minutes at a time, suggesting an intentional collaboration technique. The article demonstrates that even such brief lapses are likely to be exploited. With the private sector’s massive migration to public clouds and the value of those companies’ data, it’s a fair bet that there will always be someone somewhere looking to exploit not-quite-best practices.

Spring 2017 Lab Schedule

We’ll be holding free AWS labs throughout the Spring semester. Here’s the full schedule:

  • January 11 – 1:00 to 4:00 p.m. in 1009 Mechanical Engineering Lab
  • January 25 – 10:00 to 11:30 a.m. in 1009 Mechanical Engineering Lab
  • February 8 – Remote labs from 10:00 to 11:30 a.m.
  • February 22 – 9:30 to 11:00 a.m. in 1001 Mechanical Engineering Lab
  • March 8 – 9:30 to 11:00 a.m. in 27 Illini Hall
  • March 22 – 9:30 to 11:00 a.m. in 27 Illini Hall
  • April 12 – 2:30 to 4:30 p.m. in 1009 Mechanical Engineering Lab
  • April 26 – 2:30 to 4:30 p.m. in 27 Illini Hall
  • May 10 – 9:30 to 11:00 a.m. in 27 Illini Hall
  • June 28 – 9:30 to 11:00 a.m. in 27 Illini Hall

During each lab session, you’ll have your choice of topics:

  • AWS 101: Introduction to EC2
  • Identity and Access Management
  • S3 and CloudFront for content distribution
  • Relational Database Service
  • Automating AWS with CloudFormation
  • Introduction to Lambda
  • Building clusters with Alces Flight
  • Elastic MapReduce

You may run through multiple labs if time allows. An Amazon solutions architect will be on-site with our local staff to offer technical assistance and discuss cloud topics.

Technology Services will grant you access to a shared AWS account for the lab; you don’t need your own. Computers will be available onsite, though you’re welcome to bring your own laptop if you prefer.

Please register here to reserve your seat.

AWS S3 Outage

Amazon has posted their summary of this week’s S3 disruption in us-east-1. While this was just 1 of 60 services in 1 of 16 regions, it had an outsized impact on operations. A number of AWS components and third-party services depend on S3 in us-east-1, and the outage caused widespread service disruptions across the internet.

S3 was the first publicly available Amazon service, and us-east-1 was the first AWS region, which helps explain why so many services were built on this particular instance of the service.

In the summary, Amazon transparently details what went wrong as well as the measures they’re taking to ensure that this class of mistake cannot reoccur. The lesson I’m taking from this is to expect failures, but ensure that you never fail the same way twice.