A Google Cloud Storage bucket leak has brought renewed attention to the risk of misconfigured cloud storage buckets, one of the most common cloud security issues and causes of data leaks.
Alice’s Table, a former contestant on ABC’s Shark Tank, apparently inadvertently leaked more than 37,000 files from a misconfigured Google Cloud Storage bucket, including personally identifiable information (PII) of more than 83,000 customers, such as full names, email addresses, and home addresses.
Some of the accounts were associated with organizations, ranging from Pfizer, PwC, and Charles Schwab to government accounts. The information could be used for malicious purposes, such as phishing and identity theft.
The leak underscores the importance of cloud storage bucket access control, and regularly auditing permissions and monitoring for data leaks.
Cloud storage bucket misconfigurations are surprisingly common – Cyble’s Odin vulnerability search tool is currently detecting more than 332,000 exposed AWS storage buckets and more than 168,000 Google Cloud Storage exposures.
We look at best practices and options for cloud storage access management – and ways to detect unintended or malicious access.
We don’t know exactly what went wrong in the Alice’s Table data exposure, but managing access to cloud storage buckets is a tricky practice that even the largest organizations can get wrong. We’ll look at access control options for cloud storage buckets in Google Cloud, how to make a bucket or objects readable to the public as securely as possible, and options for monitoring and detecting exposed buckets and data.
The best way to secure a Google Cloud Storage bucket is to not make it public in the first place. Access to Cloud Storage buckets is restricted by default, but there may be legitimate reasons why users would want to make a bucket public.
Google Cloud Storage offers two means for controlling access to storage buckets: Identity and Access Management (IAM) and Access Control Lists (ACL). IAM is the preferred method for securing buckets, but ACLs can be used to configure access for specific objects in a bucket.
Google recommends uniform bucket-level access, which disables ACLs and makes IAM the exclusive means for access control. The more fine-grained approach of using IAM and ACLs together poses a greater risk of exposing data, because an object-level ACL can grant access that the bucket’s IAM policy does not show.
Public access prevention is perhaps the strongest control, as it blocks public access regardless of what IAM policies and ACLs grant.
To make all objects in a bucket readable to everyone on the public internet, you can grant the principal allUsers the Storage Object Viewer role (roles/storage.objectViewer). That role includes the permission to list the objects in the bucket, so a safer approach is to grant the Storage Legacy Object Reader role (roles/storage.legacyObjectReader), which lets users fetch objects they already know the name of without being able to enumerate the bucket.
Another way to balance access and risk is to use managed folders, which allow fine-grained access to specific groups of objects within a bucket.
There’s no easy way to detect exposed cloud storage buckets (usage logs are one possible option), so routine audits of bucket access permissions – and potentially removing permissions for allUsers and allAuthenticatedUsers – are a critically important practice.
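The following is an added example (not Cyble’s or Google’s code) that ties together the access-control options above and the audit practice just described: it evaluates a bucket’s uniform bucket-level access setting, its public access prevention setting, and any IAM bindings for allUsers or allAuthenticatedUsers, and reports whether the bucket is private, readable by object name only (the legacyObjectReader pattern), or fully listable. The inputs are constructed dictionaries shaped like the Cloud Storage JSON API bucket resource and IAM policy; the bucket names and grants are invented. The only roles classified are ones the article names plus the standard admin roles; any other public grant is flagged for manual review rather than guessed at.

```python
"""Audit Google Cloud Storage bucket settings for public exposure.

Added example with constructed data; not Cyble's or Google's code. The
dictionaries are shaped like the Cloud Storage JSON API bucket resource
(iamConfiguration.uniformBucketLevelAccess.enabled,
iamConfiguration.publicAccessPrevention) and IAM policy (bindings[].role,
bindings[].members); the bucket names and grants are invented.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let the grantee enumerate every object; listing is what turns a
# public bucket into a bulk download of everything in it.
LISTING_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}
# Read-by-exact-name only, the safer choice for deliberately public content.
READ_ONLY_ROLES = {"roles/storage.legacyObjectReader"}

# Best-to-worst ordering of verdicts.
RANK = {"private": 0, "public-objects": 1, "public-other": 2, "public-listable": 3}


def public_bindings(policy):
    """Yield (role, member) for every grant to allUsers or allAuthenticatedUsers."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                yield binding["role"], member


def audit_bucket(metadata, policy):
    """Return (verdict, findings) for one bucket.

    verdict: 'private', 'public-objects' (readable by exact name only),
    'public-listable' (anyone can enumerate and download), or
    'public-other' (a public grant with a role this audit does not classify).
    """
    findings = []
    iam_cfg = metadata.get("iamConfiguration", {})
    pap = iam_cfg.get("publicAccessPrevention", "inherited")
    ubla = iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False)

    if not ubla:
        findings.append("uniform bucket-level access is off: object ACLs can grant "
                        "access that this IAM policy does not show")

    grants = list(public_bindings(policy))
    if pap == "enforced":
        # Public access prevention wins over any IAM or ACL grant.
        if grants:
            findings.append("public grants present but overridden by public access prevention")
        return "private", findings

    verdict = "private"
    for role, member in grants:
        if role in LISTING_ROLES:
            level = "public-listable"
            note = f"{member} has {role}: anyone can list and download every object"
        elif role in READ_ONLY_ROLES:
            level = "public-objects"
            note = f"{member} has {role}: objects readable by name, bucket not listable"
        else:
            level = "public-other"
            note = f"{member} has {role}: unclassified public grant, review manually"
        findings.append(note)
        if RANK[level] > RANK[verdict]:
            verdict = level
    return verdict, findings


def audit_report(buckets):
    """Map bucket name -> (verdict, findings) for a list of {name, metadata, policy}."""
    return {b["name"]: audit_bucket(b["metadata"], b["policy"]) for b in buckets}


# Constructed sample: a leaky bucket, a deliberately public one, and a locked one.
SAMPLE_BUCKETS = json.loads("""
[
 {"name": "leaky-exports",
  "metadata": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": false},
                                     "publicAccessPrevention": "inherited"}},
  "policy": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
 {"name": "marketing-assets",
  "metadata": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true},
                                     "publicAccessPrevention": "inherited"}},
  "policy": {"bindings": [{"role": "roles/storage.legacyObjectReader", "members": ["allUsers"]}]}},
 {"name": "internal-backups",
  "metadata": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true},
                                     "publicAccessPrevention": "enforced"}},
  "policy": {"bindings": [{"role": "roles/storage.objectViewer",
                           "members": ["allAuthenticatedUsers", "user:admin@example.com"]}]}}
]
""")

if __name__ == "__main__":
    for name, (verdict, findings) in audit_report(SAMPLE_BUCKETS).items():
        print(f"{name}: {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```

To run this against real buckets, feed it the JSON printed by `gcloud storage buckets describe gs://NAME --format=json` and `gcloud storage buckets get-iam-policy gs://NAME --format=json` in place of the constructed sample. Note that the audit treats public access prevention as decisive, mirroring how the service behaves, but it still reports the underlying public grants so they can be removed rather than left relying on one setting.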
Data loss prevention (DLP) tools can help you identify where you have sensitive data stored that needs to be protected, and cloud security posture management (CSPM) tools can help you identify configuration issues.
Other important cloud storage security and compliance practices include object versioning, object encryption, and retention and lifecycle management.
Cyble Odin can help organizations detect exposed cloud storage buckets, and dark web monitoring tools such as those from Cyble can give organizations an early warning when leaks do occur so they can respond faster and take action to secure accounts and data.