S3 Buckets: Not so Simple?

Published On September 5, 2017 | By Jason Wool and Marci Rozen | FTC

Uber has agreed to settle a complaint stemming from allegations that the ride-hailing company made deceptive claims concerning its data security practices following a 2014 data breach. The data breach in question affected an Amazon Web Services (AWS) Simple Storage Service (S3) bucket, and the FTC’s complaint is remarkable in that it focuses on several AWS-specific details to support the Commission’s claims. The timing of the FTC’s complaint is also notable, as a series of public security incidents have come to light over the last several months related to or arising from misconfigured S3 buckets, which have exposed personal records of millions of consumers. Together with these news stories, the FTC’s complaint may lead some to wonder whether the use of S3 buckets for the storage of sensitive data is an inherently risky endeavor, but the truth is that the allegations in the Uber complaint fall neatly within the set of recommended data security practices that the FTC has long heralded.

The FTC’s complaint contains two basic allegations. First, it alleges that Uber claimed that “internal access to consumers’ personal information is closely monitored and audited by data security specialists on an ongoing basis,” when in fact Uber stopped using its automated monitoring system less than a year after it was put in place. Second, the complaint alleges that Uber represented publicly “that it would provide reasonable security for consumers’ personal information stored in its databases,” but failed to implement proper controls on the AWS S3 Datastore storing such personal information. The latter allegation hinges on Uber’s use of S3 buckets “to store a variety of files that contain sensitive personal information,” including “full and partial backups of Uber databases.”

Specifically, the FTC alleges that Uber’s S3 data store:

  • Failed to require programs and engineers that access S3 buckets to use distinct access keys, instead permitting all programs and engineers to use a single AWS access key that provided full administrative privileges over all data in the Uber AWS environment;
  • Failed to restrict access to S3 buckets based on employees’ job functions; and
  • Failed to require multi-factor authentication for access to S3 buckets;

The FTC also alleges that Uber at various times failed to implement reasonable security training and guidance, failed to have a written information security program, and stored sensitive personal information in S3 buckets in clear text, rather than encrypting it.

Although not explicitly noted in the complaint, there are several connections between these security shortcomings and the Commission’s previous data security guidance and enforcement actions:

Failure to monitor network activity

In enforcement actions against EPN, Inc. and Lifelock, Inc., the FTC identified deficient security practices where the businesses did not adequately log network activity or regularly record and review activity on the network, respectively. Additionally, in Start with Security – A Guide for Business, the Commission notes that it has brought enforcement actions against companies that failed to use sufficient measures to detect unauthorized access. When the FTC called out Uber’s use of a single AWS access key for all programs and engineers, the FTC may have had Uber’s ability to adequately monitor its network in mind. According to Amazon: “When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications . . . Anyone who has your access key has the same level of access to your AWS resources that you do.” Uber’s use of a single access key could impair the company’s ability to detect unauthorized access, because users and programs using the access key would be indistinguishable.1

Failure to follow the “least privilege” principle

The FTC essentially alleged that Uber’s practice of providing all engineers with full administrative access to its S3 buckets was a violation of the “least privilege” principle, i.e. that employees should only have the level of access they require to do their jobs. The FTC has repeatedly pointed to the least privilege principle as a core element of reasonable security, including in Start with Security (recommending that employees’ access to a system’s administrative controls be tailored to their job needs), Protecting Personal Information – A Guide for Business (“each employee should have access only to those resources needed to do their particular job”), and in its recent blog series, Stick with Security (“not everyone on your staff needs unrestricted access to all confidential information you keep”). Specifically, in Start with Security, the FTC states that administrative access “should be limited to the employees tasked to do that job.”

Failure to require multi-factor authentication

The Commission has also pointed to multi-factor authentication as an appropriate access control in some contexts, particularly for password storage and remote network access. Especially in light of the latter, it is not surprising that the FTC would expect a company to implement multi-factor authentication in a Platform as a Service environment like an AWS S3 data store.2

One of the big takeaways from the Uber settlement is that cloud environments, especially those that are highly configurable such as AWS, are subject to the same FTC expectations of reasonable security regardless of the fact that cloud platforms are, to some extent, third party operated. The lesson is not that personal information should not be stored in the cloud. Rather, the FTC’s implicit point is that cloud environments are subject to the same broad data security expectations, including with regard to access controls, least privilege, network monitoring, and the like, as warranted by the risk posed by the data in question.

Footnotes
  1. Notably, AWS’s user guide recommends, among other practices, using different access keys for different applications, rotating keys periodically, and perhaps most importantly, creating “an IAM user and grant[ing] that user only the permissions he or she needs,” then generating that user their own access key.
  2. AWS’s user guide also states that AWS “recommend[s] that you configure multi-factor authentication (MFA) to help protect your AWS resources” for security purposes.”

 

About The Authors

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.

Marci counsels companies on a wide variety of issues involving privacy, cybersecurity, and information law. She routinely helps companies evaluate and develop corporate privacy and information security programs, and provides advice on matters involving cross-border data transfers, insider threat prevention and detection, cloud computing, and electronic surveillance. Marci also assist clients in responding to data breaches, including issuing breach notifications required under state and federal breach notification laws, advising on remediation efforts, and handling litigation and enforcement actions arising from data security incidents.

Comments