- An identity has a combination of permissions that allows it to run ransomware.
- The identity has access to S3 buckets that lack proper mitigation.
- The identity is at risk of being compromised through one or more additional risk factors, such as public exposure to the Internet.
These are the three S3 bucket mechanisms that can be used to mitigate the identified attack vectors:
- MFA Delete: AWS makes it extremely difficult to permanently delete an object. It allows you to require that the bucket owner present two forms of authentication when requesting to permanently delete an object version or to change the versioning state of the bucket.
- Object Locking: Simply put, Object Lock stores objects using a write-once, read-many (WORM) model.
- Bucket Versioning: AWS provides a versioning feature that allows you to set up a bucket to keep versions of the objects stored there. A bucket with versioning enabled will not permanently remove a deleted or overwritten object; instead, the bucket retains the old version and serves the new version.
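The three mitigations above show up in a bucket's configuration, so a defender can audit for them. The following script is an added example, not code from the article or from Ermetic: it evaluates the response shapes that boto3's `get_bucket_versioning` and `get_object_lock_configuration` return and lists which of the three mitigations a bucket is missing. The sample responses at the bottom are constructed, the `fetch` helper (which needs boto3 and AWS credentials) is an assumed convenience wrapper, and the error code it checks is the one S3 returns when a bucket has no Object Lock configuration.

```python
"""Audit an S3 bucket's ransomware mitigations: versioning, MFA Delete, Object Lock.

Added example; evaluates boto3 response dictionaries so it also runs offline.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BucketMitigations:
    versioning: bool
    mfa_delete: bool
    object_lock: bool
    default_retention_mode: Optional[str]  # "COMPLIANCE", "GOVERNANCE" or None

    def gaps(self) -> List[str]:
        """Names of the mitigations this bucket does not have, in a fixed order."""
        missing = []
        if not self.versioning:
            missing.append("versioning")
        if not self.mfa_delete:
            missing.append("mfa_delete")
        if not self.object_lock:
            missing.append("object_lock")
        # Object Lock without a default retention rule only protects objects that
        # were given an explicit retention period, so treat that as a gap too.
        if self.default_retention_mode is None:
            missing.append("default_retention")
        return missing


def assess(versioning_resp: dict, lock_resp: Optional[dict]) -> BucketMitigations:
    """Turn raw get_bucket_versioning / get_object_lock_configuration output into findings."""
    # get_bucket_versioning returns no 'Status' for a bucket that was never versioned;
    # otherwise 'Status' is 'Enabled' or 'Suspended'. 'MFADelete' appears once it was
    # ever set and is 'Enabled' or 'Disabled'.
    versioning = versioning_resp.get("Status") == "Enabled"
    mfa_delete = versioning_resp.get("MFADelete") == "Enabled"

    # lock_resp is None when the bucket has no Object Lock configuration at all.
    object_lock = False
    mode = None
    if lock_resp:
        cfg = lock_resp.get("ObjectLockConfiguration", {})
        object_lock = cfg.get("ObjectLockEnabled") == "Enabled"
        mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    return BucketMitigations(versioning, mfa_delete, object_lock, mode)


def fetch(bucket: str) -> BucketMitigations:
    """Assumed helper: query a real bucket. Requires boto3 and read-only S3 permissions."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    versioning_resp = s3.get_bucket_versioning(Bucket=bucket)
    try:
        lock_resp = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        # Buckets without Object Lock raise this specific error code.
        if exc.response["Error"]["Code"] != "ObjectLockConfigurationNotFoundError":
            raise
        lock_resp = None
    return assess(versioning_resp, lock_resp)


# Constructed sample responses (not captured from a real account).
UNPROTECTED_VERSIONING = {}
SUSPENDED_VERSIONING = {"Status": "Suspended", "MFADelete": "Disabled"}
HARDENED_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
LOCK_WITHOUT_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
HARDENED_LOCK = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    }
}

if __name__ == "__main__":
    for name, ver, lock in [
        ("unprotected", UNPROTECTED_VERSIONING, None),
        ("suspended", SUSPENDED_VERSIONING, None),
        ("lock-no-rule", HARDENED_VERSIONING, LOCK_WITHOUT_RULE),
        ("hardened", HARDENED_VERSIONING, HARDENED_LOCK),
    ]:
        print(f"{name:13s} missing: {assess(ver, lock).gaps() or 'nothing'}")
```

One design note: the script reports the default retention mode but does not treat GOVERNANCE as a gap. Objects in GOVERNANCE mode can still be deleted early by identities holding `s3:BypassGovernanceRetention`, whereas COMPLIANCE mode retention cannot be shortened by any user, so a stricter audit may want to flag GOVERNANCE as well.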
Ermetic’s study found that many situations fit the criteria. The study found that more than 70% of the environments included publicly accessible machines that were linked with identities whose permissions could allow the machines to execute ransomware. “Very few companies know that data stored on cloud infrastructures like AWS can be at risk from ransomware attack, so we conducted this study to investigate whether the right conditions exist for Amazon S3 Buckets to be compromised,” stated Shai Morag, CEO of Ermetic. “We found that almost all accounts tested were susceptible to ransomware in their S3 buckets.” We can conclude that it is not a matter of if but when a major ransomware attack against AWS will occur. The report contains key findings such as:
- In all, we found identities that could perform ransomware on at most 90 percent of buckets in AWS accounts in every sampled enterprise environment.
- More than 70% of environments had machines that were publicly accessible from the internet and were linked to identities whose permissions could have been exploited to allow the machines to execute ransomware.
- Over 45 percent of environments contained third-party identities that could perform ransomware. They did this by elevating their privileges up to administrator level. This is an astonishing finding with potentially dangerous implications.
- Nearly 80 percent of environments had Identity and Access Management (IAM) users that had been disabled for 180 days or more and had permissions that allowed them to run ransomware.
- Nearly 60% of environments had IAM users who had console access without the requirement for MFA at login.