GoDaddy data exposed by AWS employee misconfiguring cloud instance
Data exposures caused by misconfigured Amazon Web Services Inc. cloud storage instances have become so common it’s hard to put a number on them, but in a twist this time, an error by an AWS employee has exposed confidential information from GoDaddy Inc.
The exposure, first uncovered by security firm UpGuard Inc., involved GoDaddy data found to be residing on an Amazon S3 bucket open to the public. The data included high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios.
“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields,” UpGuard noted. “Also included were what appear to be GoDaddy’s discounts from Amazon AWS, usually restricted information for both parties, who must negotiate for rates.”
UpGuard advised GoDaddy that the data was exposed nearly two months ago and it appeared that GoDaddy ignored the advice and continued to expose the data. But this is where the typical misconfigured AWS cloud instance story takes a twist. As it turns out, the public exposure of the data was caused by an Amazon employee.
“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” Amazon said in a statement reported by Dark Reading. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default, and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”
The data is no longer publicly exposed and there’s no evidence of it being stolen for nefarious purposes. And GoDaddy isn’t at fault, but the company uses the promotional line of “website protection you can count on,” so it’s not a good look.
For Amazon, it’s an unfortunate accident in a sea of previous data leak stories where it hasn’t been at fault. To its credit, it accepted liability in this case, but it is concerning that the “accident” happened in the first place.
Image: GoDaddy
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU