Thousands of databases hosted on Amazon Web Services Inc.’s Relational Database Service have been found to be leaking personally identifiable information, providing a potential treasure trove for threat actors.

Discovered and detailed today by researchers at Mitiga Security Inc., the exposure comes through a snapshot feature in Amazon RDS that is used to back up the hosted databases. The feature allows users to share public data or a template database with an application, including creating a Public RDS snapshot for sharing without having to deal with roles and policies.

The problem is that the snapshots can often sit exposed for anywhere between minutes to even days and weeks, full of PII that is desirable to threat actors.

“Leaked snapshots might potentially be [a] very valuable asset for a threat actor — either during the reconnaissance phase of the cyber kill chain (databases can include sensitive technical data that can be used for exploitation, like API keys) or for extortion or ransomware campaigns,” the researchers note. “Making a snapshot public, even for a very short amount of time, can have unwanted outcomes.”

To highlight how a threat actor could access the data, the researchers developed an AWS-native technique using AWS Lambda Step Function and boto3 — the software development kit for the programming language Python — to scan, clone and extract sensitive information from RDS snapshots at large scale. Over a month through Oct. 20, the researchers observed 2,783 RDS snapshots, of which 810 were exposed publicly throughout the entire month. Additionally, 1,859 snapshots of the 2,783 were exposed for one to two days, enough time for an attacker to obtain them easily.

Information in the exposed snapshots included addresses, passwords, credit card details, tokens, phone numbers, passport numbers and more, all information that can be used by hackers.

The fault here does not lie with AWS. The researchers note that AWS not only makes RDS users aware of publicly exposed snapshots but also provides tools such as AWS Trusted Advisor that detects security issues and recommends steps to remediate them.

Surprisingly, there is a simple way to share RDS snapshots without exposing PII: encrypting them. The researchers note that AWS enables users to encrypt a snapshot with a shared KMS key, negating the issue.

For organizations that store or process data within the cloud, processes should be in place to ensure that data remains protected even after making changes, Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “The practice of having a second person confirm the permissions on data, while it can be inconvenient, can potentially save a lot of labor and the potential for fines, especially in heavily regulated industries,” Kron added.

Image: PXhere