Cameron Ero - The Bucket List: Experiences Operating S3 Honeypots

2017 was a blockbuster year for breaches, with everything from Russian espionage to Equifax. However, if you read between the eye-popping headlines you'll notice another concerning trend - this was the year of S3 bucket incidents. Extensive research has been published about hunting for publicly exposed buckets, and several open source tools exist that make it easy. Unfortunately, not a lot of research has been published from the defensive side. Who is hunting for my buckets, what are they looking for, and what tools are they using? How do I know if someone is attempting to access my S3 assets?

In order to answer these questions, I've been operating a fleet of honeypot S3 buckets for months and closely monitoring who accesses them. During my presentation I will go over my findings as well as some of the tools, techniques, and practices that researchers use to find public buckets plus what they did once they found them. Also, I will discuss how to monitor access to your S3 assets and how to operationalize S3 honeypots within your own organization.