Hack of webpage hosted on S3

0

This domain name has DNS hosted by Route 53. The DNS "A" record is pointed to an S3 bucket. There is a DNS "CNAME" record for "www" that points to the "A" record.

When you visit this URL (without www), you see the file in the S3 bucket that I intended: index.html. When you visit the URL with www, you see a website hosted by a hacker:

http://printsafe.net http://www.printsafe.net

The hacker created a bucket using the "www" version of my domain name. He then uploaded his content to that bucket. AWS and S3 serve the hacker's content when visiting the "www" version of my domain name.

I solved this by modifying the DNS record in Route 53. For the "www" record, I switched the "www" from a CNAME. I changed it to an "A" record that points to 127.0.0.1.

John W
asked 10 months ago · 393 views
4 Answers
1

If you own the domain printsafe.net then you own the DNS record for www.printsafe.net. I'd check that the DNS configuration and bucket settings are correct.

It may be a case of misconfiguration. A hacker can't create a bucket in your subdomain unless they have access to your DNS records. If you suspect this, then contact AWS Support.

Either that or the bucket could be public read/write and someone has modified the code.

Expert
answered 10 months ago
0
Accepted Answer

I do control the DNS. What the hacker did was to configure his own S3 bucket using the "www" variant of my domain name. AWS S3 did NOT detect this or prevent this.

This is a security hole in S3.

John W
answered 10 months ago
  • S3 buckets do not control DNS records. You create an alias to buckets. If you are naming your buckets after your domain name, that's a different matter. Anyone can create a bucket of any name.

0

If you suspect that your AWS account may have been compromised, please contact AWS Support immediately.

To route domain traffic to an S3 bucket, use Amazon Route 53 to create an alias record that points to your bucket. An alias record is a Route 53 extension to DNS. It's similar to a CNAME record, except you can create an alias record both for the root domain, such as example.com, and for subdomains.

AWS
Piotrek
answered 10 months ago
0

Another way to overcome this situation is to put a CloudFront distribution in front of your S3 bucket. This will allow you to use both addresses and your bucket can have any name. See:

  1. Amazon S3 + Amazon CloudFront: A Match Made in the Cloud.
  2. Speeding up your website with Amazon CloudFront
  3. AWS Free Tier Data Transfer Expansion – 100 GB From Regions and 1 TB From Amazon CloudFront Per Month
AWS
Expert
kentrad
answered 10 months ago
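
Added example, not part of the original thread: a Python check for the situation in the question, where a hostname resolves (directly or through a CNAME chain) to an S3 website endpoint but no bucket of that exact name exists in your account. It assumes records in the shape returned by Route 53's ListResourceRecordSets and a set of bucket names you own; the function names, the example.com records and the region are constructed for illustration.

```python
import re

# S3 static-website endpoints, e.g. s3-website-us-east-1.amazonaws.com
S3_WEBSITE = re.compile(r"(^|\.)s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

def norm(name):
    return name.rstrip(".").lower()

def resolves_to_s3_website(name, records, seen=None):
    """Follow alias/CNAME targets inside the zone until an S3 website endpoint is hit."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against CNAME loops
        return False
    seen.add(name)
    for rec in records:
        if norm(rec["Name"]) != name or rec["Type"] not in ("A", "AAAA", "CNAME"):
            continue
        targets = []
        if "AliasTarget" in rec:
            targets.append(rec["AliasTarget"]["DNSName"])
        if rec["Type"] == "CNAME":
            targets += [r["Value"] for r in rec.get("ResourceRecords", [])]
        for target in map(norm, targets):
            if S3_WEBSITE.search(target) or resolves_to_s3_website(target, records, seen):
                return True
    return False

def unclaimed_hostnames(records, owned_buckets):
    """Hostnames served by S3 website hosting whose same-named bucket you do not own.
    The website endpoint picks the bucket from the requested hostname, so each
    such hostname needs a bucket of exactly that name in your account."""
    owned = {b.lower() for b in owned_buckets}
    names = sorted({norm(r["Name"]) for r in records})
    return [n for n in names
            if n not in owned and resolves_to_s3_website(n, records)]

# Constructed sample zone mirroring the layout described in the question.
SAMPLE = [
    {"Name": "example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "s3-website-us-east-1.amazonaws.com."}},
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "example.com"}]},
    {"Name": "mail.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
]

if __name__ == "__main__":
    print(unclaimed_hostnames(SAMPLE, {"example.com"}))
```

Any hostname it reports should either get its own bucket in your account (it can simply redirect to the main site) or have its record removed or repointed.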
