Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches stem from a combination of easily guessable bucket names and error-prone security configurations, which together allow attackers to guess bucket names and access sensitive data with little effort. In this work, we investigate the security of buckets and find that prior studies have largely underestimated cloud insecurity by focusing on simple, easy-to-guess names. Drawing on prior work in password analysis, we introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets. Using Stratosphere, we find widespread exploitation of buckets, and that the prevalence of vulnerable configurations has continued to increase over the years. We conclude with recommendations for operators, researchers, and cloud providers.
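The abstract's two ingredients, a name model learned from observed buckets in the style of password-guessing grammars and a probe that distinguishes a nonexistent bucket from a private one and from a publicly listable one, are illustrated below. This is an added example written for this page, not Stratosphere's code or data: the training names, the S3-style replies and the slot-based PCFG scoring are constructed assumptions, and the "responder" stands in for the HTTP request so the script runs offline.

```python
"""Added example, not Stratosphere's own code: a toy PCFG-style bucket-name
guesser in the spirit of password-guessing grammars, trained on constructed
"observed" names, plus a classifier for the S3-style replies a scanner sees.
Names, replies and the scoring scheme are illustrative assumptions."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from fractions import Fraction
from itertools import product

# Constructed training set (hypothetical names, not data from the paper).
TRAINING_NAMES = [
    "acme-backups", "acme-prod-logs", "acme-dev", "globex-backups",
    "globex-assets-prod", "initech-logs", "initech-backups-2019",
    "umbrella-prod", "umbrella-dev-assets", "hooli-logs",
]
TOKEN_RE = re.compile(r"[a-z]+|[0-9]+")


def slot(tok, pos):
    """Non-terminal: W/D for word/digits, 0 for the leading token, 1 later."""
    return ("D" if tok.isdigit() else "W") + ("0" if pos == 0 else "1")


class BucketNameModel:
    """P(name) = P(structure) * prod P(token | slot); the structure of
    "initech-backups-2019" is (W0, W1, D1).  Counting terminals per slot keeps
    organisation-like words first and suffixes such as "prod" later."""

    def __init__(self, names):
        self.structures, self.terminals, seps = Counter(), {}, Counter()
        for name in names:
            toks = TOKEN_RE.findall(name.lower())
            structure = tuple(slot(t, i) for i, t in enumerate(toks))
            self.structures[structure] += 1
            for s, t in zip(structure, toks):
                self.terminals.setdefault(s, Counter())[t] += 1
            seps.update(re.findall(r"[^a-z0-9]+", name.lower()))
        self.total = sum(self.structures.values())
        self.sep = seps.most_common(1)[0][0] if seps else ""

    def p_token(self, s, tok):
        return Fraction(self.terminals[s][tok], sum(self.terminals[s].values()))

    def guesses(self, top_per_slot=5, exclude=()):
        """Candidate names, most probable first; equal probabilities (kept
        exact with Fraction) are broken alphabetically.  Only the top_per_slot
        terminals of each slot are expanded; exclude drops names already probed."""
        top = {s: [t for t, _ in c.most_common(top_per_slot)]
               for s, c in self.terminals.items()}
        scored = {}
        for structure, count in self.structures.items():
            for combo in product(*(top[s] for s in structure)):
                name = self.sep.join(combo)
                if len(set(combo)) != len(combo) or name in exclude:
                    continue  # skip "acme-logs-logs" and already-known names
                p = Fraction(count, self.total)
                for s, tok in zip(structure, combo):
                    p *= self.p_token(s, tok)
                scored[name] = p
        return sorted(scored, key=lambda n: (-scored[n], n))


def classify_response(status, body):
    """What one anonymous GET on https://<name>.s3.amazonaws.com/ reveals:
    404 NoSuchBucket = unused name; 403 AccessDenied = exists, listing denied;
    301 PermanentRedirect = exists in another region; 200 ListBucketResult =
    anonymous listing allowed, the misconfiguration the abstract describes."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    if status == 200 and root.tag.rsplit("}", 1)[-1] == "ListBucketResult":
        return "public-listable"
    verdict = {"NoSuchBucket": "absent", "AccessDenied": "exists-private",
               "PermanentRedirect": "exists-redirect"}  # redirect: retry at <Endpoint>
    return verdict.get((root.findtext("Code") or "").strip(), "unknown")


# Constructed replies standing in for live HTTP responses.
NO_SUCH_BUCKET = (404, "<Error><Code>NoSuchBucket</Code>"
                       "<Message>The specified bucket does not exist</Message></Error>")
SAMPLE_RESPONSES = {
    "acme-logs": (200, '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                       "<Name>acme-logs</Name><Contents><Key>app.log</Key></Contents>"
                       "</ListBucketResult>"),
    "acme-prod": (403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"),
    "globex-logs": (301, "<Error><Code>PermanentRedirect</Code><Endpoint>"
                         "globex-logs.s3.eu-west-1.amazonaws.com</Endpoint></Error>"),
}


def offline_responder(name):
    """Stand-in for the HTTP request; every other name 'does not exist'."""
    return SAMPLE_RESPONSES.get(name, NO_SUCH_BUCKET)


def scan(model, responder, budget=12, exclude=()):
    """Probe the `budget` most probable unseen names and classify each reply."""
    return {name: classify_response(*responder(name))
            for name in model.guesses(exclude=exclude)[:budget]}
```

Running `scan(BucketNameModel(TRAINING_NAMES), offline_responder, exclude=set(TRAINING_NAMES))` ranks unseen names such as `acme-logs` and `globex-prod` ahead of `hooli-backups` because the grammar has learned both that two-token names dominate and which suffixes recur, which is the point of learning names "in practice" rather than enumerating a fixed wordlist; the `exclude` set is what keeps a scanner's budget on names it has not already probed. The response classifier is the other half of the measurement: a 403 still confirms the name is taken, so only the 200 listing counts as a vulnerable configuration.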