The NOC team escalated the ticket to me as a Severity 1 incident: our vulnerability scanning tool, Tenable Nessus, had discovered that an AWS FTP account may have been configured to have an inappropriate level of access, potentially exposing data that should have been restricted.
A Sev1 meant potential data breach, immediate business impact, and leadership was going to want answers fast. I had zero prior experience managing this particular AWS service (Transfer Family) that handled SFTP access to S3 storage.
I didn’t wait and jumped on AWS. I knew time was of the essence because a data leak can be catastrophic.
As I was logging in to AWS I notified the team and started to look for where the permissions were set for that problematic IAM account.
I navigated to the S3 bucket configuration where the FTP service was connecting. Examining the IAM permissions, I could immediately see the problem: the permission set attached to the FTP user was far too broad, because the “jail” was not enabled for that user, effectively granting access to multiple buckets and folders beyond what was needed.
I quickly created a new permission set that gave that IAM user access to zero AWS services and folders. I then created a new IAM role and assigned that new role to the problematic user. Then I prepped the user account so it would be properly locked down if we ever re-enabled it, by enabling the “jail” for that user so they would be limited to their designated directory.
But the user was still effectively disabled until I further verified the extent of any potential damage.
Total time from escalation to resolution: 15 minutes.
After securing the immediate threat, I spent the next 45 minutes:
- Reviewing FTP access logs in AWS to verify whether any data had actually been accessed inappropriately
- Checking for any signs that someone might have attempted to break out of their designated FTP directory structure
- Documenting exactly what I had done
The investigation showed the exposure was a configuration issue rather than active exploitation – poor initial setup rather than malicious activity. A review of the logs assured us that only one legitimate actor from one IP address had access to that share, that there were no attempts to break out of their directory structure, and that NO data was exfiltrated from the company.
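The two technical steps above, locking the user into their own directory and then reading the session logs for breakout attempts and bytes transferred, are concrete enough to show in code. The block below is an added example and not part of the original post or the author's environment: a least-privilege Transfer Family session policy using the documented `${transfer:...}` variables, a deny-everything quarantine policy for a user under investigation, and a small triage pass over SFTP session logs. The bucket name `acme-transfer`, the user `alice`, the IP address and every log line are constructed, and the `<user>.<session> EVENT Key=Value` log shape is an assumption to be adjusted to whatever the server actually writes to CloudWatch.

```python
"""Added example (not from the original post): a least-privilege Transfer Family
session policy, a quarantine policy for a user under investigation, and a triage
pass over SFTP session logs looking for directory-breakout attempts.
Bucket, user, IP and every log line below are constructed for the example."""
import json
import posixpath
import re

# Session ("scope-down") policy attached to the Transfer Family user.  The
# ${transfer:...} variables are substituted by Transfer Family at login, so the
# same document confines every user to their own home folder.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]
                }
            },
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}*"],
        },
    ],
}

# Quarantine policy while the investigation runs: an explicit Deny overrides any
# Allow in the user's IAM role, so the account stays inert even if re-enabled.
QUARANTINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}


def session_policy_json(policy: dict = SESSION_POLICY) -> str:
    """Serialise a policy for `aws transfer update-user --policy file://...`."""
    return json.dumps(policy, indent=2)


def in_home(home_dir: str, path: str) -> bool:
    """True when an absolute SFTP path resolves inside home_dir once '.', '..' and
    repeated slashes are collapsed, which is how a client tries to escape an
    un-jailed home.  The trailing '/' stops /home/alice2 matching /home/alice."""
    home = posixpath.normpath(home_dir)
    target = posixpath.normpath(path)
    return target == home or target.startswith(home + "/")


def parse_line(line: str):
    """Parse one '<user>.<session> <EVENT> Key=Value ...' line (field names are
    assumed; adjust to the log format actually present in CloudWatch)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or "." not in parts[0]:
        return None
    user, session = parts[0].rsplit(".", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", parts[2])) if len(parts) == 3 else {}
    return {"user": user, "session": session, "event": parts[1], **fields}


PATH_EVENTS = {"OPEN", "CLOSE", "DELETE", "RENAME", "MKDIR", "RMDIR"}


def triage(log_text: str, home_dir: str) -> dict:
    """Answer the incident questions: who connected and from where, did any
    request leave the home directory, and how many bytes went in and out."""
    report = {"users": set(), "source_ips": set(), "escapes": [], "bytes_in": 0, "bytes_out": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        report["users"].add(rec["user"])
        if rec["event"] == "CONNECTED" and "SourceIP" in rec:
            report["source_ips"].add(rec["SourceIP"])
        if rec["event"] in PATH_EVENTS:
            for key in ("Path", "NewPath"):
                if key in rec and not in_home(home_dir, rec[key]):
                    report["escapes"].append((rec["event"], rec[key]))
        if rec["event"] == "CLOSE":
            report["bytes_in"] += int(rec.get("BytesIn", 0))
            report["bytes_out"] += int(rec.get("BytesOut", 0))
    return report


# Constructed log: one legitimate session with one traversal attempt mixed in.
SAMPLE_LOG = """\
alice.7f3a9c CONNECTED SourceIP=203.0.113.10 User=alice HomeDir=/acme-transfer/home/alice Client=SSH-2.0-OpenSSH_8.9
alice.7f3a9c OPEN Path=/acme-transfer/home/alice/reports/q1.csv Mode=READ
alice.7f3a9c CLOSE Path=/acme-transfer/home/alice/reports/q1.csv BytesIn=0 BytesOut=2048
alice.7f3a9c OPEN Path=/acme-transfer/home/alice/upload.csv Mode=CREATE|TRUNCATE|WRITE
alice.7f3a9c CLOSE Path=/acme-transfer/home/alice/upload.csv BytesIn=512 BytesOut=0
alice.7f3a9c OPEN Path=/acme-transfer/home/alice/../../finance/payroll.csv Mode=READ
alice.7f3a9c DISCONNECTED
"""

if __name__ == "__main__":
    print(session_policy_json())
    print(triage(SAMPLE_LOG, "/acme-transfer/home/alice"))
```

The session policy only does its job alongside a restricted (jailed) home directory on the user; without the jail the client can still browse the rest of the bucket by absolute path, which is exactly the misconfiguration described above. Swapping in `QUARANTINE_POLICY` is the quick way to keep an account defined but inert while the logs are reviewed, since the explicit Deny wins over whatever the role allows.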
By the end of the hour, I had full documentation ready for leadership and steps in place to enable even faster responses to any future similar incidents.