BSidesSF 2018 has ended
Back To Schedule
Sunday, April 15 • 4:10pm - 4:40pm
The Bucket List: Experiences Operating S3 Honeypots

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
2017 was a blockbuster year for breaches, with everything from Russian espionage to Equifax. However, if you read between the eye-popping headlines you'll notice another concerning trend - this was the year of S3 bucket incidents.

Extensive research has been published about hunting for publicly exposed buckets, and several open source tools exist that make it easy.
Unfortunately, not a lot of research has been published from the defensive side. Who is hunting for my buckets, what are they looking for, and what tools are they using? How do I know if someone is attempting to access my S3 assets?

In order to answer these questions, I've been operating a fleet of honeypot S3 buckets for months and closely monitoring who accesses them. During my presentation I will go over my findings as well as some of the tools, techniques, and practices that researchers use to find public buckets plus what they did once they found them. Also, I will discuss how to monitor access to your S3 assets and how to operationalize S3 honeypots within your own organization.


Cameron Ero

Security Engineer, Okta
Cameron Ero is a Security Engineer based in San Francisco, currently working with Okta as part of their Detection and Response Team. He has previously been a member of several blue teams including the Mandiant CIRT and FireEye Advanced Detection Team. Cameron is an alumnus of Towson... Read More →

Sunday April 15, 2018 4:10pm - 4:40pm PDT
AMC - Theatre 7