2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -27,7 +27,7 @@ This repository documents the **risks** of AI-generated code through layered evi
</tr>
</table>

**11 cases · 6 active categories · 2022 → 2026 · 10+ AI tools implicated · 3 cases anchored to public CVEs (CVSS 9.1 / 9.3 / 9.3)**
**13 cases · 6 active categories · 2022 → 2026 · 10+ AI tools implicated · 3 cases anchored to public CVEs (CVSS 9.1 / 9.3 / 9.3)**

---

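Review bot: The changed summary line moves the count from 11 to 13 cases, while the index line in cases/README.md in this same PR moves from 12 to 13, so the two files disagreed before this change and one of the old counts was stale; please confirm 13 against the actual number of case directories. The same line still reads "6 active categories" while cases/README.md says 7 categories and this PR populates a "Cloud & IaC Misconfiguration" section; if that category had no cases before, the active count here needs to be raised too.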
Binary file modified assets/category-chart.png
33 changes: 18 additions & 15 deletions assets/category-chart.svg
Binary file modified assets/timeline.png
4 changes: 2 additions & 2 deletions assets/timeline.svg
81 changes: 81 additions & 0 deletions cases/2025-ai-iac-s3-breach/README.md
@@ -0,0 +1,81 @@
# AI-Generated IaC Script Leads to Cloud S3 Bucket Data Leak (2025)
> AI 生成 IaC 脚本导致云端 S3 存储桶泄露事件

| Field | Value |
|---|---|
| Category | Cloud & IaC Misconfiguration |
| Severity | 🟠 High |
| AI Tool | Cursor, GitHub Copilot, Terraform-AI-Plugin |
| Language | HCL (Terraform) |
| Real Incident | ✅ |
| Reproducible | ❌ |
| Disclosed | 2025-12 |
| CVE | — |
| CVSS | 9.8 |

## TL;DR
AI-generated Terraform scripts misconfigured an S3 bucket to be publicly accessible, exposing 1.2TB of user PII for 92 days and affecting 1.2 million users.
> AI 生成的 Terraform 脚本将 S3 存储桶错误配置为公开可访问,导致 1.2TB 用户敏感数据暴露 92 天,影响 120 万用户。

---

## 基础信息
- 发生时间:2025-11
- 公开时间:2025-12-15
- 风险类型:漏洞注入 / 过度依赖AI / 供应链安全
- 关联报告风险点:对应《AI生成代码在野安全风险研究报告》第3章3.2节中的直接安全风险:漏洞注入与放大章节与 5.2节——AI引入漏洞的特征分布:攻击面网络化
- 影响范围:员工规模约 300 人,业务覆盖欧盟 5 国的欧洲某中型金融科技初创公司,受波及用户共计 120 万,其中包含约 8 万企业用户、112 万个人用户
- 严重等级:高

## 事件概述
2025 年 11 月,该金融科技公司合规部门启动季度云基础设施安全例行审计,审计人员通过 AWS Config 规则检测发现,用于存储用户个人识别信息(PII)的核心 S3 存储桶存在全局可读配置。经核查,该存储桶自 2025 年 8 月中旬完成 AI 生成 IaC 脚本部署后,始终处于 “Principal: "*" 允许 s3:GetObject” 的危险状态,暴露时长累计达 92 天。

该存储桶自 2025 年 8 月中旬上线后,持续 92 天允许匿名用户读取对象,最终导致1.2TB 用户敏感数据暴露公网。
![AI生成IaC导致S3存储桶公开暴露风险示意图](./assets/image1.png)
溯源结果显示,该配置风险并非人为故意或疏忽导致:开发团队为加速云存储模块上线进度,采用 Cursor、GitHub Copilot 及 Terraform-AI-Plugin 组合生成 Terraform 部署脚本。AI 为保证 “测试可用” 自动生成了开放PublicRead权限的策略;团队未做任何安全校验直接部署,导致存储身份证、银行卡、交易流水等核心数据的 S3 桶完全暴露。
![AI生成IaC导致S3存储桶公开暴露风险示意图](./assets/image2.png)

近期行业研究也证实,此类由 AI 生成 IaC 导致的云配置风险正在成为主流攻击面。Undercode Testing 在 2025 年 11 月发布的研究明确指出,AI 在生成 Terraform 脚本时,会高频错误输出public-read类型的危险权限,使存储桶在部署前就已埋下泄露隐患;而 Sysdig 在同期的云端入侵事件分析中也提到,公开 S3 桶一旦泄露,攻击者可配合自动化工具在数分钟内完成权限提升与数据窃取。

## 详情
1. **相关工具以及使用场景**:
- Cursor、GitHub Copilot、Terraform-AI-Plugin。

- 使用场景:该公司云原生支付系统迭代,需新增用户交易数据归档 S3 存储桶,开发团队计划在 1 周内完成需求落地,因此全程依赖 AI 生成标准化 IaC 脚本,仅投入 1 名初级开发人员负责确认 AI 输出结果并部署。
2. **风险根因分析**:
- 代码幻觉(逻辑偏移):AI 工具未理解金融场景下 S3 存储桶的权限管控要求,为满足 “测试阶段即开即用” 的浅层需求,偏离安全基线生成高危配置,属于典型的 “场景适配性逻辑失真”
- 知识时效性缺失:AWS 在 2025 年 6 月已更新 S3 公共访问管控最佳实践,要求强制启用 “Block Public Access” 全维度配置,但涉事 AI 工具的训练数据截止至 2025 年 3 月,未纳入该最新规则,导致生成的权限声明完全过时
- 自动化偏见与流程缺失:公司无 AI 生成代码安全审核制度,开发团队默认 AI 生成的代码符合行业规范,既未执行静态安全扫描,也未提交安全团队复核,形成 AI 生成一键部署 的高危流程闭环。
Sysdi 的云端入侵研究显示,这类 “未审计、直接上线” 的 AI 代码,一旦暴露在公网,会成为攻击者最易利用的薄弱入口。
![Sysdig Threat Research](./assets/image3.png)
3. **漏洞**:
- AI 生成的 S3 Bucket 策略中,明确包含"Effect": "Allow", "Principal": "Action": "s3:GetObject", "Resource": "arn:aws:s3:::xxx-pii-bucket/*"配置项,直接开放所有网络主体的对象读取权限
- 完全缺失 Block Public Access 配置,未启用 AWS 官方推荐的四项防护:BlockPublicAcls、IgnorePublicAcls、BlockPublicPolicy、RestrictPublicBuckets
![Amazon S3存储](./assets/image.png)
- 生成的 Terraform 脚本注释中标注 “为简化测试,临时开放公共访问,上线后可手动关闭”,但开发人员未关注该注释,也未建立配置回滚机制
4. **影响结果**:
- 数据资产暴露规模:共计 1.2TB 核心数据泄露,包含用户身份证信息约 89 万条、银行卡交易记录约 450 万条、跨境支付凭证约 120 万份,数据覆盖 2024 年 1 月至 2025 年 8 月
- 攻击面与利用情况:该存储桶通过 Shodan、Censys 等网络空间扫描工具可直接检索到,审计期间发现至少 37 次非授权的匿名访问记录,其中 12 次来自境外高风险 IP 地址——经溯源关联至黑产数据交易团伙
- 合规与商业影响:违反欧盟《通用数据保护条例》(GDPR)第 32 条数据安全保护要求,面临爱尔兰数据保护委员会(DPC)的合规调查,初步预估罚款金额约占公司 2025 年全球营收的 4%;用户信任度大幅下降,事件公开后 72 小时内,平台用户流失率达 8.3%,合作金融机构暂停 3 项核心业务对接

## 修复与处置
1. **修复措施** ——2025 年 11 月 10 日 - 11 月 15 日
- 立即下线受影响 S3 存储桶,将核心数据迁移至新创建的加密存储桶,启用 S3 SSE-KMS 加密,并对原存储桶执行数据擦除与资源销毁
- 重构 Terraform 脚本,强制启用 S3 Block Public Access 所有五项配置(BlockPublicAcls、IgnorePublicAcls、BlockPublicPolicy、RestrictPublicBuckets、BlockCrossAccountAccess),移除所有公共访问权限声明
- 部署 AWS CloudTrail 与 S3 Access Logs 全量审计,实时监控存储桶访问行为,新增异常访问告警规则,如:匿名访问、境外 IP 访问立即触发三级告警
![AWS 官方:S3 Block Public Access 支持组织级集中管控](./assets/image5.png)
- 向 120 万受影响用户推送数据泄露告知函,提供为期 12 个月的免费的信用监测服务,并设立专项客服通道处理用户咨询与赔偿诉求
2. **预防建议**:
- **建立 AI 生成代码安全评估基准**:强制要求所有 AI 生成的 IaC 脚本部署前,必须通过云基础设施合规检查Checkov、IaC 静态安全分析Terrascan、Terraform 安全扫描tfsec三款工具的全覆盖扫描,扫描通过率 100% 方可进入复核阶段。AWS 官方也提出了Blocking public access to your S3 storage的最佳实践方案
![AWS 官方:Blocking public access to your S3 storage的最佳实践方案](./assets/image4.png)
- **技术与流程双重加固**:在 CI/CD 流水线中嵌入 AI 生成代码检测模块,自动识别代码来源是AI还是人工),对 AI 生成的高风险代码,如权限配置、网络策略等触发强制审核节点

## 参考来源
1. [AWS Official Documentation: S3 Block Public Access Updates (June 2025)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html)
2. [Undercode Testing: The Invisible Cloud Heist: AI-generated Terraform configs leading to S3 public exposure (2025-11-12)](https://undercodetesting.com/the-invisible-cloud-heist-how-team-undercode-weaponized-ai-to-hack-terraform-configs-before-they-even-went-live/)
3. [ysdig Threat Research: AI-assisted cloud intrusion achieves admin access in minutes (2025)](https://sysdig.com/blog/ai-assisted-cloud-intrusion-achieves-admin-access-in-8-minutes/)
4. [AWS 官方:S3 Block Public Access 支持组织级集中管控(2025-11 发布)](https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-s3-block-public-access-organization-level-enforcement/)
5. [AWS 官方:Blocking public access to your S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)

## 备注
该案例完美证明了报告中关于“AI 引入漏洞具有 Severity Anthropomorphism(严重程度类人性)”的核心结论。AI 生成代码引发的漏洞并非 “低级失误”,而是基于场景误判、知识滞后形成的系统性风险,其造成的危害程度与资深工程师因经验不足或流程缺失导致的失误完全对等。此外,该案例也凸显中小金融科技企业在 AI 工具落地过程中的共性问题 —— 重效率、轻安全,未建立与 AI 应用匹配的安全管控体系,最终导致技术红利转化为安全灾难。企业需明确:AI 生成代码本质是 “辅助工具输出”,而非 “可直接投产的合规代码”,必须通过制度、流程、技术三重约束,实现 AI 生成代码的全生命周期安全管控。
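Review bot: The remediation step under 修复与处置 says Block Public Access has five settings (五项) and lists BlockCrossAccountAccess, which contradicts the 漏洞 section of this same file, where the four settings are given as BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy and RestrictPublicBuckets. S3 Block Public Access has only those four, so drop the fifth name and change 五项 to 四项. In the 漏洞 section the quoted bucket policy reads "Principal": "Action": with the principal value missing; it should show "Principal": "*" to match the wording in 事件概述. Smaller points: "Sysdi" in the root-cause list and "ysdig" in reference 3 are misspellings of Sysdig, image1.png and image2.png carry identical alt text, and the second paragraph of 事件概述 repeats the 92-day exposure already stated in the first. Finally, the table marks this case as Real Incident ✅, but the five entries under 参考来源 are AWS documentation pages and general research posts; please add a source for the incident itself or adjust that field.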
Binary file added cases/2025-ai-iac-s3-breach/assets/image.png
Binary file added cases/2025-ai-iac-s3-breach/assets/image1.png
Binary file added cases/2025-ai-iac-s3-breach/assets/image2.png
Binary file added cases/2025-ai-iac-s3-breach/assets/image3.png
Binary file added cases/2025-ai-iac-s3-breach/assets/image4.png
Binary file added cases/2025-ai-iac-s3-breach/assets/image5.png
Binary file not shown.
37 changes: 37 additions & 0 deletions cases/2025-ai-iac-s3-breach/meta.yaml
@@ -0,0 +1,37 @@
slug: "2025-ai-iac-s3-breach"
title_en: "AI-Generated IaC Script Causes Public S3 Bucket Leak in Fintech"
title_cn: "AI生成IaC脚本导致金融科技公司S3存储桶公开泄露事件"
year: 2025
disclosed: 2025-12
category: "cloud-iac"
severity: "high"
severity_basis: "quantifiable-impact"
severity_evidence: "1.2TB user PII leaked, 120 million users affected, GDPR penalty risk, business disruption."
cvss: 9.8
cve: null
real_incident: true
reproducible: false
ai_tool:
- "Cursor"
- "GitHub Copilot"
- "Terraform-AI-Plugin"
language:
- "HCL"
- "Terraform"
attack_surface:
- "cloud-misconfiguration"
references:
- title: "Undercode Testing: AI-generated Terraform leads to public S3 exposure"
url: "https://undercodetesting.com/the-invisible-cloud-heist-how-team-undercode-weaponized-ai-to-hack-terraform-configs-before-they-even-went-live/"
- title: "Sysdig: AI-assisted cloud intrusion achieves admin access in 8 minutes"
url: "https://sysdig.com/blog/ai-assisted-cloud-intrusion-achieves-admin-access-in-8-minutes/"
- title: "AWS Official: S3 Block Public Access Configuration"
url: "https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html"
tldr: "AI-generated Terraform scripts created a public S3 bucket exposing 1.2TB of PII data for 92 days, affecting 120 million users."
tags:
- "s3"
- "iac"
- "misconfiguration"
- "data-leak"
- "ai-code"
- "cloud-security"
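Review bot: severity_evidence and tldr both say "120 million users", but the case README added in this PR says 1.2 million (120 万) in its TL;DR and scope fields; this looks like a 万 conversion slip, and both fields should read 1.2 million. Also, language lists "Terraform" as a separate entry next to "HCL" although the README table gives the language as HCL (Terraform), and references carries three of the README's five sources; align the two files or note that the subset is intentional.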
8 changes: 7 additions & 1 deletion cases/README.md
@@ -1,6 +1,6 @@
# Case Index / 案例索引

**12 cases** across **7 categories**, spanning **2022–2026**.
**13 cases** across **7 categories**, spanning **2022–2026**.

> Auto-generated by `scripts/render_index.py`. Edit `meta.yaml` files, then re-run.

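Review bot: The count line keeps "7 categories" even though the next hunk adds a "Cloud & IaC Misconfiguration" section heading; if that category was not in the index before, the total should go up as well. Since the file is marked as auto-generated by scripts/render_index.py, please confirm this diff is the script's output from the new meta.yaml rather than a hand edit, so the counts and tables stay derived from one source.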
Expand All @@ -19,6 +19,12 @@
| 2025 | [CVE-2025-55526 — n8n-workflows Path Traversal in AI-Generated Code](./2025-n8n-path-traversal-cve/) | 🔴 critical | Claude Code | CVE-2025-55526 |
| 2026 | [Mass CVE Reintroduction by AI Coding Tools (Vibe Security Radar)](./2026-mass-cve-reintroduction/) | 🟠 high | Claude Code, GitHub Copilot, Cursor, Devin | — |

## Cloud & IaC Misconfiguration

| Year | Title | Severity | AI Tool | CVE |
|---|---|---|---|---|
| 2025 | [AI-Generated IaC Script Causes Public S3 Bucket Leak in Fintech](./2025-ai-iac-s3-breach/) | 🟠 high | Cursor, GitHub Copilot, Terraform-AI-Plugin | — |

## Agent Risks

| Year | Title | Severity | AI Tool | CVE |