S3 bucket security has certainly made the headlines in the last year. S3 buckets, if configured properly, are quite secure. However, we’ve seen numerous high-profile organizations suffer data leaks due to S3 buckets that have been left with poor public access permission settings. In 2017, large amounts of sensitive US Department of Defense data were leaked from a publicly accessible Amazon server. In another instance, Accenture, a leading consulting company, left its S3 buckets exposed, allowing anyone with the right web address to access and download customer information, API data, and more.
But the good news is, security leaks were mainly due to very simple misconfigurations and it’s quite easy to ensure that your S3 bucket data leaks are minimized. In previous posts, we discussed the AWS Shared Responsibility Model and AWS network security. In the last of this three-article series, we will highlight some of the best ways to secure S3 buckets and explain the role the N2WS Cloud Protection Manager (CPM) plays in securing them.
How to Secure S3 Buckets
There are quite a few recommended actions in order to protect your sensitive information in your S3 buckets, in order to minimize your risk of exposed data either from account breaches or losses. You can take advantages of various tools from the AWS console itself as well as additional tools like N2WS. First, we’ll discuss what AWS recommends in terms of some best practices that will decrease data leaks if they are followed carefully.
Keep track of who has been granted access to S3 buckets and objects, and the level of privileges that have been granted. Although access to S3 buckets is private by default, write access to everyone automatically grants delete access to S3 objects. Therefore, access to S3 buckets should be restricted to a small number of trusted individuals. Similarly, granting read access to everyone allows all users to read the data saved in S3 buckets. It is important to know that you can use access control lists for granular permissions and enable multi-factor authentication before an object is deleted.
Audits and Monitoring
Internal transfers and new hires are common in any team. Regular audits should be performed to ensure that rights have been modified according to the role of the individual. Additionally, logging should be enabled for S3 buckets so that actions performed can be referenced in case of an issue.
In November 2017, AWS announced a new feature that provides default encryption for all of the objects stored in a bucket. With this feature in place, you do not need to create a separate policy to reject unencrypted objects.
Use cross-region replication (CRR) to secure critical S3 bucket data. In addition to copying the object and tags, CRR will overwrite the access control list and provide full access to the owner of the replica. This will ensure complete segregation of rights between the original copy and the replica.
Initiate a backup of your critical S3 buckets so that data can be restored from the backup copy in case of unexpected modifications or breaches. N2WS offers a free version of CPM that helps with backup, recovery, and disaster recovery of Amazon EC2 instances.
Hassle-Free Backup & Recovery with N2WS CPM
CPM is an N2WS service available in the AWS Marketplace. Once you install and configure the Amazon Machine Images (AMI), you can use CPM for data backup, recovery, and disaster recovery.
You can back up five types of targets with CPM: Amazon EC2, Amazon RDS, Amazon EBS, Amazon Redshift, and Amazon Aurora. Amazon EC2 employs Amazon S3 for storing AMIs. With CPM, you can quickly restore the AMI and continue working in the case of malicious activity. Additionally, Amazon EC2 uses Amazon S3 for storing backup copies of EBS volumes. With CPM, you can store the backup copies across various regions and restore them as needed.
CPM also provides a centralized management console for multiple AWS accounts. The console’s self-service capabilities simplify backup activities such as defining backup frequency and configuring start and end times of the backup schedule.
Closing the Circle
Amazon S3 has played a major role in the success of AWS and numerous other organizations. Because of this, AWS understands the importance of securing S3 buckets. In order to ensure data security, customers must follow best practices (as part of the AWS Shared Responsibility Model) such as regular audits, encryption, and data backup.
N2WS offers a free version of CPM (as a proof of concept), which allows you to protect up to five Amazon EC2 instances from data loss.