Amazon Web Services (AWS) is a cloud platform designed to meet the growing demand for cloud computing worldwide. AWS provides a set of cloud services such as storage, analytics, blockchain, business applications, security, and machine learning.
Within this cloud environment is Amazon Simple Storage Services (S3), a cloud storage solution bringing scalability, data availability, security, and performance to companies of any size through so-called “buckets” or data containers. S3 is a crucial solution for companies such as Netflix. It leads the cloud storage market alongside Microsoft Azure, Blob Storage, and Google Cloud Storage.
That accessibility and availability, however, also comes with considerable risks. For example, in 2017 technicians discovered that a misconfigured S3 bucket exposed sensitive data belonging to millions of Verifone users.
As a result of such incidents, cloud security has become a fundamental necessity for companies that rely on cloud environments while seeking to reduce cybersecurity and data security risks.
How Secure Are AWS S3 and S3 Buckets?
Like many other cloud storage solutions, AWS S3 operates under a shared responsibility model for data protection and cybersecurity. AWS is responsible for the underlying “security of the cloud” and its infrastructure, while users are responsible for securing their own AWS S3 buckets, known as the “security in the cloud.”
Like many public cloud service providers, AWS offers users some best practices to protect their data, but AWS cannot assure or enforce the use of those practices. The “security of the cloud” has not been the root cause of the various data leaks and breaches of Amazon S3 buckets, but it does not mean that all the responsibility falls on its users.
Although AWS currently makes new buckets private by default, the consensus among cybersecurity specialists is that S3 is designed so that it is too easy to have buckets inadvertently configured as publicly accessible. Advanced features like authenticated user permissions and the interplay between access control lists (ACLs) and bucket policies can confuse AWS users and lead to human errors in the configuration of their S3 buckets.
With the launch of Amazon Macie, a security service focused on the discovery, classification, and protection of sensitive information within the AWS ecosystem, the number of misconfigured buckets has decreased considerably.
Still, these tools only address the consequences of the AWS S3 design problem. Introducing additional features that make it simple to assure S3 storage remains private isn’t the same as eliminating the ability to give public access.
How Can I Protect My S3 Data?
Unlike traditional data storage models, cloud storage solutions greatly facilitate infrastructure protection and assure the availability of these services. Security in the cloud, however (a responsibility of the users), is still essential. Neglecting best practices can have serious repercussions for your company.
Therefore, consider the following safeguards to protect your S3 data:
Identify and Classify Your Information
Identifying the amount and type of information your company has stored in S3 buckets is crucial to protect sensitive information and to comply with different data protection regulations.
Companies working with PII (personally identifiable information), cardholder data, and other personal data covered by data privacy regulations should pay close attention to the placement of this information and the permissions of each bucket that contains it.
Tools such as Amazon Macie ease this process using machine learning which automatically reviews and classifies your data in S3.
Enable Multi-Factor Authentication
This cybersecurity practice is one of the most powerful ways to minimize the harm of phishing attacks or the leakage of employees’ credentials. In this case, multi-factor authentication can be activated at the user log-in process or at access to specific buckets, and for certain actions like deleting buckets.
Encrypt Your Data
S3 has four encryption solutions, including client-side and server-side encryption. S3 encrypts your data when it writes the data to disks in AWS data centers and decrypts the data when you access it using server-side encryption. This practice assures that data is not accessible without the proper encryption keys and minimizes the harm of data leakages.
The client-side encryption method means that you encrypt the data before sending it to AWS and decrypt it after retrieving it from AWS. This means that AWS doesn’t have or manage your encryption keys.
Block Public Buckets Organization-Wide
The AWS Block Public Access feature adds a layer of security to your account along with individual buckets, even those you create in the future. Your company can restrict current public access and assure that newly produced buckets are not given public access.
Enforce Least Privilege Access
You should also block unwanted access to S3 by enforcing least privilege access and providing access to accounts only when particular tasks are required.
AWS offers a variety of tools for establishing least privilege access, such as IAM (identity and access management) user policies with permissions boundaries, bucket policies, ACLs (access control lists), and service control policies.
Enable Versioning
The S3 Versioning feature allows you to save and retrieve any version of any item stored in your buckets. S3 Versioning lets you maintain several versions of an object in the same bucket and can aid in the recovery of assets that have been accidentally deleted or overwritten. You may consider activating this feature for specific cases, such as S3 buckets that backup sensitive data.
Minimize the Risk of Data Breaches with ZenGRC
ZenGRC is an integrated governance, risk management, and compliance solution that allows enterprises to automate the self-auditing process. For example, as part of your AWS cloud compliance, your company may need to establish various compliance attestations. ZenGRC’s SaaS platform allows you to store and retrieve all of your compliance documents in one spot.
Many AWS users must adhere to rules and industry standards such as PCI DSS, SOC, ISO, FedRAMP, and HIPAA. ZenGRC can help you identify holes in your documentation and procedures and advise you on how to close them.
ZenGRC is a single source of truth that assures your organization is always compliant and audit-ready. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards provide visibility to gaps and high-risk areas.
Schedule a demo today to see how ZenGRC will help you reduce the burden of cloud security and compliance.