3 Best Practices for AWS S3 Security

Amazon Web Services (AWS) is the undisputed leader in the cloud services market. Large and small organizations alike flock to AWS because of its flexibility, full array of options and upgrades, and pay-as-you-go-for-what-you-use price structure. However, numerous data breaches have been traced back to misconfigured Amazon Simple Storage Service (S3) buckets, including high-profile breaches of third-party vendors handling sensitive information on behalf of Verizon and the Republican National Committee. This has some AWS customers questioning their AWS security, particularly in light of the fact that Amazon itself sent an email to customers with publicly accessible S3 buckets, warning them to review their security settings.

Several high-profile breaches involving misconfigured Amazon Web Services servers have made the news.

The good news is that AWS is very secure — if configured properly. Breaches are completely preventable by following simple, proactive cloud security best practices grounded in sound governance, risk, and compliance. Here are three proactive steps you can take to enhance your AWS S3 security; these apply to competing cloud services as well.

Create consistent cloud security controls and procedures, and put them in writing

All of the recent S3 breaches have involved S3 buckets that contained sensitive data and that had been set to public. By default, S3 buckets are set to private, meaning that only the account owner can access their contents. Buckets are not set to be publicly viewable by accident; someone with the privileges to do so must go into the system and take specific steps to override the default setting. This begs two questions: Why was this sensitive data sent to the cloud in the first place? Why did someone override the default and make them public?

A set of written cloud security controls and procedures clearly defines which types of data are to be stored in the cloud, how long they are to be kept there, and where they belong in the cloud storage hierarchy. Not only should sensitive information never be placed in a public S3 bucket, but also, access to buckets containing sensitive information should be highly restricted. This leads to the next best AWS S3 security best practice.

Perform regular reviews of your accounts, groups, users, and roles

In addition to allowing S3 buckets to be set to public or private, AWS allows administrators to give users varying levels of access to buckets and their contents, including list, upload, delete, view, and edit functions. Your organization’s AWS server should be treated just like the rest of your network: Users should be given the minimum amount of access they need to perform their jobs and no more. When employees leave the company or transfer into other positions, their access should be immediately revoked or altered as appropriate, and everyone’s permissions should be regularly reviewed to ensure they have the appropriate level of access and that there is no unnecessary overlap between user groups.

Perform regular risk assessments

Just like the rest of your cyber security protocols, your cloud security procedures should be regularly reviewed and updated as the threat environment and your organization’s needs change. Then, all of the buckets, files, and users on your AWS servers should be examined to ensure they meet the new protocols.

Despite the popularity of cloud computing, cloud security often takes a backseat to other aspects of enterprise security because organizations think that their cloud provider “handles all of that.” In reality, your cloud provider’s responsibility is limited because, in the end, it is your data. They have no control over what types of data you store in the cloud, who you allow to access it, whether you encrypt it and how, or whether you are complying with any applicable industry and regulatory standards, such as PCI DSS and HIPPA. If your S3 bucket is breached because you made a mistake, Amazon won’t be responsible for the fallout; your organization will.

Originally published at continuumgrc.com on August 30, 2017.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.