Private Data on Public Clouds

Low Hanging Cloud Leaks Reign Over Data Privacy Fears

Wrestling fans. Voters in Chicago. Military veterans. Over the past four months, members of these groups have all had their personal information exposed in incidents characterized as “cloud leaks”. This post looks at what can be done to secure private data on public clouds.

“53% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more such services to the public.”
— RedLock Cloud Infrastructure Security Trends (October 2017 Edition)

Amazon’s Simple Storage Service (S3) has made data storage in the cloud trivial. That ease has led to equally trivial data handling, which has put the reputations of enterprises and their customers’ sensitive data in jeopardy!

S3 is an object storage service that greatly simplifies the storage of data and its corresponding metadata into “buckets”. Over the past four months, it has become commonplace to read about the exploits of those who exposed their private buckets to the public.

Logical and Physical Representation of a Bucket Leak :)

By default, all Amazon S3 resources are private as only the AWS account that created the resource can access them; however, this hasn’t prevented the following twelve incidents from occurring over the past four months:

How can we ensure that our S3 buckets don’t spill out onto the headlines?

1. Understand the AWS Shared Responsibility Model.

AWS Shared Responsibility Model

Under the AWS Shared Responsibility Model, AWS is responsible for protecting the infrastructure offered by the AWS Cloud. Infrastructure as a Service (IaaS) offerings, like S3, require you to perform all of the necessary security configuration and management tasks. When you read a headline that talks about an S3 leak, understand that the culprit responsible for the event is the AWS Customer — and not the AWS Cloud.

2. For sensitive data, configure your buckets to be PRIVATE. Period.

3. Follow the Principle of Least Privilege

Grant only those privileges which are essential for users to complete their work. While many users may require Create/Read/Update/Delete (CRUD) access to buckets, very few need access to manipulate bucket policies.

4. Encrypt your data in motion.

“51% of the network traffic in public cloud infrastructure environments is still occurring on port 80, the default web port that receives clear (unencrypted) traffic.”
— RedLock Cloud Infrastructure Security Trends (May 2017 Edition)

Use HTTPS everywhere.

5. Encrypt your data at rest.

“7% of all S3 buckets have unrestricted access, and 35% are unencrypted.”
— Skyhigh Networks

Not only is it important to encrypt data in transit, it is also important to encrypt data at rest.

Data comes in all shapes and sizes, and every sensitive piece of it should be encrypted. This includes documents and images, but also historical backup files. Too often, backup files are overlooked because they are not in active use; however, when compromised, unencrypted backup files can result in the loss of intellectual property.

6. Leverage the power of machine learning to discover, classify, and protect sensitive data.

While attending this year’s AWS Summit New York, I was introduced to Amazon Macie. Macie represents the intersection of machine learning and data security. Below is an abbreviated list of the capabilities afforded to us by Macie related to data discovery, classification, and S3 data security:

  • New data in your AWS environment is continuously monitored
  • Artificial Intelligence (AI) is used to derive patterns based on historical data
  • Natural Language Processing (NLP) is used to understand human language in data
  • Identification of Protected Health Information (PHI), Personally Identifiable Information (PII), regulatory documents, and security keys
  • Detection and notification of large business-critical documents being shared

7. Automate the creation of S3 Buckets.

Manual configuration of S3 buckets was at the heart of most cloud leaks mentioned above. To mitigate this risk, use CloudFormation to create and manage S3 buckets in an orderly and predictable manner.

8. Enable and Monitor your Logs.

Enabling logging for your S3 buckets, via CloudTrail or S3 Server Access Logging, can yield valuable tracking data to determine what actions are being performed against your S3 buckets. It is your responsibility to monitor the output of these logs.
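The kind of check item 8 calls for, run over S3 Server Access Logging output, as an added example that is not from the original post: the log lines are constructed in the server access log layout, a `-` in the requester field marks an unauthenticated request, and the operation field follows the REST.&lt;HTTP method&gt;.&lt;resource type&gt; convention.

```python
import re
from collections import Counter

# Tokeniser for S3 server access log lines: fields are space-separated, except
# the bracketed timestamp and the double-quoted request line, referrer and agent.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Leading positional fields of the server access log format (later ones ignored).
FIELDS = ("owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code",
          "bytes_sent", "object_size", "total_time", "turnaround",
          "referrer", "user_agent")

# Constructed sample lines in that format; IDs and addresses are placeholders.
SAMPLE_LOG = """\
OWNERCANONICALID examplebucket [05/Nov/2017:14:02:11 +0000] 198.51.100.7 - 7F1A2B3C4D5E6F70 REST.GET.OBJECT backups/customers.csv.gz "GET /backups/customers.csv.gz HTTP/1.1" 200 - 5242880 5242880 120 80 "-" "curl/7.55.1" -
OWNERCANONICALID examplebucket [05/Nov/2017:14:02:19 +0000] 198.51.100.7 - 7F1A2B3C4D5E6F71 REST.GET.OBJECT secrets/keys.txt "GET /secrets/keys.txt HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "curl/7.55.1" -
OWNERCANONICALID examplebucket [05/Nov/2017:14:03:40 +0000] 203.0.113.9 ADMINCANONICALID 9A8B7C6D5E4F3A21 REST.PUT.ACL - "PUT /?acl HTTP/1.1" 200 - - - 45 - "-" "aws-cli/1.11.0" -
OWNERCANONICALID examplebucket [05/Nov/2017:14:05:02 +0000] 203.0.113.9 ADMINCANONICALID 9A8B7C6D5E4F3A22 REST.GET.OBJECT reports/q3.pdf "GET /reports/q3.pdf HTTP/1.1" 200 - 88212 88212 31 12 "-" "aws-cli/1.11.0" -
"""

def parse_line(line):
    """Map one log line onto FIELDS by position."""
    return dict(zip(FIELDS, _TOKEN.findall(line.strip())))

def classify(rec):
    """Label a parsed record, or return None when it needs no attention."""
    anonymous = rec["requester"] == "-"      # "-" marks an unauthenticated request
    op = rec["operation"]                    # REST.<HTTP method>.<resource type>
    if anonymous and op == "REST.GET.OBJECT" and rec["status"] == "200":
        return "ANON_READ_OK"      # an object was actually served to the public
    if anonymous and rec["status"] == "403":
        return "ANON_DENIED"       # anonymous probe that the bucket rejected
    if op.startswith("REST.PUT.") and ("ACL" in op or "POLICY" in op):
        return "ACCESS_CHANGE"     # permissions were rewritten: review who and why
    return None

def audit(lines):
    """Count findings over log lines; any ANON_READ_OK on a private bucket is an incident."""
    counts = Counter()
    for line in lines:
        label = classify(parse_line(line)) if line.strip() else None
        if label:
            counts[label] += 1
    return counts

if __name__ == "__main__":
    print(dict(audit(SAMPLE_LOG.splitlines())))
```

Feeding CloudTrail data events through the same three labels gives the account-level view; the server access log gives the per-bucket one.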

9. Run AWS Trusted Advisor.

If you have an AWS Business or Enterprise support plan, you can use Trusted Advisor — an online resource created by AWS. With Trusted Advisor, you can check permissions on all of your buckets and receive immediate notification of those with open access permissions.

10. Use an open source tool.

Kromtech’s S3 Inspector is available free of charge on GitHub, and can be used to check all of your buckets for public access and report back with security threat findings.
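What the permission checks of items 9 and 10 (and the “PRIVATE. Period.” rule of item 2) boil down to, as an added offline example that is neither the post’s nor either tool’s code: the ACL is in the shape returned by get-bucket-acl, the policy is an ordinary bucket policy document, and the sample bucket data is constructed.

```python
import json

# ACL grantee URIs that open a bucket to the world (AllUsers) or to any AWS account (AuthenticatedUsers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _as_list(value):  # policy fields may be a single string or a list
    return value if isinstance(value, list) else [value]

def acl_findings(acl):
    """Report grants to the public groups in a bucket ACL (get-bucket-acl shape)."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings

def _is_anonymous(principal):  # Principal "*" or {"AWS": "*"} means anyone at all
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def policy_findings(policy):
    """Report Allow statements open to everyone in a bucket policy (dict or JSON text)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        scope = "limited by a Condition, review it" if stmt.get("Condition") else "unconditionally"
        findings.append(f"policy allows {actions} to everyone {scope}")
    return findings

def bucket_findings(acl, policy=None):  # empty list: nothing public was found
    return acl_findings(acl) + (policy_findings(policy) if policy else [])

# Constructed samples: a leaky bucket (public-read ACL plus open GetObject policy) and a private one.
LEAKY_ACL = {"Owner": {"ID": "OWNERCANONICALID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERCANONICALID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::examplebucket/*"}]})
PRIVATE_ACL = {"Owner": {"ID": "OWNERCANONICALID"}, "Grants": [LEAKY_ACL["Grants"][0]]}
```

A statement that is open to everyone but carries a Condition (for example a source-IP restriction) is reported separately rather than ignored, because whether it is acceptable depends on the condition.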

11. Use more than one AWS account.

One pattern to enforce segregation of duties is the AWS Bastion account. For instance, Coinbase has applied this pattern and defines it as follows…

“A bastion account stores only IAM resources providing a central, isolated account. Users in the bastion account can access the resources in other accounts by assuming IAM roles into those accounts. These roles are set up to trust the bastion account to manage who is allowed to assume them and under what conditions they can be assumed, e.g. using temporary credentials with MFA.”

12. Follow Best Practices

When in doubt, follow well-understood best practices, such as:


These dozen measures will prevent data leaks from springing, thereby protecting your sensitive data from falling into the wrong hands.

Cloud storage protection can be accomplished with little effort and has maximum impact. Once you have closed this vulnerability, you can focus on safeguarding against modern security threats:

UK National Health Service Ransomware Screen

Irresponsible cloud configurations cause most S3 “cloud leaks”. As evidenced in this post, proactive, preventive, and prescriptive actions can elevate your focus from low-hanging fruit to highly complex security threats.

Update: Two days after this post went live, AWS announced five new S3 encryption & security features:

  • Default Encryption
  • Permission Checks
  • Cross-Region Replication ACL Overwrite
  • Cross-Region Replication with KMS
  • Detailed Inventory Report

Check out Jeff Barr’s post for the details.