Stopping those S3 Buckets from leaking!
At Cyber Security Specialists we do love AWS (other Cloud platforms are of course available), they are continuously adding new awesome features and services for us to consume, making it even easier to get digital services online at pace.
And yet, as these services grow in popularity it’s increasingly common to hear news stories reporting that yet another organisation has suffered a data breach, accidentally leaking sensitive data. We feel a bit sorry for AWS in this regard because S3 Buckets are actually locked down by default and it’s the AWS customer that can inadvertently set their Buckets to Public. Because of all the bad news stories around S3 data breaches we’ve had Clients question whether AWS is secure enough for them. Our response is that AWS is a powerful and highly secure cloud environment, but it must be configured and maintained properly!
So, take the few simple steps below to secure S3:
- Ensure your S3 Buckets are set to private, check your IAM policies and don’t set them to Public Read/Write!
- Ensure your Buckets are encrypted by applying Default encryption policies.
- If you are accessing your Bucket from a VPC, use a VPC endpoint to ensure the Bucket only accepts connections originating from your VPC.
- Enable Server Access logging to provide a full audit trail of S3 Bucket activity.
Now how do you ensure that these Buckets remain secure and don’t end up being inadvertently made Public? Easy, AWS have a number of services such as AWS Config, Macie and Trusted Advisor that all have automated checks to scan for any S3 Bucket changes to try and overcome this problem.
In this Blog we’re going to focus on AWS Config – and the reasons we love it is because not only can AWS Config alert IT and Security Operations teams when a misconfiguration occurs (via email, SMS or Slack notification), it can also proactively react and correct the misconfiguration for you with a Lambda function!
AWS Config enables continuous monitoring of your AWS resources, making it simple to assess, audit, and record resource configurations and changes. There are a few dozen ‘AWS Managed Rules’ (or templates) within AWS Config which includes s3-bucket-public-read-prohibited & s3-bucket-public-write-prohibited which when enabled will continuously monitor your private S3 Buckets for changes.
An overview of the architecture is below:
The steps to achieve this configuration are detailed below:
- Enable AWS Config to monitor Amazon S3 Bucket ACLs and policies for compliance violations.
- Create an IAM Role and Policy that grants a Lambda function permissions to read S3 Bucket policies and send alerts through SNS.
- Create and configure a CloudWatch Events rule that triggers the Lambda function when AWS Config detects an S3 Bucket ACL or policy violation.
- Create a Lambda function that uses the IAM role to review S3 Bucket ACLs and policies, correct the ACLs, and notify your team of out-of-compliance policies.
Taking this approach can drastically reduce your risk of exposing sensitive personal information via an S3 Bucket. If you want more detailed information on how to configure the components above read the excellent AWS Blog which provides step by step instructions. What are you waiting for – secure your S3 Buckets now!