What are Amazon S3 Buckets?
Amazon S3 (Simple Storage Service) buckets are a type of cloud storage service provided by Amazon Web Services (AWS). They provide scalable and reliable storage for objects such as documents, images, and videos.
S3 buckets can store an unlimited amount of objects and are accessible from anywhere with an internet connection. They are popular for use in backup and recovery, media storage and distribution, web hosting, and big data analytics.
S3 buckets also offer various security features, including data encryption and access control, to help keep your data secure. That’s great, so…
Why are Amazon S3 Buckets a Security Threat?
In recent years, there has been a significant migration of data to cloud platforms such as Amazon Web Services (AWS), and in most cases, the data stored on these platforms is relatively secure.
However, the improper configuration of S3 buckets has led to numerous data breaches. This is due to an issue that exists throughout the Amazon S3 ecosystem, as reported by security firm Skyhigh Networks.
According to their statistics, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted. The problem is that many users are unaware that their buckets are open to the public internet, and there are tools available on GitHub that enable hackers to find them.
One example of a data breach resulting from a misconfigured Amazon S3 bucket is the case of Alteryx, a data analytics company based in California, which affected 123 million Americans. Additionally, at least four airports in Colombia and Peru were affected by a data breach where 3TB of airport data, consisting of over 1.5 million files, was publicly accessible due to a misconfigured bucket. Other notable instances of S3-related data breaches include those of Cosmolog Kozmetik, WizCase, Comparitech, and Reindeer.
How to Protect Sensitive Data in Amazon S3 Buckets
Here are some best practices to follow to protect sensitive data in Amazon S3 Buckets:
Enable S3 Block Public Access
This feature blocks public access to buckets and their objects. It can be turned on for a whole account, where it covers every bucket in that account, including ones created in the future, or for individual buckets. Do not make your S3 bucket objects public unless absolutely necessary!
Encrypt your S3 data
AWS S3 provides server-side encryption to encrypt data at rest. There are three options available: SSE-S3, SSE-KMS, and SSE-C. With SSE-S3 and SSE-KMS the keys are managed by AWS, while SSE-C requires you to supply and manage the encryption keys yourself. You can also encrypt data before you upload it to AWS; however, client-side encryption is not a service provided by AWS and is therefore the sole responsibility of the end user.
Enable Access Control
Use AWS Identity and Access Management (IAM) roles and policies to control user access to S3 buckets and objects. Assign only minimum privileges required for the user to perform their tasks.
Regularly Monitor your S3 Buckets
Enable S3 server access logging to track all requests made to your S3 buckets and objects, and implement a monitoring solution that triggers alerts when anyone accesses sensitive data. While Amazon Macie gives you visibility into what data in your S3 buckets is accessed and how, a dedicated real-time threat detection solution with Amazon S3 auditing gives you a comprehensive overview of all data access events and configuration changes across your whole environment.
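As an added illustration of the monitoring step (this is example code written for this article, not part of Lepide's product or any AWS tool), the script below parses S3 server access log lines and flags the events a defender would want alerted on: successful anonymous requests, access-denied responses, reads of objects under prefixes classified as sensitive, and bucket-level configuration changes. The bucket name, the `customers/` and `hr/` prefixes, and the four log lines are constructed sample values.

```python
import re
from collections import Counter
from typing import Dict, List

# S3 server access log fields are space-separated, except the bracketed
# timestamp and the double-quoted request URI, referer and user agent, which
# can themselves contain spaces. This tokenizer handles all three cases.
_TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

# 0-based positions of the fields this checker uses, per the documented
# S3 server access log layout (owner, bucket, time, ip, requester, request id,
# operation, key, request URI, HTTP status, error code, ...).
FIELDS = {"bucket": 1, "time": 2, "remote_ip": 3, "requester": 4,
          "operation": 6, "key": 7, "status": 9, "error": 10}

# Prefixes the organization has classified as sensitive (assumed example values).
SENSITIVE_PREFIXES = ("customers/", "hr/")

# Constructed sample lines (no real account, bucket or host ids).
SAMPLE_LOG = [
    'EXAMPLEOWNERID payroll-exports [12/Mar/2024:09:14:55 +0000] 203.0.113.10 arn:aws:iam::123456789012:role/ReportReader 1F2E3D4C5B6A7980 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 1048576 1048576 35 10 "-" "aws-cli/2.15.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader payroll-exports.s3.us-east-1.amazonaws.com TLSv1.2',
    'EXAMPLEOWNERID payroll-exports [12/Mar/2024:09:15:02 +0000] 198.51.100.23 - 7A1B2C3D4E5F6789 REST.GET.OBJECT customers/export.csv "GET /customers/export.csv HTTP/1.1" 200 - 524288 524288 41 12 "-" "curl/8.4.0" - hostidEXAMPLE= - - - payroll-exports.s3.us-east-1.amazonaws.com TLSv1.2',
    'EXAMPLEOWNERID payroll-exports [12/Mar/2024:09:15:09 +0000] 198.51.100.23 - 8B2C3D4E5F6A7081 REST.GET.OBJECT customers/salaries.xlsx "GET /customers/salaries.xlsx HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "curl/8.4.0" - hostidEXAMPLE= - - - payroll-exports.s3.us-east-1.amazonaws.com TLSv1.2',
    'EXAMPLEOWNERID payroll-exports [12/Mar/2024:09:20:41 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/ops-admin 9C3D4E5F6A7B8192 REST.PUT.VERSIONING - "PUT /payroll-exports?versioning HTTP/1.1" 200 - - - 52 - "-" "aws-cli/2.15.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader payroll-exports.s3.us-east-1.amazonaws.com TLSv1.2',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one access log line into the named fields used by the checks."""
    tokens = [a or b or c for a, b, c in _TOKEN.findall(line)]
    if len(tokens) <= max(FIELDS.values()):
        raise ValueError("line has too few fields to be an S3 access log record")
    return {name: tokens[index] for name, index in FIELDS.items()}


def check_record(rec: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one parsed record."""
    findings: List[str] = []
    status = rec["status"]
    success = status.startswith("2")
    method = rec["operation"].split(".")[1] if "." in rec["operation"] else ""
    # The requester field is "-" for unauthenticated (anonymous) requests:
    # a successful one means the bucket or object is reachable by the public.
    if rec["requester"] == "-" and success:
        findings.append("anonymous-access")
    # Denied requests are worth tracking as a signal that someone is probing.
    if status == "403":
        findings.append("access-denied")
    # Successful reads of objects under classified prefixes.
    if success and rec["operation"].startswith("REST.GET.OBJECT") \
            and rec["key"].startswith(SENSITIVE_PREFIXES):
        findings.append("sensitive-read")
    # Bucket-level (no object key) PUT/DELETE operations change configuration,
    # e.g. versioning, policy or logging settings.
    if success and rec["key"] == "-" and method in ("PUT", "DELETE"):
        findings.append("bucket-config-change")
    return findings


def check_line(line: str) -> List[str]:
    return check_record(parse_line(line))


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one report entry per line that triggered at least one detection."""
    report = []
    for line in lines:
        rec = parse_line(line)
        hits = check_record(rec)
        if hits:
            report.append({"time": rec["time"], "bucket": rec["bucket"],
                           "remote_ip": rec["remote_ip"], "key": rec["key"],
                           "findings": hits})
    return report


def summarize(lines: List[str]) -> Counter:
    """Count how often each detection fired across all lines."""
    return Counter(hit for entry in scan(lines) for hit in entry["findings"])


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry)
    print(dict(summarize(SAMPLE_LOG)))
```

In practice you would feed this the log objects S3 delivers to your logging bucket (or, for real-time use, CloudTrail S3 data events) and route the findings to your alerting system; the point of the example is that the "anonymous-access" and "bucket-config-change" signals come straight from fields every access log record already carries.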
Use Bucket Policies
Bucket policies can provide an extra layer of security by specifying who can access specific buckets or objects. You must ensure that any identity-based policies don’t use wildcard actions.
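To make the "no wildcard actions" rule from the Access Control and Bucket Policies items concrete, here is an added example (written for this article, not Lepide's or AWS's code) of a small policy auditor. It reads a bucket policy or identity-based policy document, flags Allow statements that use wildcard actions or resources, grant access to everyone (`Principal: "*"`) without a condition, or rely on `NotAction`, and shows a weak policy beside a hardened one. The bucket name `payroll-exports`, the `ReportReader` role ARN and the account id are constructed sample values.

```python
import json
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]


def _as_list(value: Union[None, str, List[str], Dict[str, Any]]) -> List[Any]:
    """IAM allows scalars or lists for Action, Resource, Statement and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, which both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def audit_policy(policy: Policy) -> List[str]:
    """Return human-readable findings for the risky constructs in a policy."""
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        wildcards = [a for a in actions if "*" in a]
        if wildcards:
            findings.append(f"{sid}: wildcard action(s) {wildcards}")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything not listed; review")
        if _principal_is_everyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{sid}: grants access to everyone (Principal *) with no Condition")
        if any(r == "*" for r in _as_list(stmt.get("Resource"))):
            findings.append(f"{sid}: wildcard resource")
    return findings


def audit_policy_document(text: str) -> List[str]:
    """Audit a policy given as JSON text, e.g. the Policy string returned by get-bucket-policy."""
    return audit_policy(json.loads(text))


BUCKET_ARN = "arn:aws:s3:::payroll-exports"          # constructed example bucket
READER_ROLE = "arn:aws:iam::123456789012:role/ReportReader"  # constructed example role

# The kind of policy that turns a bucket into a public, writable share.
WEAK_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenAccess",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# Hardened form: one named role, two explicit actions, plus a Deny that
# refuses any request not sent over TLS.
HARDENED_POLICY: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportReaderReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": READER_ROLE},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

The auditor is deliberately conservative: a Deny with `Principal: "*"` is fine (and is the standard way to enforce TLS), whereas an Allow with the same principal and no Condition is exactly the "open to EVERYONE" bucket the rest of this article warns about.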
Implement MFA Delete
MFA Delete is a feature provided by AWS that requires multi-factor authentication to delete objects or change the versioning state of your S3 bucket.
Use Object Versioning
S3 versioning can protect against accidental deletion or overwrite of objects. Enabling versioning can also help to restore previous versions of objects if they are accidentally deleted or modified. In addition to versioning, you can use S3 Object Lock to prevent an object from being deleted or overwritten for a fixed time or indefinitely.
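The Block Public Access, encryption and versioning items above are all bucket settings that can be applied and verified through the S3 API. The script below is an added example for this article (not Lepide's code, and not an AWS-provided tool) that applies those three settings with boto3 and then reads them back as a pass/fail audit, including whether MFA Delete is on. The client is passed in as a parameter, so the included `DryRunS3` stand-in lets you exercise the round trip offline; the bucket name and KMS key ARN are constructed sample values, and running it against a real bucket assumes boto3 is installed and credentials are in the environment.

```python
import sys
from typing import Any, Dict, List, Optional, Tuple

try:
    from botocore.exceptions import ClientError
except ImportError:  # boto3/botocore not installed: offline dry run only
    class ClientError(Exception):
        pass


def hardening_plan(bucket: str, kms_key_id: Optional[str] = None) -> List[Tuple[str, Dict[str, Any]]]:
    """The boto3 S3 client calls (method name, kwargs) that apply the settings."""
    if kms_key_id:  # SSE-KMS with a customer managed key; Bucket Keys cut KMS cost
        rule = {"ApplyServerSideEncryptionByDefault":
                {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id},
                "BucketKeyEnabled": True}
    else:  # SSE-S3
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    return [
        ("put_public_access_block", {
            "Bucket": bucket,
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}),
        ("put_bucket_encryption", {
            "Bucket": bucket,
            "ServerSideEncryptionConfiguration": {"Rules": [rule]}}),
        # MFA Delete is deliberately not set here: it needs root credentials and
        # a live MFA token passed via the MFA= parameter of this same call.
        ("put_bucket_versioning", {
            "Bucket": bucket,
            "VersioningConfiguration": {"Status": "Enabled"}}),
    ]


def harden_bucket(s3: Any, bucket: str, kms_key_id: Optional[str] = None) -> List[str]:
    """Apply the plan through the given client and return the methods called."""
    applied = []
    for method, kwargs in hardening_plan(bucket, kms_key_id):
        getattr(s3, method)(**kwargs)
        applied.append(method)
    return applied


def _fetch(s3: Any, method: str, bucket: str) -> Optional[Dict[str, Any]]:
    """Call a get_* method; S3 raises ClientError when a setting was never configured."""
    try:
        return getattr(s3, method)(Bucket=bucket)
    except ClientError:
        return None


def audit_bucket(s3: Any, bucket: str) -> Dict[str, bool]:
    """Read the settings back and report each control as a boolean."""
    pab = (_fetch(s3, "get_public_access_block", bucket) or {}).get("PublicAccessBlockConfiguration", {})
    enc = _fetch(s3, "get_bucket_encryption", bucket) or {}
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    ver = _fetch(s3, "get_bucket_versioning", bucket) or {}
    return {
        "public_access_blocked": all(pab.get(k) for k in (
            "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")),
        "default_encryption": bool(rules),
        "versioning": ver.get("Status") == "Enabled",
        "mfa_delete": ver.get("MFADelete") == "Enabled",
    }


class DryRunS3:
    """Minimal stand-in for a boto3 S3 client: stores what it is given and
    serves it back, raising ClientError for settings that were never put."""

    def __init__(self) -> None:
        self.state: Dict[str, Dict[str, Any]] = {}

    def put_public_access_block(self, **kw: Any) -> None:
        self.state["pab"] = kw["PublicAccessBlockConfiguration"]

    def put_bucket_encryption(self, **kw: Any) -> None:
        self.state["enc"] = kw["ServerSideEncryptionConfiguration"]

    def put_bucket_versioning(self, **kw: Any) -> None:
        self.state["ver"] = kw["VersioningConfiguration"]

    def get_public_access_block(self, **kw: Any) -> Dict[str, Any]:
        if "pab" not in self.state:
            raise ClientError({"Error": {"Code": "NoSuchPublicAccessBlockConfiguration"}}, "GetPublicAccessBlock")
        return {"PublicAccessBlockConfiguration": self.state["pab"]}

    def get_bucket_encryption(self, **kw: Any) -> Dict[str, Any]:
        if "enc" not in self.state:
            raise ClientError({"Error": {"Code": "ServerSideEncryptionConfigurationNotFoundError"}}, "GetBucketEncryption")
        return {"ServerSideEncryptionConfiguration": self.state["enc"]}

    def get_bucket_versioning(self, **kw: Any) -> Dict[str, Any]:
        return dict(self.state.get("ver", {}))  # real API returns no Status when never set


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python harden.py <bucket> [kms-key-arn]
        import boto3
        client, name = boto3.client("s3"), sys.argv[1]
        key = sys.argv[2] if len(sys.argv) > 2 else None
    else:  # offline demonstration against the dry-run client
        client, name, key = DryRunS3(), "payroll-exports", None
    print("before:", audit_bucket(client, name))
    harden_bucket(client, name, key)
    print("after: ", audit_bucket(client, name))
```

Because `audit_bucket` works on any client, the same function can be run read-only across every bucket returned by `list_buckets` to produce the kind of open-bucket inventory described later in this article.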
Discover and Classify your Sensitive Data
You can use Amazon Macie to discover and classify your sensitive data. Alternatively, you can use data classification software that can scan all of your file repositories, whether on-premises or cloud-based, and classify data as it is found. Some solutions can classify data at the point of creation or modification, and some provide pre-defined taxonomies that cater to most data privacy laws, such as GDPR, HIPAA, PCI-DSS, and more. It’s also a good idea to identify and remove any data that is duplicated or no longer relevant.
How Lepide Helps Secure Data in Amazon S3 Buckets
Lepide, a data security platform, offers monitoring of sensitive unstructured data interactions in AWS S3 Buckets, as well as reporting on Open Buckets in AWS S3. Open buckets are a significant risk for any organization that stores sensitive data in AWS S3, and identifying such buckets that are open to “EVERYONE” is crucial.
To address this issue, Lepide Data Security Platform provides an open bucket scanner, which scans AWS S3 storage to identify vulnerable and high-risk buckets. Once identified, you will receive a conclusive list of the buckets that require security, allowing you to prioritize your efforts accordingly.
Gain insight into user activity and interactions with shared data in buckets with the ability to track changes in file additions and removals. In addition to this, you can monitor who is accessing the data and how often they are doing so, which can aid in identifying any unauthorized access or privilege abuse.
In order to avoid privilege abuse, it’s crucial to establish a rigorous security framework for access management to storage buckets. By utilizing Lepide Amazon S3 Auditor, you can monitor Access Control Lists to detect any unauthorized changes to the data permissions. This helps to ensure that access is only granted to those who require it and can prevent privilege sprawl across unstructured data.
If you’d like to see how the Lepide Data Security Platform can help you better protect the data stored in your S3 buckets, schedule a demo with one of our engineers.