Five tips for better AWS S3 bucket security

Barely a day goes by without news of yet another breach of an AWS S3 bucket. But these breaches are preventable.

Misconfigured Amazon Simple Storage Service (S3) buckets have led to an epidemic of breaches, many of them involving major companies or their business associates, including Verizon, a data analytics firm hired by the Republican National Committee, FedEx, even a national defense contractor. The problem is so pervasive that last summer, Amazon itself sent out emails to customers with publicly accessible S3 buckets, warning them to check their security settings.

AWS is a powerful and highly secure cloud environment, but it must be configured and maintained properly. Here are five tips for keeping your AWS environment safe from hackers – and your company out of the news.

Know what it is you’re doing

The default privacy setting for AWS S3 buckets is owner-only. Most AWS breaches involve organisations choosing the “all authorized users” setting when expanding access to their buckets, not realising that this setting includes all authorized users of Amazon Web Services, not just their account. This means that anyone with an AWS account can access that bucket with whatever permissions are granted to that level of access; it’s a free-for-all.

Understand what level of access you’re granting to your data and who you are granting it to. A good rule of thumb is, if you’re not sure, don’t do it! Get help before you end up exposing your data to the world.

Know what data you have

Data governance is one of the pillars of cloud security. You cannot secure your data if you don’t know what you have. Is your data important? Is it unique? Does it have value?

Keep Mitnick’s law in mind and don’t waste money on worthless data; you shouldn’t spend more money protecting your data than the data is worth. At the same time, you shouldn’t skimp on security when dealing with sensitive data that’s worth enormous amounts of money. If a $500 tool can stop a multi-million-dollar breach, it’s well worth the investment.

Many organisations fall prey to the “camel’s nose under the tent” problem. They find that cloud computing is easy, so easy that they start migrating all manner of data into the cloud without evaluating it and considering whether it belongs there. Eventually, really sensitive data ends up being stored in the cloud. Even worse, the IT people may not know this data exists, and it becomes a shadow IT problem. Always identify your data and run an assessment before putting it into the cloud. If you only have two levels of classification, Private or Public, treat everything as Private until you are sure it’s public. Assume it’s private until proven otherwise.
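The two tips above (check who a bucket grant really reaches, and default every bucket to Private until it is classified otherwise) can be turned into a repeatable check. The script below is an added example, not code from the original article or from AWS: it walks a set of bucket ACLs in the same shape that boto3's get_bucket_acl() and get_bucket_tagging() return, flags any grant to the two predefined global groups (the group the article calls “all authorized users” is the AuthenticatedUsers group, which covers every AWS account in existence, while AllUsers covers anonymous requests), and only tolerates a world-readable grant when the bucket carries an explicit Public classification tag. The bucket names, the DataClassification tag key and the ACL contents are constructed sample data so the check runs offline; the two group URIs are the real AWS identifiers.

```python
"""Offline audit of S3 bucket ACL grants against a data-classification tag.

The ACL and tag structures mirror what boto3's get_bucket_acl() and
get_bucket_tagging() return, but every value below is constructed sample
data so the script runs without AWS credentials.
"""

# Real S3 predefined groups. A grant to either makes the bucket world-reachable:
# AllUsers = anonymous requests, AuthenticatedUsers = any AWS account whatsoever.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "Everyone (anonymous)",
    AUTHENTICATED_USERS: "Any AWS account",
}

CLASSIFICATION_TAG = "DataClassification"  # hypothetical tag key, chosen for this example


def classify(tags):
    """Return 'Public' only when the bucket is explicitly tagged so; otherwise 'Private'.

    This implements the article's rule: assume private until proven otherwise.
    """
    for tag in tags:
        if tag.get("Key") == CLASSIFICATION_TAG and tag.get("Value", "").lower() == "public":
            return "Public"
    return "Private"


def public_grants(acl):
    """Return [(audience, permission)] for every grant to a global group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


def audit_bucket(name, acl, tags):
    """Return human-readable findings for one bucket.

    A READ grant to a global group is acceptable only on a bucket tagged Public;
    any WRITE / WRITE_ACP / FULL_CONTROL grant to a global group is always a finding.
    """
    classification = classify(tags)
    findings = []
    for audience, permission in public_grants(acl):
        if classification == "Private" or permission != "READ":
            findings.append(
                f"{name}: {permission} granted to {audience} on a {classification} bucket"
            )
    return findings


# Constructed sample inventory: one untagged bucket accidentally opened to every AWS
# account, one intentionally public website bucket, and one public bucket that also
# allows anonymous writes.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
SAMPLE_BUCKETS = {
    "example-private-reports": {
        "acl": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        ]},
        "tags": [],
    },
    "example-public-website": {
        "acl": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        ]},
        "tags": [{"Key": CLASSIFICATION_TAG, "Value": "Public"}],
    },
    "example-public-uploads": {
        "acl": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        ]},
        "tags": [{"Key": CLASSIFICATION_TAG, "Value": "Public"}],
    },
}


def run_audit(buckets=SAMPLE_BUCKETS):
    """Audit every bucket in the inventory and return the combined findings."""
    findings = []
    for name, bucket in buckets.items():
        findings.extend(audit_bucket(name, bucket["acl"], bucket["tags"]))
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Against live data you would replace SAMPLE_BUCKETS with the output of list_buckets(), get_bucket_acl() and get_bucket_tagging() for each bucket; the audit logic itself does not change. The point of the classification default is that an untagged bucket with a grant to AuthenticatedUsers is reported as a finding even though nobody ever chose “Public” for it, which is exactly the mistake the article describes.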

Take advantage of the tools that are available to secure your AWS environment

Many tools are available that are specifically designed to help you secure your environment. However, these tools are only as good as the people who run them; they work only if organisations actually use them and read the reports they generate. These reports tend to be voluminous, which means they often end up unread. However, they contain nuggets of critical information about the security of your cloud environment.

Beware of the complexity of AWS

The ease of using AWS or other cloud environments can make it easy to forget just how complex the cloud is. Most clouds offer thousands of different options. This complexity is why the cloud is so flexible, but it also decreases visibility. Properly configuring and managing a cloud environment is like assembling a puzzle where all of the pieces are black; when everything looks the same, it’s difficult to find the right knob to turn.

In a general IT environment, there is a management console for every area and tool. Routers, switches, firewalls, servers, and data storage all have their own, different tools, and each tool has its own management console. Once you add a cloud environment, you add another management console. There are already hundreds of ways to screw things up in an on-premises data environment. The cloud adds yet another layer of complexity, and organisations must understand how it will impact their overall cyber security.

Don’t be afraid to seek help

When configured and managed properly, AWS is highly secure, but cloud security is quite different than on-premises security. In many cases, AWS breaches happen because organisations have non-IT personnel, or IT personnel who do not fully understand the cloud, configuring their AWS buckets.

Most organisations do not have the in-house resources to properly configure and maintain a secure AWS environment. Don’t be afraid to seek the help of a professional managed security services provider (MSSP) with experience in both cloud and on-premises data security. A reputable MSSP can help you every step of the way, from evaluating and assessing your data to keeping your cloud secure moving forward.

Even if you’ve already been running an AWS environment for some time, in light of the epidemic of AWS breaches, hiring an MSSP to perform a cloud assessment is a wise move. If you do have security issues, wouldn’t you rather find out about them during an assessment instead of after your data is put up for sale on the Dark Net? Seeking professional help could make the difference between your organisation having a secure AWS environment and it being the next “major AWS breach” headline.