January 5, 2022
Security

3 Recommendations to Achieve Amazon S3 Security

Our quick tips for achieving Amazon S3 Security through tried-and-true best practices, cloud security solutions, and cloud security tools.

Image Credit: Youngryand

“Warning: Your sensitive data has been leaked!”

That is a warning nobody wants to receive. But it happens every day. The good news is that you don’t have to feel insecure about your security.

Sure, we’ve all seen those embarrassing stories about organizations who’ve had sensitive data leaked as a result of poorly configured Amazon S3 buckets. (Some CISOs have joked that Amazon should change S3’s Simple Safe Storage to S4 – Simple Safe Storage Sorta. Keep reading to learn how your AWS data can be simpler AND safer.)

While it’s true that Amazon has improved its default security controls to help the consumer be more mindful, there are still plenty of gaps for the unprepared human to fall through.

That's why you should implement additional measures to keep your data safe now! (Okay, well, right after you finish reading our blog post.)

Here are 3 recommendations you can share with your end users (or use yourself) to help secure Amazon S3 environments and avoid being one of those embarrassing stories:

  1. Place Strict Measures on Identity and Access Control
  2. Use a Trusted External Tool to Identify Threats
  3. High-Quality Encryption is Key

1) Place Strict Measures on Identity and Access Control

If your S3 bucket grants any permissions to members of the predefined AllUsers or AuthenticatedUsers groups, then it is considered a public-facing bucket. If that’s not what you want, it’s time to block people faster than you would a troll on Twitter.

You’ll need to turn on the “Block all public access” setting configuration. As requests come through to AWS, the system will automatically check to see if that “block access” setting has been selected. If so, it will reject that request. (Be careful to configure your groups so that you don’t accidentally block legit users, though.) You can see who has access by looking at the logs for your buckets.

In addition to blocking public access, creating an (IAM) Identity Access Management policy can limit who has access to your bucket and its objects from within your organization. IAM policies can grant access to S3 resources at both the bucket and object level to further granularize control.

Pro Tip: You want to limit access as much as possible. Does your entire department really need to view (or modify) privileged financial data? Or can one trusted person accomplish the same objective? (If you’re unsure how to configure a “least privileged” IAM access policy, check out this blog for some great tips.)

2) Use a Trusted External Tool to Identify Threats

After you’ve set up your environment and feel ready to rock and roll, it’s a good idea to double-check what you’ve done. Sure, you could ask your beleaguered coworker to take a look (eye roll emoji goes here), but they likely have 982347 other tasks to focus on and won’t necessarily give your S3 configuration the time and attention it needs. That’s just ONE way a third-party tool like Tenacity can save your butt. 

With a simple double-click, Tenacity makes double-checking your work done and done. In a single, quick glance, you can identify any vulnerabilities you may have missed. This is a super-affordable, huge value-add for MSPs who are looking to stay relevant in the growing wake of public cloud adoption.

3) High Quality Encryption Is Key

It may seem obvious, but encryption provides an extra layer of protection and is one of the easiest security measures to implement. AWS offers the ability to default to server-side encryption using KMS (Key Management Service). This will, by default, encrypt all objects stored in your bucket. If you don’t select this option, you’ll have to include encryption information with every object storage request (kind of a pain). Plus, there’s no additional cost to encrypt, so...why wouldn’t you?

Overall, the mindset about securing data in a public cloud like Amazon is improving, but there are a lot of people out there who simply assume their data is safe because it’s in the public cloud. Don’t be like them! (Must we remind you again of these embarrassing stories?) Follow the above tips to make your way towards a stronger cloud security posture.

Want more information on public cloud security? Check out some more of our recommend blog posts below or contact Tenacity today.

Latest articles

Browse all