How to Configure and Secure Amazon S3
Risks of Amazon S3
There is no denying that Amazon S3 is exceptionally versatile and exponentially faster than other object-based storage options out there. However, it's easy to take a wrong turn and end up with colossal storage bills or security breaches.
Amazon S3 is not merely a personal or professional object-based storage solution. A large number of other AWS services use Amazon S3 to store backup or data snapshots. If you are running an Amazon EC2 instance with daily backup turned on, the incremental backups will be stored on Amazon S3, increasing your bills exponentially.
Amazon S3 buckets everywhere
As we have discussed earlier, accidental Amazon S3 bucket creation is common. A nontrivial number of services and applications can quickly spin up buckets without you knowing. For example, creating an Amazon Machine Image (AMI) from an Amazon EC2 instance stores that image in Amazon S3. It's easy to overlook what's being done in your name, but this neglect hurts your organization by increasing costs.
Furthermore, buckets created by other services will not carry the set of permissions you require. If your organization does not have a dedicated AWS engineer to allocate the necessary permissions, you may end up granting excessive permissions, which exposes the bucket to external threats. On the other hand, too few permissions can cause accessibility issues in applications.
Taming the Amazon S3 configuration rodeo
How can you avoid Amazon S3 configuration issues? There are some golden rules every administrator should follow. Most importantly, you should always practice the principle of least privilege to ensure your Amazon S3 bucket permissions are set correctly.
If you are attaching an Amazon S3 bucket to an Amazon EC2 instance or other compute services, assign an IAM role that grants those services the access they need rather than handing out standing credentials. Another step is to ensure that only authorized users and applications can write into your Amazon S3 bucket. Unauthorized writers can plant content that lets an attacker into your system, or simply use your bucket as free storage at your expense.
Furthermore, it's best to ensure that only authorized users and apps can read your buckets. Failure to set proper read permissions can result in the accidental sharing of confidential information. For example, consider the recent 2020 U.S. voter record data breach, which exposed approximately 198 million American voters' personal data.
AWS CloudFormation to the rescue
CloudFormation can help avoid Amazon S3 configuration issues by enabling you to configure and provision AWS resources from templates written in JSON or YAML. This is helpful because a single template can describe the Amazon S3 buckets you want to create together with the roles and permissions they should include.
Where possible, use CloudFormation templates for all Amazon S3 bucket provisioning so you can guarantee that all buckets are created with correct access management settings. Moreover, you can use CloudFormation to set permissions on existing buckets to prevent any rogue, insecure Amazon S3 buckets from hiding in your vast AWS infrastructure.
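A template of the kind described above, added here as an example rather than taken from the article or from AWS documentation: it creates a bucket that blocks all public access and encrypts objects by default, attaches a bucket policy that refuses plaintext HTTP, and defines a least-privilege IAM role for the compute service that needs the bucket. The logical names DataBucket, DataBucketPolicy and AppInstanceRole are assumptions chosen for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:   # reject public ACLs and policies
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:                 # encrypt every object at rest
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Refuse plaintext HTTP access to the bucket and its objects
          - Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource:
              - !GetAtt DataBucket.Arn
              - !Sub '${DataBucket.Arn}/*'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'
  AppInstanceRole:                      # hypothetical role for the EC2 app
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: DataBucketReadWrite
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Object read/write only, scoped to this bucket; no s3:*
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]
                Resource: !Sub '${DataBucket.Arn}/*'
```

Attach the role to the instance through an instance profile; any other principal that needs the bucket gets its own narrowly scoped policy rather than a change to the bucket's public settings.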
Next steps
We've explored the various cloud storage options on AWS, diving deeper into some Amazon S3 configuration concerns and how we can address those concerns manually. Amazon S3 buckets are secure by default, but administrative errors can cause a data breach. Wouldn't it be nice not to worry about these concerns?
Take your cloud storage security to the next level now with Trend Micro Cloud One™. One of the many benefits of our security services for cloud builders is that it provides assurance that your Amazon S3 storage buckets are configured according to industry best practices and are free from malware. With 750+ cloud infrastructure configuration checks for AWS and Azure and automated protection to mitigate risks, your teams can build in the cloud with confidence.