5 Ways to Secure Amazon S3 Buckets

Companies continue to migrate to cloud-hosted infrastructure, applications, microservices and backend services worldwide. Of course, cloud storage is a big part of the migration equation due to its many advantages, including scalability, high availability, geographic distribution and potential cost savings.

While cloud providers maintain highly secure cloud environments such as Amazon Simple Storage Service (Amazon S3), the cloud represents a new potential for security incidents. These could be anything from a social engineering attack to a simple mistake that leaves data open and discoverable to anyone who notices. Let’s take a look at five critical areas that newcomers, in particular, should pay attention to when migrating to the cloud.

1) Configure for Maximum Security

Amazon S3 buckets have fine-grained permissions, and most users and applications accessing them need only a small subset to accomplish their tasks. But locking down these permissions can be complicated. So, when securing cloud resources, it’s important to focus on setting up a known-good configuration and then monitoring it for drift.

The AWS Config service compares your resource configurations to your desired state and sends out notifications when something drifts out of compliance. Amazon Macie is another useful AWS tool that extends configuration monitoring by using machine learning to continuously monitor the access patterns of your Amazon S3 storage.

2) Protect Data Everywhere It Goes

You’ll want to ensure that your Amazon S3 buckets are encrypted both on the server and during transport. If you only have one bucket, this might not be complicated, but if buckets are being created dynamically, monitoring and controlling encryption might not be taking place the way you think it is.

On the server side, Amazon S3 buckets support encryption, but it must be turned on. Encrypting the bucket ensures that anyone getting their hands on the data will need a key (password) to decrypt it. During transport, the HTTPS protocol ensures data is encrypted end to end.

3) Enforce Access Control

AWS security is based on AWS Identity and Access Management (IAM) policies. IAM provides the infrastructure necessary to control authentication and authorization for your account using role-based access.

You’ll need to ensure that any roles you define have only the minimum access necessary to get the job done, limiting potential damage should a user’s account be breached. In the cloud, this is called least-privilege access and refers to authorization policies that give authenticated principals only the access they need to perform a specific task. For example, people in a sales role may have access to sales reports but not accounting statements.
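The sales-reports example above, worked through in code. This is an added illustration, not code from the article or from AWS: it shows an overly broad IAM policy beside a least-privilege one for a hypothetical bucket (`example-corp-data`, with `sales/reports/` and `accounting/` prefixes, all placeholder names) and a deliberately simplified evaluator, so you can see why the scoped policy lets the sales role read reports but nothing else. The evaluator handles only wildcard matching, explicit Deny precedence and the `StringEquals`/`StringLike` condition operators; real IAM evaluation also merges resource policies, service control policies and permission boundaries.

```python
import fnmatch

# Constructed example policies for illustration; the bucket name "example-corp-data"
# and the prefixes are placeholders, not values from the article.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SALES_REPORTS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Listing is allowed only under the reports prefix.
            "Sid": "ListReportsPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-corp-data",
            "Condition": {"StringLike": {"s3:prefix": "sales/reports/*"}},
        },
        {   # Read-only on report objects; no Put/Delete is granted anywhere.
            "Sid": "ReadReportsOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-corp-data/sales/reports/*",
        },
        {   # Explicit Deny on accounting data wins over any Allow added later.
            "Sid": "NeverTouchAccounting",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-corp-data/accounting/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match: '*' spans any characters, '?' exactly one."""
    patterns = _as_list(patterns)
    if fold_case:  # IAM matches action names case-insensitively
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a small subset of IAM conditions (StringEquals, StringLike).
    A condition key missing from the request context makes the statement
    not match, which is how these operators behave in IAM."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator in example: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not _matches(expected, actual):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified single-policy evaluation: an explicit Deny wins, then any
    matching Allow grants access, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def wildcard_findings(policy):
    """Flag Allow statements that grant every action or apply to every resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any(a in ("*", "s3:*") for a in _as_list(stmt["Action"])):
            findings.append(f"{sid}: allows every S3 action")
        if "*" in _as_list(stmt["Resource"]):
            findings.append(f"{sid}: applies to every resource")
    return findings


if __name__ == "__main__":
    report = "arn:aws:s3:::example-corp-data/sales/reports/q1.csv"
    ledger = "arn:aws:s3:::example-corp-data/accounting/ledger.csv"
    print("broad policy can delete the bucket:", is_allowed(BROAD_POLICY, "s3:DeleteBucket", "arn:aws:s3:::example-corp-data"))
    print("sales role can read a report:", is_allowed(SALES_REPORTS_POLICY, "s3:GetObject", report))
    print("sales role can read the ledger:", is_allowed(SALES_REPORTS_POLICY, "s3:GetObject", ledger))
    print("findings for broad policy:", wildcard_findings(BROAD_POLICY))
```

Note the third statement: even if someone later adds a broad Allow to the same role, the explicit Deny on the accounting prefix still wins, which is the property you want when a breached sales account is the scenario you are limiting.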

4) Use Multiple Layers of Security

When security fails through misconfiguration, human error or a sophisticated attack, additional protection layers may be the difference between safety and a breach.

One potent but straightforward tool you can use is multi-factor authentication (MFA). MFA requires something you know (like a password) and something you have, such as a physical device like a Yubico security key or a dynamically generated one-time authentication code.

AWS also supports MFA Delete for Amazon S3 buckets. MFA Delete requires two-factor authentication to change the versioning state of your bucket or permanently delete the bucket.
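The drift check described under 1) Configure for Maximum Security, the encryption requirements under 2) Protect Data Everywhere It Goes, and the MFA Delete setting just above can all be expressed as one desired-state audit. The code below is an added example, not code from the article, AWS Config or Amazon Macie: it evaluates a bucket description against five controls (default encryption, all four public access block settings, a TLS-only bucket policy, versioning and MFA Delete). No AWS call is made; the two sample buckets are constructed inline, with their nested dicts shaped like the responses of boto3's `get_bucket_encryption`, `get_public_access_block`, `get_bucket_policy` and `get_bucket_versioning`, so that the same function could be fed live data from those calls. Bucket names, the KMS key ARN and the account id are placeholders.

```python
import json

# Constructed sample data. None stands for "not configured", the case where the
# live API would raise (for example NoSuchBucketPolicy) instead of returning a dict.
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-hardened", "arn:aws:s3:::example-hardened/*"],
        # Rejects any request that did not arrive over HTTPS.
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

HARDENED_BUCKET = {
    "name": "example-hardened",
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "policy": {"Policy": json.dumps(TLS_ONLY_POLICY)},
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
}

# A bucket created by hand and never hardened: no default encryption, two of the
# four public access block settings off, a policy granting public reads,
# versioning suspended and MFA Delete never turned on.
DRIFTED_BUCKET = {
    "name": "example-drifted",
    "encryption": None,
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-drifted/*"}]})},
    "versioning": {"Status": "Suspended"},
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _has_tls_only_deny(policy_doc):
    """True if some Deny statement is conditioned on aws:SecureTransport being false."""
    for stmt in policy_doc.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True
    return False


def audit_bucket(bucket):
    """Return (control, message) pairs for every control the bucket fails.
    An empty list means the bucket matches the desired state."""
    findings = []

    enc = bucket.get("encryption") or {}
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append(("default-encryption", "no default server-side encryption configured"))

    pab = (bucket.get("public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    off = [k for k in PAB_KEYS if not pab.get(k, False)]
    if off:
        findings.append(("public-access-block", "settings not enabled: " + ", ".join(off)))

    raw = (bucket.get("policy") or {}).get("Policy")
    if raw is None or not _has_tls_only_deny(json.loads(raw)):
        findings.append(("tls-only-policy", "no Deny for requests with aws:SecureTransport=false"))

    ver = bucket.get("versioning") or {}
    if ver.get("Status") != "Enabled":
        findings.append(("versioning", "versioning is not enabled"))
    if ver.get("MFADelete") != "Enabled":
        findings.append(("mfa-delete", "MFA Delete is not enabled"))
    return findings


if __name__ == "__main__":
    for b in (HARDENED_BUCKET, DRIFTED_BUCKET):
        print(b["name"], audit_bucket(b) or "compliant")
```

Run against every bucket in the account on a schedule (or wire the same checks into an AWS Config custom rule) and the list of findings is the drift report the article asks for; a bucket created dynamically by an application shows up the moment it misses a control.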

5) Automate Logging and Auditing

Any security breach puts your business and your reputation at risk. AWS has built-in tools that provide visibility into real-time and historical access and activities to help you spot suspicious activity or provide a record you can use to track access and identify affected resources.

Amazon CloudWatch is an optional monitoring service for DevOps and IT managers that provides a unified view of operations covering AWS and on-premises servers, enabling you to detect problems, visualize logs and automate actions to remediate issues or notify people.

The AWS CloudTrail service continuously audits your AWS usage, providing stronger governance, compliance and risk assessment. In addition, AWS CloudTrail provides a history of any actions taken in the AWS Management Console, SDKs, command line and other services.
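What "spotting suspicious activity" in the CloudTrail history looks like in practice, as an added example that is not part of the article and not an AWS product feature: two detection rules run over a handful of constructed CloudTrail-style records. The top-level field names (`eventName`, `eventSource`, `userIdentity`, `sourceIPAddress`, `requestParameters`, `errorCode`) follow the CloudTrail record format; the user names, bucket, IP addresses, account id and timestamps are placeholders. Rule 1 flags successful changes to bucket security settings (the same controls the drift audit above cares about); rule 2 flags a burst of AccessDenied responses from one source address, which is what a least-privilege policy doing its job looks like in the logs.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real logs).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:00:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"bucketName": "example-corp-data"}},
    {"eventTime": "2024-03-01T10:02:45Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucketEncryption", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"bucketName": "example-corp-data"}},
    {"eventTime": "2024-03-01T10:03:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutPublicAccessBlock", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"bucketName": "example-corp-data"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/SalesReports/jdoe"},
     "requestParameters": {"bucketName": "example-corp-data", "key": "sales/reports/q1.csv"}},
] + [
    # Four denied reads of accounting data from one address inside a minute.
    {"eventTime": f"2024-03-01T11:05:{sec:02d}Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-jsmith"},
     "requestParameters": {"bucketName": "example-corp-data", "key": "accounting/ledger.csv"},
     "errorCode": "AccessDenied"}
    for sec in (3, 9, 17, 41)
] + [
    # A single denied call from elsewhere: below the burst threshold, not a finding.
    {"eventTime": "2024-03-01T12:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "analyst-kw"},
     "requestParameters": {"bucketName": "example-corp-data", "key": "hr/salaries.csv"},
     "errorCode": "AccessDenied"},
]

# S3 control-plane calls that rewrite or weaken a bucket's security posture.
SENSITIVE_EVENTS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
    "PutBucketEncryption", "DeleteBucketEncryption",
    "PutPublicAccessBlock", "DeletePublicAccessBlock",
    "PutBucketVersioning", "DeleteBucket",
}


def actor(record):
    """Best available identity label: IAM user name, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(records, denied_threshold=3):
    """Return (rule, actor, detail) findings over CloudTrail records.
    Rule 1: a successful sensitive S3 configuration change (no errorCode).
    Rule 2: at least `denied_threshold` AccessDenied responses from one source IP."""
    findings = []
    denied = Counter()
    denied_actor = {}
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name = rec.get("eventName")
        bucket = rec.get("requestParameters", {}).get("bucketName", "?")
        if name in SENSITIVE_EVENTS and "errorCode" not in rec:
            findings.append(("sensitive-config-change", actor(rec),
                             f"{name} on {bucket} at {rec.get('eventTime')}"))
        if rec.get("errorCode") == "AccessDenied":
            ip = rec.get("sourceIPAddress", "?")
            denied[ip] += 1
            denied_actor[ip] = actor(rec)
    for ip, n in denied.items():
        if n >= denied_threshold:
            findings.append(("access-denied-burst", denied_actor[ip],
                             f"{n} AccessDenied responses from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_RECORDS):
        print(f"[{rule}] {who}: {detail}")
```

The same two rules translate directly into CloudWatch metric filters and alarms on a trail delivered to CloudWatch Logs, which is the automation the article has in mind: a sensitive-change alarm paged to a human, and a denied-burst alarm that starts with a ticket rather than a page, since it is usually a permissions gap, not an intrusion.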

Go Beyond the Basics

The AWS Well-Architected Framework helps ensure the applications you build in the cloud perform as expected. Augmenting AWS tools with third-party security offerings can provide the best possible protection for your data. AWS Security Competency Partners like Trend Micro give you capabilities beyond those provided by AWS.

Trend Micro Cloud One™ is a security services platform for cloud builders worth considering, as it delivers the broadest and deepest cloud security offering in one solution, enabling you to secure your cloud infrastructure with clarity and simplicity. Sign up for a 30-day free trial to try it out.
