In March of this year, Hobby Lobby, a national arts and crafts retailer, had 138GB of data, including payment card info and physical addresses, plucked out of an open Amazon S3 bucket. Events like this impact the entire organization – including developers, who are responsible for remediating misconfigurations.
This article explores how to avoid post-deployment headaches by increasing the security of your Amazon S3 buckets and the objects stored within during the early phases of development.
The Shared Responsibility Model
As with all cloud environments, you’re responsible for what you store in it. This is part of the shared responsibility model – meaning that the cloud service provider (CSP) is responsible for the overall security of the infrastructure that runs all of the services, including the hardware, software, networking and facilities that run AWS Cloud services. But, the user is responsible for securing any data or objects within that environment.
As an Amazon S3 user, it’s your responsibility to consider the following security requirements:
- Define the least privileged access to the bucket and continuously review those permissions across all the buckets
- Enable encryption
- Enable data recovery to help meet compliance requirements
- Enable protection of overwritten objects
- Define tags for better labeling, collecting and organizing resources available within your AWS environment
- Enable “Block Public Access” for buckets that should never be public
- Ensure Amazon S3 buckets are enforcing secure sockets layer (SSL) to secure data in transit
- Ensure the logging access is enabled to track access requests
- Validate that the information being stored is safe and does not contain malicious code hidden as malware or ransomware
'Shift left' for Greater Security
To 'shift left' refers to the way developers will move a function to an earlier phase of their processes to make identifying and fixing bugs and other errors easier and less time-consuming.
Essentially, this means moving your security scans, audits or thingamajigs to the front of your pipeline. The benefits of catching security issues at the onset are enormous: it helps save time and money and reduces risks to the business. By introducing security checks and validation at the first step in the infrastructure build process (IaC templates), you can reduce friction for the development and operations team.
"Misconfigurations are the number one risk to cloud environments"
You may be wondering what exactly you should be looking for or be keeping an eye on? Misconfigurations are the number one risk to cloud environments. Therefore, you should pay extra attention to monitoring for any possible errors.
To simplify the process, you can use cloud security posture management (CSPM) tools that can help monitor for misconfigurations in real-time across all your Amazon S3 buckets and other AWS services.
Ideally, the CSPM you choose will take a “shift-left” security approach by integrating into the infrastructure as code (IaC) with AWS CloudFormation templates. This helps you identify and detect misconfigurations in the earliest stage of development. A CSPM tool such as Trend Micro Cloud One™ can help you shift left to help secure Amazon S3 buckets.
To streamline the entire audit process, choose a CSPM that uses an integrated development environment (IDE)security plug-in. This will give developers real-time feedback in the IaC template, so they can scan and fix issues in their current IDE workspace as early as possible. That way, developers can prevent misconfigurations across different AWS services and build in accordance with the AWS Well-Architected Framework.
How Do Template Scanners Work?
Think of template scanning as body scanners at the airport—it’s similar in the way it provides enhanced visibility into any risks or threats that may not be caught with the human eye. Template scanning is especially necessary if you use open source code repositories to build (which 90% of developers do, according to Gartner).
Template scanners use powerful APIs within your CSPM tool to provide automated, real-time checks every time you push a new template and share results with developers and cloud architects, so they can investigate any potential issues before production.
Simplify Cloud Security
Trend Micro Cloud One™ – Conformity is a CSPM solution that seamlessly integrates into your CI/CD pipeline to detect misconfiguration in multiple CSPs. It’s designed to overcome any visibility or security risk challenges by running auto-checks against hundreds of cloud infrastructure configuration best practices and compliance standards, including PCI-DSS, HIPAA, HITRUST, NIST-800-53 and more. The solution also ensures fast remediation by providing instant alerts and remediation steps when critical misconfigurations are detected.
Trend Micro Cloud One™ – File Storage Security complements Conformity by making sure the files going inside the bucket are safe and helping you stay compliant by keeping your files and data within your AWS account during scanning. By automating the file scanning process, you’re eliminating the possibility of human interaction, which in return increases the level of security and compliance within your Amazon S3 buckets. Some other benefits of File Storage Security are:
- Improved file reputation: Block bad files using Trend Micro anti-malware signatures on all types of malware, including viruses, Trojan, spyware and more
- Variant protection: Look out for obfuscated or polymorphic variants of malware via fragments of previously seen malware and detection algorithms
- Extensive flexibility: Trusted scanning support for all file sizes and types, including .BIN, .EXE, .JPEG, .MP4, .PDF, .TXT, .ZIP and more
As the gatekeeper of what goes in and out of your buckets, you should implement real-time scans to inspect those buckets for malware and misconfigurations so they’re detected before they can impact business processes. Explore how the advanced capabilities of Trend Micro Cloud One™ – Conformity and Trend Micro Cloud One™ – File Storage Security can help you reduce disruptions and prevent criminal activity. Get started with a free 30-day Trend Micro Cloud One™ trial.
