the_lightwriter -

The AWS bucket list: Keep your cloud secure

Misconfigured cloud installations risk billions of records being exposed, damaging organisations’ finances and reputations. Paying attention to securing AWS storage buckets is a simple matter

Back in February, cloud security specialists DivvyCloud released their 2020 cloud misconfigurations report, which highlighted that misconfigured cloud installations had cost organisations $5tn (approximately £4tn) over the past two years.

During that time, over 33 billion records were exposed; an increase of 80% from previous years. These included the Adobe breach in October 2019, as well as the breach at B&Q in January 2019.

The report also revealed that older businesses are more likely to have misconfigured cloud installations, as nearly 70% of the breaches related to organisations over 10 years old. Organisations that had been established less than five years ago only accounted for just under 7% of breaches.

It could be argued that the smaller companies may not be as great a target for malicious actors.  However, it is perhaps more relevant that those using cloud services from the start, rather than undergoing the complex task of migrating their data from an on-premise infrastructure, seem better able to secure their cloud structure.

Misconfigured cloud installations are not limited to a single sector but are endemic across every industry. With greater proportions of our society being digitised, there are increasing demands on already over-stretched IT teams, some of whom have not had the necessary investment.

This growing workload means that IT teams are frequently over-worked and can have competing demands placed upon them. Such workloads can only continue for so long before mistakes occur, due to stress and fatigue.

Of the event reports, one of the more frequently compromised services was Amazon Web Services (AWS) Simple Storage System (S3) buckets. This accounted for a sixth of the total recorded data exposure.

Default setting

Amazon’s S3 buckets are secure by default. However, in the S3 Block Public Access feature, which provides administrators with a centralised place to block public access, the default setting is “off”.

“The thing with AWS is that there is a ‘ban public access option’ that actually needs to be turned on,” says software developer and DevOps contractor Simon Potthast. “AWS is private, but you haven't specifically blocked public access to it.”

A lack of awareness in cloud configurations, especially due to the ever-expanding and evolving nature of cloud services, means that IT teams need to maintain an awareness of ongoing services in the cloud. Years ago, a project could be deployed and then left. However, this is no longer the case, as the cloud services are routinely patched and upgraded, creating changes that can potentially leave a once-secure project vulnerable.

To assist IT teams with maintaining their knowledge of AWS protocols and policies, there are a series of online repositories that provide essential information for configuring cloud solutions. As well as Amazon’s own reference documents, AWS Docs, there are the Open Web Application Security Project (OWASP)’s cheat sheets.

“Amazon have pages on security best practices for S3, as does OWASP,” says Potthast. “There are a ton of resources out there to help you to secure your application, but it's a case of putting in the time to read and apply them.”

Security guidance

For those who are unsure about certain points in cloud security, there is an AWS account team and support team available to provide security guidance for the deployment of cloud systems.

Due to the immense pressure that some IT teams are under, this aspect highlights the need for IT teams to have greater oversight in order to review the processes in place. This will ensure that their services are fully secure throughout the lifecycle of their projects. Just as documents need to be checked and approved, so too should IT projects be independently reviewed to ensure they are secure.

As part of this, administration rights should be modified to incorporate these elements, with organisations reviewing admin rights to incorporate greater oversight into their systems.

“Companies need to put more controls in the upper management level to ensure that people are doing the right thing,” says Colin Tankard, managing director of Digital Pathways. “It's almost a case of monitoring the monitors, but that's the only way you're going to get to know that things are being done and the people that are accessing the data are the right people.”

Organisations can encrypt their content for highly sensitive material. AWS, as well as third-party providers, offer tools that can be used to encrypt data. Should a leak or breach occur, any content that has been encrypted is rendered useless without the appropriate decryption keys.

From the system side of things, Amazon S3 includes native functionality to assist organisations with avoiding misconfigurations, such as a prominent indicator in the S3 console next to each publicly accessible bucket. There is also the S3 Block Public Access feature, which allows account administrators to centrally control access settings, to prevent variation in their security configurations.

For example, AWS Config allows customers to enable pre-packaged rules which help ensure that their AWS resources are in a properly configured and compliant state. Some of these rules are designed to automatically identify buckets that allow global read or write access, by checking all buckets in the account and flagging content that is publicly available.

Read more about AWS security

With AWS CloudTrail, IT teams can log, monitor and retain account activity related to actions across AWS infrastructure, simplifying security analysis and troubleshooting. CloudTrail is enabled on all AWS accounts without any additional configuration.

Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in AWS. This fully-managed service monitors data access activity for anomalies and generates detailed alerts of unauthorised access or inadvertent data leaks – such as sensitive data that a customer has accidentally made externally accessible.

AWS also has Amazon GuardDuty; a threat detection service that continuously monitors for malicious activity and unauthorised behaviour. In the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyse event log data for potential threats. With GuardDuty, organisations can have an intelligent and cost-effective option for continuous threat detection. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritise potential threats.

GuardDuty analyses tens of billions of events across multiple AWS data sources and can be enabled without any software or hardware to deploy or maintain. By integrating with AWS CloudWatch Events, GuardDuty alerts can be aggregated across multiple accounts and can be combined with existing event management and workflow systems.

“Organisations need to be aware and put things in place to either self-test or look at logs themselves, because you tend to not get alerted until it’s too late,” says Tankard.

Create and manage

Also, AWS Identity and Access Management (IAM) enables organisations to manage access to AWS services and resources securely. IAM allows organisations to create and manage AWS users and groups, as well as use permissions to allow and deny their access to AWS resources, as required.

AWS recently launched a new feature within IAM called Access Analyzer, which simplifies the process of checking all permissions, which have been granted from policies associated with S3 buckets, to ensure they only provide the intended access.

At their recent re:Invent conference, AWS announced Amazon Detective; a system to analyse, investigate and identify root causes of potential security issues or suspicious activities. This system automatically collects log data from an organisation’s AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables the client to conduct more efficient security investigations.

Finally, the AWS Security Hub offers organisations a comprehensive view of their high-priority security alerts and compliance status across AWS accounts. There are a range of security tools, from firewalls and endpoint protection to vulnerability and compliance scanners. This can leave IT teams switching back-and-forth between tools to deal with hundreds, and sometimes thousands, of security alerts every day. Security Hub allows users to have a single place that aggregates, organises, and prioritises security alerts, from multiple AWS services and AWS Partner solutions.

“Zero trust security models, where organisations verify everything before granting access, whether it comes from inside or outside the network perimeter, should be considered essential in this context,” says David Higgins, EMEA technical director of CyberArk. “Practicing defence-in-depth and incorporating privileged access management controls at the core of their strategy allows organisations to implement a trust framework that drives down the risk of similar data leakage in the future.”

Despite the growing frequency of data breaches and leaks from cloud services, AWS – and other cloud providers – are a secure platform for protecting data, provided they are properly configured and have the correct permissions in place.  This should be in conjunction with an ongoing review process to ensure that the correct protocols have been established and continue to be followed.

“As long as you set it up correctly, then AWS is a perfectly secure and valid way of doing things,” says Potthast.

Read more on Cloud security

Data Center
Data Management