
The AWS bucket list: Keep your cloud secure

Misconfigured cloud installations risk billions of records being exposed, damaging organisations’ finances and reputations. Paying attention to securing AWS storage buckets is a simple matter

Back in February, cloud security specialists DivvyCloud released their 2020 cloud misconfigurations report, which highlighted that misconfigured cloud installations had cost organisations $5tn (approximately £4tn) over the past two years.

During that time, over 33 billion records were exposed, an increase of 80% on previous years. These included the Adobe breach in October 2019, as well as the breach at B&Q in January 2019.

The report also revealed that older businesses are more likely to have misconfigured cloud installations, as nearly 70% of the breaches related to organisations over 10 years old. Organisations that had been established less than five years ago only accounted for just under 7% of breaches.

It could be argued that smaller companies may not be as great a target for malicious actors. However, it is perhaps more relevant that organisations using cloud services from the start, rather than undergoing the complex task of migrating their data from an on-premises infrastructure, seem better able to secure their cloud estate.

Misconfigured cloud installations are not limited to a single sector but are endemic across every industry. With greater proportions of our society being digitised, there are increasing demands on already over-stretched IT teams, some of whom have not had the necessary investment.

This growing workload means that IT teams are frequently overworked and can have competing demands placed upon them. Such workloads can only continue for so long before mistakes occur, due to stress and fatigue.

Among the reported events, one of the most frequently compromised services was Amazon Web Services (AWS) Simple Storage Service (S3) buckets, which accounted for a sixth of the total recorded data exposure.

Default setting

Amazon’s S3 buckets are secure by default. However, in the S3 Block Public Access feature, which provides administrators with a centralised place to block public access, the default setting is “off”.

“The thing with AWS is that there is a ‘ban public access option’ that actually needs to be turned on,” says software developer and DevOps contractor Simon Potthast. “AWS is private, but you haven't specifically blocked public access to it.”

Because cloud services are constantly expanding and evolving, IT teams need to maintain an awareness of the services they have running in the cloud. Years ago, a project could be deployed and then left. This is no longer the case, as cloud services are routinely patched and upgraded, creating changes that can leave a once-secure project vulnerable.

To assist IT teams with maintaining their knowledge of AWS protocols and policies, there is a series of online repositories that provide essential information for configuring cloud solutions. As well as Amazon’s own reference documents, AWS Docs, there are the Open Web Application Security Project (OWASP)’s cheat sheets.

“Amazon have pages on security best practices for S3, as does OWASP,” says Potthast. “There are a ton of resources out there to help you to secure your application, but it's a case of putting in the time to read and apply them.”

Security guidance

For those who are unsure about certain points in cloud security, there is an AWS account team and support team available to provide security guidance for the deployment of cloud systems.

Given the immense pressure that some IT teams are under, there is a need for greater oversight to review the processes in place, ensuring that services remain secure throughout the lifecycle of a project. Just as documents need to be checked and approved, so too should IT projects be independently reviewed to ensure they are secure.

As part of this, organisations should review administration rights and modify them to build greater oversight into their systems.

“Companies need to put more controls in the upper management level to ensure that people are doing the right thing,” says Colin Tankard, managing director of Digital Pathways. “It's almost a case of monitoring the monitors, but that's the only way you're going to get to know that things are being done and the people that are accessing the data are the right people.”

For highly sensitive material, organisations can encrypt their content. AWS, as well as third-party providers, offers tools that can be used to encrypt data. Should a leak or breach occur, any content that has been encrypted is rendered useless without the appropriate decryption keys.

From the system side of things, Amazon S3 includes native functionality to assist organisations with avoiding misconfigurations, such as a prominent indicator in the S3 console next to each publicly accessible bucket. There is also the S3 Block Public Access feature, which allows account administrators to centrally control access settings, to prevent variation in their security configurations.

For example, AWS Config allows customers to enable pre-packaged rules which help ensure that their AWS resources are in a properly configured and compliant state. Some of these rules are designed to automatically identify buckets that allow global read or write access, by checking all buckets in the account and flagging content that is publicly available.
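How those signals fit together, as an added example (not code from the article or from AWS): a simplified Python evaluation of whether a bucket is effectively public, combining the bucket ACL, the bucket policy and the Block Public Access settings described above. The input shapes follow the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API responses; the sample values are constructed.

```python
# Added example, not code from the article or from AWS: a simplified check of whether
# an S3 bucket is effectively public, combining bucket ACL, bucket policy and S3 Block
# Public Access. Input shapes follow the S3 API responses; sample values are constructed.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_public_grants(acl):
    """Permissions the ACL grants to the predefined AllUsers/AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS))

def policy_public_sids(policy_json):
    """Sids of Allow statements open to any principal and carrying no Condition."""
    sids = []
    for s in json.loads(policy_json)["Statement"]:
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s.get("Effect") == "Allow" and anyone and "Condition" not in s:
            sids.append(s.get("Sid", "<no Sid>"))
    return sids

def evaluate_bucket(acl, policy_json, public_access_block):
    """Return findings (empty list means nothing public). IgnorePublicAcls neutralises public
    ACL grants, RestrictPublicBuckets a public policy; a missing config counts as all off."""
    pab = {k: public_access_block.get(k, False) for k in BLOCK_SETTINGS}
    findings, perms = [], acl_public_grants(acl)
    if perms and not pab["IgnorePublicAcls"]:
        findings.append("ACL grants %s to a public group" % ", ".join(perms))
    sids = policy_public_sids(policy_json) if policy_json else []
    if sids and not pab["RestrictPublicBuckets"]:
        findings.append("policy statement(s) %s allow any principal" % ", ".join(sids))
    off = [k for k, on in pab.items() if not on]
    if off:
        findings.append("Block Public Access off for: %s" % ", ".join(off))
    return findings

# Constructed sample: a public-read ACL plus an unconditional GetObject policy.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
ALL_ON = dict.fromkeys(BLOCK_SETTINGS, True)  # every Block Public Access setting enabled

if __name__ == "__main__":
    print(evaluate_bucket(SAMPLE_ACL, SAMPLE_POLICY, {}), evaluate_bucket(SAMPLE_ACL, SAMPLE_POLICY, ALL_ON))
```

With the Block Public Access settings off (the default the article describes) the sample bucket produces three findings; with all four on, the same ACL and policy produce none.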


With AWS CloudTrail, IT teams can log, monitor and retain account activity related to actions across AWS infrastructure, simplifying security analysis and troubleshooting. CloudTrail is enabled on all AWS accounts without any additional configuration.

Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in AWS. This fully managed service monitors data access activity for anomalies and generates detailed alerts of unauthorised access or inadvertent data leaks – such as sensitive data that a customer has accidentally made externally accessible.

AWS also has Amazon GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorised behaviour. In the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyse event log data for potential threats. With GuardDuty, organisations have an intelligent and cost-effective option for continuous threat detection. The service uses machine learning, anomaly detection and integrated threat intelligence to identify and prioritise potential threats.

GuardDuty analyses tens of billions of events across multiple AWS data sources and can be enabled without any software or hardware to deploy or maintain. By integrating with AWS CloudWatch Events, GuardDuty alerts can be aggregated across multiple accounts and can be combined with existing event management and workflow systems.

“Organisations need to be aware and put things in place to either self-test or look at logs themselves, because you tend to not get alerted until it’s too late,” says Tankard.

Create and manage

AWS Identity and Access Management (IAM) enables organisations to manage access to AWS services and resources securely. IAM allows organisations to create and manage AWS users and groups, and to use permissions to allow or deny their access to AWS resources, as required.

AWS recently launched a new IAM feature called Access Analyzer, which simplifies checking all the permissions granted by policies associated with S3 buckets, to ensure they provide only the intended access.

At its recent re:Invent conference, AWS announced Amazon Detective, a system to analyse, investigate and identify the root causes of potential security issues or suspicious activities. It automatically collects log data from an organisation’s AWS resources and uses machine learning, statistical analysis and graph theory to build a linked set of data that enables the client to conduct more efficient security investigations.

Finally, AWS Security Hub offers organisations a comprehensive view of their high-priority security alerts and compliance status across AWS accounts. There is a range of security tools, from firewalls and endpoint protection to vulnerability and compliance scanners, which can leave IT teams switching back and forth between tools to deal with hundreds, and sometimes thousands, of security alerts every day. Security Hub gives users a single place that aggregates, organises and prioritises security alerts from multiple AWS services and AWS Partner solutions.

“Zero trust security models, where organisations verify everything before granting access, whether it comes from inside or outside the network perimeter, should be considered essential in this context,” says David Higgins, EMEA technical director of CyberArk. “Practicing defence-in-depth and incorporating privileged access management controls at the core of their strategy allows organisations to implement a trust framework that drives down the risk of similar data leakage in the future.”

Despite the growing frequency of data breaches and leaks from cloud services, AWS – and other cloud providers – are secure platforms for protecting data, provided they are properly configured and have the correct permissions in place. This should go hand in hand with an ongoing review process to ensure that the correct protocols have been established and continue to be followed.

“As long as you set it up correctly, then AWS is a perfectly secure and valid way of doing things,” says Potthast.
