What is S3, and how does it work?
AWS S3 is an object storage service in the Amazon cloud. S3 allows users and applications to store and retrieve virtually any type of data that can be stored in digital form.
S3 data is stored in buckets. These are software containers into which data can be dumped and retrieved on demand. The amount of data you can store in S3 is essentially unlimited, and S3 costs just pennies per gigabyte. For both of these reasons, S3 has become the most popular cloud storage solution.
Top S3 security risks
While S3 is a powerful way to store data affordably and at scale, it can also be risky. The main S3 risks include:
Configuration mistakes or oversights that allow malicious users to access sensitive data from inside S3 buckets
Lack of visibility into which data is being stored inside S3 buckets and whether the protections in place for that data are sufficient
Configuration problems that allow malicious actors to upload malware into S3 buckets, potentially creating a beachhead that they can use to launch further attacks
Best practices for S3 security
Considering that 82 percent of companies mistakenly expose their data to third-party access, S3 security must be a priority. To mitigate the security risks that may imperil data stored in S3 buckets, businesses should adhere to the following best practices.
Continuously audit S3 configurations
Each S3 bucket is configured with permissions that determine who can view or modify data inside it. Mistakes when configuring these permissions are the main way that S3 data can be compromised. To protect against this risk, businesses should deploy tools that continuously monitor their S3 permissions and generate alerts when the configurations violate security policies.
Enforce and validate S3 encryption
S3 does not encrypt data by default, so you must configure each S3 bucket to encrypt data automatically. You should require encryption unless there is a specific reason for your data to remain unencrypted, such as deliberately sharing it with the public. In either case, you should regularly monitor your S3 configurations to confirm that encryption is turned on.
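One way to implement the continuous permission audit and the encryption check described above, as an added example rather than code from the original article: the checks run over a constructed sample of one bucket's configuration, and the dictionary key names are assumptions that mirror the shapes the boto3 S3 client returns, so a real checker would fill the dictionary per bucket from those API calls and alert on any findings.

```python
import json

# Constructed sample (not real AWS output): the four settings a bucket audit needs,
# in the shapes boto3's get_public_access_block, get_bucket_policy, get_bucket_acl
# and get_bucket_encryption return them. A real checker fills this from those calls.
SAMPLE_BUCKET = {
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports-bucket/*"}]}),
    "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                    "Permission": "FULL_CONTROL"}],
    "encryption_rules": [],   # empty: no default encryption rule on the bucket
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")


def principal_is_public(principal):
    """True when a policy Principal means everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_bucket(bucket):
    """Return a list of policy-violation strings; an empty list means the bucket passes."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    disabled = [k for k in PAB_KEYS if not pab.get(k)]
    if disabled:
        findings.append("public access block not fully enabled: " + ", ".join(disabled))
    # Any Allow statement whose Principal is everyone is a public grant.
    for stmt in json.loads(bucket.get("policy") or "{}").get("Statement", []):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            findings.append(f"bucket policy grants {stmt.get('Action')} to everyone")
    # ACL grants to the AllUsers / AuthenticatedUsers groups are public too.
    for grant in bucket.get("acl_grants", []):
        uri = grant["Grantee"].get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if not bucket.get("encryption_rules"):
        findings.append("no default server-side encryption configured")
    return findings
```

Run on a schedule across every bucket in the account, a non-empty findings list is the alert condition the article asks for.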
Understand shared responsibility
Under its shared responsibility model, Amazon protects data inside S3 buckets from threats like physical security risks or malware running on S3 host servers. However, Amazon doesn’t protect S3 users from making their own configuration mistakes that could place their S3 data at risk. You must understand how shared responsibility works for S3, and avoid assuming that Amazon secures S3 buckets for you.
Detect sensitive data
You need to know if sensitive information is uploaded to an insecure S3 bucket. The best way to detect this type of risk is to scan data inside S3 buckets automatically, then classify whether it is likely to be sensitive. Tools like AWS Macie can help to discover sensitive data inside S3 buckets, or you could opt to write your own scripts to crawl S3 buckets and determine which types of files are stored in them.
Develop S3 governance
Rather than allowing anyone in your business to create and use S3 buckets without centralized governance rules, you should develop a plan that defines S3 usage. Your plan should define who can create buckets and when to create a new one instead of adding data to an existing bucket. It should also define which types of data your business may store in the cloud and which should never be uploaded to S3. Having an S3 governance plan, and the security automation tools to make sure it is being followed, will help mitigate the risk of S3 misuse.
Leverage S3, without the risk
S3 is a valuable service for any business that needs to store data in the cloud. With the right tools and processes in place, it’s possible to leverage S3 to store data affordably and scalably without allowing S3 buckets to undermine your organization’s data security needs.