AWS Beefs Up Security Features After S3 Misconfigurations

Amazon Web Services (AWS) has added a number of controls to help system administrators see when one of their S3 buckets is exposed to the public.

These controls include a visible indicator in the S3 management console that flags any bucket that is publicly accessible, and a per-bucket option to encrypt newly stored data by default.

It comes after a number of data leaks caused by misconfigured S3 buckets, such as the exposure earlier this month of records on tens of thousands of Australian government and bank staff, and the leak of the CVs of thousands of former US military personnel in September.

AWS Security

The increasing availability (and exposure) of online data has resulted in many firms tightening up their cloud security protocols.

Earlier this week Microsoft, for example, announced ‘Project Cerberus’, a hardware root-of-trust specification for protecting platform firmware, which it is contributing to the Open Compute Project (OCP) community as an open industry standard.

But Amazon is hoping that its new security features will help admins ensure the integrity of their cloud data going forward.

“Starting from that initial model, with private buckets and ACLs to grant access, we have added support for bucket policies, server access logging, versioning, API logging, cross-region replication, and multiple client-side and server-side encryption options, all with the goal of giving you the tools you need to keep your data safe while allowing you to share it with customers and partners as needed,” blogged Jeff Barr, chief evangelist for AWS.

He then went on to explain the five new encryption and security features that have been added to S3.

First off is default encryption: the admin can now mandate that every object written to a bucket is stored in encrypted form (with SSE-S3 or SSE-KMS) without having to construct a bucket policy that rejects uploads lacking a server-side-encryption header. The setting applies to objects written after it is enabled; objects already sitting unencrypted in the bucket are not re-encrypted.

Second is the addition of Permission Checks, which means that the S3 Console now displays a prominent indicator next to each bucket that is publicly accessible, whether the access is granted through the bucket’s ACL or through its bucket policy.
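As an added example, not code from AWS or from the original article, the Python below approximates the two checks just described, offline: it inspects the dictionary shapes that boto3’s get_bucket_acl, get_bucket_policy and get_bucket_encryption return (all sample data here is constructed) and reports whether a bucket is reachable by anyone and whether unencrypted uploads are blocked, either by the new default-encryption setting or by the older deny-policy pattern. The policy rules are simplified by assumption (an Allow with Principal "*" and no Condition counts as public); the console’s own check is more thorough.

```python
import json

# ACL grantee groups that make a bucket reachable by anyone on the internet
# (AllUsers) or by any AWS account holder (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
SSE_HEADER_KEY = "s3:x-amz-server-side-encryption"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_is_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            return True
    return False


def _principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} is an anonymous / any-account principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_is_public(policy):
    """True if an Allow statement has an anonymous principal and no Condition.
    Assumption of this example: any Condition makes the statement non-public."""
    return any(
        st.get("Effect") == "Allow"
        and _principal_is_anyone(st.get("Principal"))
        and not st.get("Condition")
        for st in _as_list(policy.get("Statement", []))
    )


def policy_denies_unencrypted_put(policy):
    """True if a Deny on s3:PutObject is keyed on the SSE request header,
    i.e. the pre-default-encryption way of rejecting unencrypted uploads."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {})
        if SSE_HEADER_KEY in cond.get("Null", {}) or SSE_HEADER_KEY in cond.get("StringNotEquals", {}):
            return True
    return False


def has_default_encryption(encryption_config):
    """True if a default-encryption rule applies SSE-S3 (AES256) or SSE-KMS."""
    rules = (encryption_config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for rule in rules
    )


def assess(acl, policy, encryption_config):
    """Combine the checks. `policy` may be a dict, the JSON string that
    get_bucket_policy() returns under "Policy", or None (no policy)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    policy = policy or {}
    return {
        "public": acl_is_public(acl) or policy_is_public(policy),
        "encryption_enforced": has_default_encryption(encryption_config)
        or policy_denies_unencrypted_put(policy),
    }


# Constructed samples (hypothetical owner ID and bucket name).
_OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
                "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [_OWNER_GRANT]}
PUBLIC_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [_OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
# The two Deny statements usually paired to force encrypted uploads.
DENY_UNENCRYPTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {SSE_HEADER_KEY: "AES256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {SSE_HEADER_KEY: "true"}}}]}
DEFAULT_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    # Policy passed as a JSON string, as boto3 would hand it back.
    print(assess(PUBLIC_ACL, json.dumps(PUBLIC_READ_POLICY), None))
    print(assess(PRIVATE_ACL, json.dumps(DENY_UNENCRYPTED_POLICY), None))
    print(assess(PRIVATE_ACL, None, DEFAULT_ENCRYPTION))
```

In a real audit you would feed `assess` the responses of `get_bucket_acl`, `get_bucket_policy` (catching `NoSuchBucketPolicy`) and `get_bucket_encryption` (catching `ServerSideEncryptionConfigurationNotFoundError`) for every bucket in `list_buckets`; the logic above is the part that does not need credentials.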

Third is cross-region replication ACL overwrite, for objects replicated across AWS accounts. Replicas are normally owned by the source account; the admin can now specify that each replicated object gets a new ACL granting full control to the destination account, so the destination account can read and manage the copies it holds.

Fourth is cross-region replication with KMS, so the admin can replicate objects that are encrypted with keys managed by AWS Key Management Service (KMS). Since KMS keys are regional, the replica is encrypted with a key in the destination region, which the replication role must be allowed to use.


Available Now

And the fifth addition is a detailed inventory report that now includes the server-side encryption status of each object, which is the straightforward way to find objects stored before default encryption was switched on. The report itself can also be encrypted.

All of these features are available now for no additional charges. That said, there will be the usual rates for calls to KMS, S3 storage, S3 requests, and inter-region data transfer.

In August Amazon unveiled Amazon Macie, a machine learning-based tool aimed at discovering and protecting sensitive data held in S3, after a number of high-profile data leaks involving AWS customers.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
