Amazon yesterday announced the implementation of five new security features to its S3 web servers. Considering at least 185,000 sites run on Amazon Web Services (AWS) S3, this is a much-needed update.
The primary problem addressed by the new features is lazy administrators. Over 53 percent of cloud service administrators have unintentionally exposed their company’s data to the internet.
It’s scary to think the odds of your data on sites like Healthcare.gov being potentially unprotected are better than your chances of accurately guessing the results of a coin-flip.
In a company blog post, AWS evangelist Jeff Barr laid out the five new features:
- Default Encryption – You can now mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted.
- Permission Checks – The S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible.
- Cross-Region Replication ACL Overwrite – When you replicate objects across AWS accounts, you can now specify that the object gets a new ACL that gives full access to the destination account.
- Cross-Region Replication with KMS – You can now replicate objects that are encrypted with keys that are managed by AWS Key Management Service (KMS).
- Detailed Inventory Report – The S3 Inventory report now includes the encryption status of each object. The report itself can also be encrypted.
The highlights here are default encryption and detailed inventory report. While all five are welcome additions (and free, it’s worth mentioning), the biggest problem with AWS has nothing to do with Amazon: it’s human error.
When UpGuard’s internet super sleuth Chris Vickery discovered a huge breach at global management and consulting company Accenture, he didn’t have to rely on any hacking skills or elite technology. All he had to do was type a web address into his browser.
It’s not Amazon’s fault, it’s really an issue of misconfiguration … I’m not checking to see if the doors are locked or not; I’m just walking down the public sidewalk seeing it’s wide open.
Accenture serves over 90% of Fortune 100 companies as well as https://t.co/0QN9QwemKO.
Can you imagine if a threat actor had found this?
— Chris Vickery (@VickerySec) October 10, 2017
With the new tools, administrators won’t have to specifically set up a “non-encrypted” bucket for files that don’t fit the encryption profile. Instead, they can set up servers to automatically apply encryption to files that are dropped into them. This should help prevent important data from lying around unencrypted because an administrator didn’t immediately notice the exceptions.
Admins will also receive encrypted inventory reports that detail the status of all objects – presumably with the option to highlight unencrypted objects in any buckets.
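As an added example (not code from AWS or from this article), the sketch below reads an S3 Inventory CSV using the column order given in its manifest and lists every object whose encryption status is not one of the SSE modes. The bucket name, keys and rows are constructed sample data, and the function name is hypothetical.

```python
import csv
import io
import json
from urllib.parse import unquote

# Constructed sample: excerpt of an S3 Inventory manifest.json. Inventory CSV
# files have no header row; the column order comes from "fileSchema".
MANIFEST = json.dumps({
    "sourceBucket": "example-source-bucket",
    "fileFormat": "CSV",
    "fileSchema": "Bucket, Key, Size, LastModifiedDate, EncryptionStatus",
})

# Constructed sample rows in the layout described by MANIFEST.
INVENTORY_CSV = '''\
"example-source-bucket","reports/2017-q3.pdf","48213","2017-10-02T11:04:51.000Z","SSE-S3"
"example-source-bucket","exports/customers.csv","901244","2017-10-05T08:17:09.000Z","NOT-SSE"
"example-source-bucket","logs/dt%3D2017-10-05/app.log","1704","2017-09-28T19:40:00.000Z","NOT-SSE"
"example-source-bucket","db/dump.sql.gz","73400320","2017-10-06T02:00:13.000Z","SSE-KMS"
'''

ENCRYPTED = {"SSE-S3", "SSE-C", "SSE-KMS"}


def unencrypted_objects(manifest_json, inventory_csv):
    """Return (key, size, status) for each object not reported as encrypted."""
    manifest = json.loads(manifest_json)
    if manifest.get("fileFormat") != "CSV":
        raise ValueError("this example only handles CSV inventory files")
    columns = [c.strip() for c in manifest["fileSchema"].split(",")]
    if "EncryptionStatus" not in columns:
        raise ValueError("inventory was configured without EncryptionStatus")
    findings = []
    for row in csv.reader(io.StringIO(inventory_csv)):
        if not row:
            continue
        record = dict(zip(columns, row))
        status = record["EncryptionStatus"]
        # Flag anything that is not a known SSE mode, so an empty or
        # unexpected value is surfaced instead of silently passing.
        if status not in ENCRYPTED:
            key = unquote(record["Key"])  # keys are URL-encoded in CSV inventories
            findings.append((key, int(record["Size"]), status))
    return findings


if __name__ == "__main__":
    for key, size, status in unencrypted_objects(MANIFEST, INVENTORY_CSV):
        print(f"{status:8} {size:>10}  {key}")
```

The encryption column only appears if the inventory configuration includes it as an optional field, which is why the function refuses to run without it rather than reporting a clean bucket.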
It almost always seems as though the huge data breaches – like the Equifax breach – are caused by lackadaisical security practices. The S3 encryption and security updates are a welcome ally in the fight against our own mistakes.