How to Build A Secure S3 Bucket?

Building Secure S3 Buckets

A few days ago, I searched for data breaches and leaks due to insecure S3 buckets on Google. Needless to say, I was blown away by the number of high-profile names on that list. Companies like FedEx, Verizon, Accenture, and even government organizations like the Pentagon. So in this article, we will discuss how to build secure S3 buckets in AWS.

Why Should You Secure S3 Buckets?

Before we move on to building secure S3 buckets, we need to understand the repercussions of having insecure S3 buckets in detail. 

  • Data breaches and leaks: Yes, as mentioned earlier, insecure S3 buckets are the primary cause of many data leaks and breaches. 
  • Violation of Compliance Standards: With the rise in cybercrimes, various governments and regulatory authorities took action and drafted specific laws or compliance standards for data protection. While some of them make recommendations, most others take action if organizations fail to adhere to them. So apart from a data breach, an insecure S3 bucket can have your organizations face lawsuits and hefty fines. For instance, let’s consider the GDPR and PCI DSS. Article 32 of the GDPR – “Security of process” specifies that personal data should be encrypted at rest and in transit. This directly pinpoints the fact that S3 buckets should be encrypted. Similarly, in PCI DSS, credit card data should be encrypted at rest and in transit.
  • Damaging Reputation: A security breach never helps a company’s reputation. Many customers may leave your services which will lead to your company taking a huge financial hit.

How To Build Secure S3 Buckets?

Now, let us see how we can build secure S3 buckets.

Default Encryption Enabled

The first step towards building a secure S3 Bucket is to ensure that default encryption is enabled. This will enable Amazon to encrypt your S3 data at the bucket level instead of the object level to protect it from attackers and unauthorized access. In other words, the S3 objects are encrypted during the upload process. The encryption can happen using Server-Side Encryption with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). Here’s a quick way to get this done:

  • Sign in to your AWS console and go to the S3 dashboard.
  • Click on the name of the S3 bucket and then the Properties tab from the top menu of the S3 dashboard. Here you can check the Default Encryption feature status.
  • If your default encryption status is “Disabled,” click on Default Encryption. Here you will get a choice to either encrypt the bucket with either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). Select the desired option, and you’re good to go!

Having default encryption enabled is one step towards achieving HIPAA, GDPR, NIST, and PCI DSS compliances. 

Encryption During Transport

Now let us secure our S3 buckets during transit. For this, we need our S3 bucket to have a secure transport policy. When S3 buckets are not configured to strictly require Secure Sockets Layer (SSL) connections, the communication between the clients and these buckets is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. This can cause a breach of data in your S3 buckets as it travels to and from Amazon S3. This is why you should enforce SSL-only access by denying all regular, unencrypted HTTP requests to your buckets when dealing with sensitive or private data. To enforce end-to-end encryption during bucket transit, make sure that in the Bucket Policy Editor, the policy is either

  • “Condition”: { “Bool”: { “aws:SecureTransport”: “true” } }, if Effect element value is set to “Allow”, or
  • “Condition”: { “Bool”: { “aws:SecureTransport”: “false” } }, if the Effect element value is “Deny”. 

Enhancing Security Using Logging

An essential part of security is knowing who has access to a resource and what they do with it. Access Logging in S3 helps you keep a record of these activities and empowers your security team to identify any attempts of malicious activity within your buckets by authorized or unauthorized personnel. Logging is a recommended security best practice required by various compliance standards like GDPR, APRA, CIS, NIST, HIPAA, and PCI DSS. Identifying unauthorized access to their S3 buckets through logging can help an investigation during a data breach. You will have the option to enable logging while you create an S3 bucket. 

There are two types of loggings in S3:

  • Server Access Logging – These logs are free to create; however, you will have to pay for the S3 storage space. They contain information about the requester, the target bucket, the response, and other details about the request. They also include information about requests that return error responses. To enable server access logging, 
    • Sign in to your AWS Management Console and go to the S3 dashboard
    • Click on the bucket name and select Properties.
    • In the Server access logging section, choose Edit.
    • Under Server access logging, select Enable. For the Target bucket, enter the bucket’s name that you want to receive the log record objects. Click Save Changes.
  • Object Level Logging – Object-level logging integrates with AWS CloudTrail and will therefore cost you. You can view and analyze the logs in CloudTrail, and they are available for continuous writing to S3. These logs include detailed information at an object level, including the origin of the requests and the type of actions performed. You can read more about logging with CloudTrail here.

Block Public Access at Account Level for S3 Buckets

Having the Amazon S3 Block Public Access feature enabled will help you block public access to your S3 buckets and serve as an account-level guard against accidental public exposure. Unless you are using the S3 service for web hosting or public data repositories within your AWS account, you should have this feature enabled. It offers a centralized way to restrict public access to your S3 buckets. It overrides any existing bucket policies and objects permissions to block S3 public access. This is also a recommended best practice under CIS.

To enabled this feature,

  • Sign in to your AWS Management Console and go to the S3 dashboard
  • In the left navigation panel, choose Public access settings for this account to access the S3 Public Access Block feature configuration page.
  • On the configuration page, under Public access settings for this account, click Edit to enter the feature’s edit mode.
  • To enable Amazon S3 Public Access Block, select all four configuration settings and click the Save button from the top-right menu.
  • Finally, within Edit public access settings for this account dialog box, type confirm in the required box, then click Confirm to apply the changes.

Object Lock

Malicious actors don’t just leak data during a data breach. They may also cause damage by deleting or modifying your sensitive data and assets. The good thing is, Amazon S3 helps you with overcoming this hurdle too! S3 Object Locking prevents deletion of an object or from being overwritten. In other words, it makes the S3 object immutable by offering the following two ways to manage object retention: by specifying a retention period or by placing a legal hold until you release it. Here is how you can enable Object Lock in Amazon S3.

How Can Cloudanix Help?

Cloudanix helps you audit your AWS account and check if your S3 buckets have the above misconfigurations. We have several audit rules in our Amazon S3 recipe that ensure your S3 buckets are secure and do not have any misconfigurations. You can sign up for a free trial here today!