Wiz
AcademyS3 bucket security risks and best practices

S3 bucket security risks and best practices

AWS S3 makes it easy to upload virtually unlimited volumes of data to the cloud, and store it at little cost. Although there is nothing inherently insecure about S3, access control misconfigurations and a lack of understanding about how S3 security works can turn S3 buckets into a vector for attack and data exfiltration. If you use S3 to store data, it’s critical to know the risks that come with it and how to mitigate them.

Wiz Experts Team

What is S3, and how does it work?

AWS S3 is an object storage service in the Amazon cloud. S3 allows users and applications to store and retrieve virtually any type of data that can be stored in digital form.

S3 data is stored in buckets. These are software containers into which data can be dumped and retrieved on demand. The amount of data you can store in S3 is essentially unlimited, and S3 costs just pennies per gigabyte. For both of these reasons, S3 has become the most popular cloud storage solution.

Top S3 security risks

While S3 is a powerful way to store data affordably and at scale, it can also be risky. The main S3 risks include:

  • Configuration mistakes or oversights that allow malicious users to access sensitive data from inside S3 buckets

  • Lack of visibility into which data is being stored inside S3 buckets and whether the protections in place for that data are sufficient

  • Configuration problems that allow malicious actors to upload malware into S3 buckets, potentially creating a beachhead that they can use to launch further attacks

Best practices for S3 security

Considering that 82 percent of companies mistakenly expose their data to third-party access, S3 security must be a priority. To mitigate the security risks that may imperil data stored in S3 buckets, businesses should adhere to the following best practices.

Continuously audit S3 configurations

Each S3 bucket is configured with permissions that determine who can view or modify data inside it. Mistakes when configuring these permissions are the main way that S3 data can be compromised. To protect against this risk, businesses should deploy tools that continuously monitor their S3 permissions and generate alerts when the configurations violate security policies.

Enforce and validate S3 encryption

S3 does not encrypt data by default, leaving you to configure S3 buckets to encrypt data automatically. You should require encryption unless there is a specific reason why your data should remain unencrypted, such as deliberately sharing data with the public. Regardless, you should regularly monitor your S3 configurations to ensure that encryption is turned on.

Understand shared responsibility

Under its shared responsibility model, Amazon protects data inside S3 buckets from threats like physical security risks or malware running on S3 host servers. However, Amazon doesn’t protect S3 users from making their own configuration mistakes that could place their S3 data at risk. You must understand how shared responsibility works for S3, and avoid assuming that Amazon secures S3 buckets for you.

Detect sensitive data

You need to know if sensitive information is uploaded to an insecure S3 bucket. The best way to detect this type of risk is to scan data inside S3 buckets automatically, then classify whether it is likely to be sensitive. Tools like AWS Macie can help to discover sensitive data inside S3 buckets, or you could opt to write your own scripts to crawl S3 buckets and determine which types of files are stored in them.

Develop S3 governance

Rather than allowing anyone in your business to create and use S3 buckets without centralized governance rules, you should develop plans that define S3 usage. Your plan should define who can create buckets and when to create a new one instead of adding data to an existing bucket. You should also manage the different types of data your business stores in the cloud, and which should never be uploaded to S3. Having an S3 governance plan and the security automation tools to make sure it is being followed will help mitigate the risk of S3 misuse.

Leverage S3, without the risk

S3 is a valuable service for any business that needs to store data in the cloud. With the right tools and processes in place, it’s possible to leverage S3 to store data affordably and scalably without allowing S3 buckets to undermine your organization’s data security needs.

Continue Reading

Google Cloud security best practices

While you may understand cloud security best practices that you should adhere to across multi-cloud environments, your security posture on Google Cloud Platform (GCP) relies on also addressing security challenges specific to the platform. You need to understand the Google shared responsibility model, distinctions between securing GCP and other clouds, and take advantage of the many tools available to secure your workloads hosted on the platform.

Cloud security basics and best practices

Shifting from on-prem to the cloud can open up significant possibilities for your organization. The cloud is economical, easily scalable, and can be accessible to users across your company. Along with the growth and flexibility it provides, moving to the cloud can also expose your organization to cyber security threats. It is essential that as your organization grows on the cloud, you also strive to protect your cloud-based environments, applications, and data.

What is a Cloud Access Security Broker (CASB)?

CASBs play a critical role in providing visibility into how businesses use the cloud. They enforce security and governance rules to mitigate the risk that cloud services or SaaS apps could become weak links in an organization’s security posture. Without a CASB, you may not know which applications, services, and data your business has exposed in cloud environments. How would you know if those resources are secure if you don’t know they exist?

What is SOC 2 compliance?

Whether you offer Software-as-a-Service (SaaS) apps to customers, use SaaS apps yourself, or both, you need to be familiar with SOC 2 compliance. SOC 2 compliance rules provide a foundation for ensuring that sensitive data is managed in a secure way within the context of SaaS and other cloud-based services.

What is Cloud Security Posture Management (CSPM)?

In modern cloud environments, security monitoring and periodic audits won’t suffice for detecting threats before they turn into breaches. Instead, to achieve an environment that is as secure as possible, you need Cloud Security Posture Management, or CSPM. CSPM lays the foundation for minimizing the number of risks that exist within your clouds. CSPM tools help to automate cloud security, keeping cloud environments secure even as they grow larger and more complex.