AWS' latest attempt to help customers avoid accidental exposure of sensitive Amazon S3 data to the wild seeks to strike a balance between security and flexibility.
As customers' AWS footprints have grown more complex, their administrative tasks have also increased. Ultimately, that's led to a series of S3 security failures. Millions of personal data records have been inadvertently exposed in recent years, although it's unclear how many of these have led to successful cybercrimes.
New S3 buckets are private to the greater world by default, but AWS provides Access Control Lists and policies for customers to give the public or other AWS accounts access after they create S3 buckets. AWS previously introduced functionality that gives S3 customers an easy way to see which buckets are marked as publicly accessible.
S3 Block Public Access goes a step further, Jeff Barr, chief evangelist for AWS, said in a blog post. As the name suggests, users can apply S3 Block Public Access at the account level to prohibit public access to both existing and new S3 buckets.
Block Public Access is available now in the S3 console, command line, APIs and CloudFormation templates at no additional charge in all AWS commercial regions.
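The article names the account-level control but not its individual settings. As an added example (not from the article, AWS or the people quoted), the script below audits the JSON that the AWS CLI's `get-public-access-block` commands return and builds the matching `put-public-access-block` command. The four setting names are the documented AWS ones; the sample responses and the account ID are constructed for this example so it runs offline.

```python
"""Audit S3 Block Public Access settings (added example, not from the article).

Assumes the JSON shape returned by `aws s3api get-public-access-block --bucket NAME`
(bucket level) or `aws s3control get-public-access-block --account-id ID`
(account level): the four boolean settings are wrapped in a
"PublicAccessBlockConfiguration" object. Sample documents are constructed.
"""
import json

# The four documented AWS settings; all four must be true for full protection.
BLOCK_SETTINGS = (
    "BlockPublicAcls",        # reject new public ACLs on buckets and objects
    "IgnorePublicAcls",       # ignore public ACLs that already exist
    "BlockPublicPolicy",      # reject bucket policies that grant public access
    "RestrictPublicBuckets",  # restrict buckets with public policies to AWS principals
)

# Configuration to apply for a full block (same values the CLI flag expects).
FULL_BLOCK = {name: True for name in BLOCK_SETTINGS}


def missing_blocks(response_json):
    """Return the settings that are absent or false in a get-public-access-block response.

    No configuration at all (the CLI reports NoSuchPublicAccessBlockConfiguration)
    means nothing is blocked, so an empty document reports every setting missing.
    """
    doc = json.loads(response_json) if isinstance(response_json, str) else response_json
    cfg = doc.get("PublicAccessBlockConfiguration", {})
    return [name for name in BLOCK_SETTINGS if not cfg.get(name, False)]


def is_fully_blocked(response_json):
    """True only when all four settings are enabled."""
    return not missing_blocks(response_json)


def cli_enable_command(account_id):
    """Build the account-level AWS CLI command that enables all four settings."""
    settings = ",".join(f"{k}={'true' if v else 'false'}" for k, v in FULL_BLOCK.items())
    return (f"aws s3control put-public-access-block --account-id {account_id} "
            f"--public-access-block-configuration {settings}")


# Constructed sample responses in the shape of the real CLI output.
SAMPLE_PARTIAL = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}})
SAMPLE_FULL = json.dumps({"PublicAccessBlockConfiguration": FULL_BLOCK})
SAMPLE_NONE = "{}"  # no configuration present at all

if __name__ == "__main__":
    for label, doc in (("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL), ("none", SAMPLE_NONE)):
        gaps = missing_blocks(doc)
        print(f"{label}: {'fully blocked' if not gaps else 'missing: ' + ', '.join(gaps)}")
    print(cli_enable_command("123456789012"))  # constructed account ID
```

Feeding the script real output from the two `get-public-access-block` commands gives a quick compliance check across accounts and buckets; the partial sample shows the common half-configured case, where ACLs are blocked but a public bucket policy would still be accepted.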
AWS has been relatively hands-off with how customers set up their systems, said Craig Loop, director of technology for AWS user Realty Data, which provides information services to real estate professionals. The Naperville, Ill., company has moved all its systems into the cloud and relies heavily on AWS.
"It's nice to have these kinds of checks and balances," Loop said. "I respect the hands-off approach, but I like that they're giving us tools like this. I can't think of much more they could do without getting intrusive."
AWS' move is another welcome step to make S3 security errors less likely, said Deepak Mohan, an IDC analyst. Misconfigured S3 buckets tie into the "soft" security gap with cloud, wherein administration and oversight functions deal with an ever-expanding boundary surface that needs to be protected. The increasingly granular nature of S3 creation and settings also expands the number of individuals that could introduce a mistake and further complicates boundary protection.
"I tend to think of this as another tool in the customers' toolkit, as they get comfortable with meeting security requirements in the cloud," Mohan said.
Others say this S3 feature reaffirms that IaaS and cloud security are a two-way street, and providers and users must both play active roles.
"Customers have started to recognize that the public cloud providers have made significant investments into both securing their own infrastructure and operations, but also providing security options to customers," said Stephen Elliot, an IDC analyst. "There is a constant need for public cloud security advancements -- the bad guys never stop."
Not everyone is optimistic that tightened AWS measures around S3 buckets will solve their cloud security problems. Simplifying configuration to be private is not the same as removing the potential of misconfigurations that lead to S3 security lapses and exposures, said Chris Vickery, director of cyber risk research at UpGuard, who has discovered and reported on many exposed S3 buckets.
"They will secure some buckets, but the overall problem will persist at a massive scale," Vickery told TechTarget's SearchSecurity. "As long as it is possible to misconfigure a system, people will do so."