
Default AWS S3 encryption walls off vulnerable customer data

S3 encryption is now the default setting for the AWS storage service in response to a string of high-profile cases where users exposed data to the internet.

AWS has updated its security policies and defaults for Amazon S3 encryption to address a recurring problem for customers that are ill-prepared for the complexity of the service.

Amazon Simple Storage Service (S3) is one of the most popular services on AWS, but its ever-expanding set of ancillary security options on both the client and server sides has led customers to misconfigure settings and expose their data to the public. The latest change by AWS, encrypting objects in S3 buckets by default, could help mitigate some of those issues.

Several household-name companies, including Accenture, Verizon and WWE, were publicly shamed this year over leaky S3 buckets -- exposed not because of malicious attacks, but through the efforts of security firms scanning for vulnerabilities. There's no evidence data was stolen or copied in those cases, but bad actors likely would follow the same path to access corporate information stored on AWS.

One of the most attractive elements of S3 is its flexibility, with multiple configurations and connections to numerous AWS tools and services. But that variety introduces choices, and sometimes users unknowingly make the wrong ones.

A simple check box item for S3 encryption would be a simple fix even for enterprises with hundreds of accounts and thousands of buckets, said Zohar Alon, CEO of Dome9, a cloud security company in Mountain View, Calif. But with so many ways to configure S3, users might not realize they've exposed their data.

"The 22-year-old developer will not take the time to read the manual of what do the five options mean, so we need to pre-position it," Alon said. "We need to direct them to the right answer. We need to take check boxes away rather than add more."


Encryption is one of several policy choices for users, and those who want to encrypt everything must reject non-encrypted objects. The new S3 encryption default will instead automatically encrypt all objects, even new ones.
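The two approaches the paragraph contrasts, as an added example that is not from the article or from AWS: a bucket policy that rejects unencrypted uploads (the older "reject non-encrypted objects" route) beside the default-encryption configuration. The policy and configuration documents use the real JSON shapes that `aws s3api put-bucket-policy` and `aws s3api put-bucket-encryption` accept; the bucket name is constructed, and `simulate_put` is a simplified model of how S3 treats a PutObject request under each setting, written here for illustration rather than taken from AWS.

```python
"""Two ways to ensure every object in an S3 bucket is encrypted at rest.

Added example. The policy and encryption configuration below use the JSON
shapes the S3 API accepts; simulate_put() is a simplified model of S3's
behaviour, not AWS code.
"""
import json

BUCKET = "example-bucket"  # constructed bucket name

# (1) Older approach: deny s3:PutObject unless the request carries the
# x-amz-server-side-encryption header set to AES256 (SSE-S3).
DENY_UNENCRYPTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
            },
        },
        {
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# (2) Newer approach: default bucket encryption with SSE-S3. Objects uploaded
# without an encryption header are encrypted with AES256 automatically.
DEFAULT_ENCRYPTION_CONFIG = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}


def render_for_cli(document):
    """Serialize a policy or configuration so it can be saved to a file and
    passed to the AWS CLI with file://<name>."""
    return json.dumps(document, indent=2)


def simulate_put(sse_header, deny_policy=False, default_encryption=False):
    """Simplified model of one PutObject request against the bucket.

    sse_header: value of x-amz-server-side-encryption on the request, or
    None when the client sent no header.
    Returns "rejected", or the encryption the stored object ends up with:
    "AES256", "aws:kms" or "plaintext".
    """
    # The deny policy above refuses any upload that is not explicitly AES256.
    if deny_policy and sse_header != "AES256":
        return "rejected"
    # A header the client did send is honoured as-is.
    if sse_header is not None:
        return sse_header
    # Default encryption only fills in the missing header; without it the
    # object is stored unencrypted.
    return "AES256" if default_encryption else "plaintext"


if __name__ == "__main__":
    print(render_for_cli(DENY_UNENCRYPTED_POLICY))
    print(render_for_cli(DEFAULT_ENCRYPTION_CONFIG))
    for label, kwargs in [
        ("no controls", {}),
        ("deny policy", {"deny_policy": True}),
        ("default encryption", {"default_encryption": True}),
    ]:
        print(label, "-> upload without header:", simulate_put(None, **kwargs))
```

The practical difference the model makes visible: the deny policy turns a forgotten header into a failed upload that the developer has to notice and fix, while default encryption silently stores the object encrypted. Either document can be applied with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json` or `aws s3api put-bucket-encryption --bucket <name> --server-side-encryption-configuration file://encryption.json`.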

AWS was built to provide a set of tools for customers to choose how to develop their applications. In the case of encryption, Amazon has made a choice for them -- and it's the right one, because of the changing nature of workloads hosted on its platform, said Fernando Montenegro, an analyst at 451 Research.

"As these [workloads] became more critical they recognize their customers are having additional demands," he said. "As they add more workloads related to specific compliance regimes they have to follow that and have the right level of encryption."

S3 encryption is an important step because 90% of users defer to the default option, Alon said. This won't solve every problem, however, especially as cloud workloads begin to sprawl across multiple platforms.

"There are many ways you can shoot yourself in the leg when storing data on [Microsoft] Azure just like on AWS, so it's asking a lot to expect the security team to figure that out across an ever-growing footprint of cloud assets and subscriptions."

Go beyond S3 encryption

For the continued edification of AWS customers, buckets that are publicly accessible will carry a prominent indicator in the S3 console, new permission checks identify why a bucket is public, and additional information in inventory reports identifies the status of each object.
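A check of the kind the paragraph describes, identifying why a bucket is public, as an added example that is not the console feature itself or AWS code. It inspects the two things that can make a bucket public, the ACL returned by `get-bucket-acl` and the policy returned by `get-bucket-policy`, using the real group-grantee URIs S3 uses; the two sample buckets at the bottom are constructed for the demonstration.

```python
"""Explain why an S3 bucket is publicly accessible from its ACL and policy.

Added example. The grantee URIs and document shapes are the ones S3 returns;
the sample buckets are constructed.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_reasons(acl):
    """Return one reason per ACL grant that opens the bucket to the world
    or to any AWS account."""
    reasons = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            reasons.append(f"ACL grants {grant['Permission']} to everyone (AllUsers)")
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            reasons.append(
                f"ACL grants {grant['Permission']} to any AWS account (AuthenticatedUsers)"
            )
    return reasons


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_reasons(policy):
    """Return one reason per Allow statement that names any principal.
    Statements with a Condition are flagged for review rather than declared
    public, because the condition may narrow who actually matches."""
    reasons = []
    if not policy:
        return reasons
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "Condition" in stmt:
            reasons.append(f"policy statement {sid} allows any principal under a Condition (review it)")
        else:
            reasons.append(f"policy statement {sid} allows {', '.join(actions)} to any principal")
    return reasons


def why_public(acl, policy=None):
    """Combine ACL and policy findings; an empty list means nothing public was found."""
    return public_acl_reasons(acl) + public_policy_reasons(policy)


# Constructed sample: a bucket left readable by everyone through both mechanisms.
LEAKY_ACL = {
    "Owner": {"ID": "ownerid-constructed"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid-constructed"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}

# Constructed sample: a private bucket, owner-only ACL and no policy.
PRIVATE_ACL = {
    "Owner": {"ID": "ownerid-constructed"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid-constructed"}, "Permission": "FULL_CONTROL"}
    ],
}

if __name__ == "__main__":
    for name, acl, policy in [("leaky", LEAKY_ACL, LEAKY_POLICY), ("private", PRIVATE_ACL, None)]:
        findings = why_public(acl, policy)
        print(name, "->", findings or "not public")
```

Run against real buckets, the ACL and policy documents would come from `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` (the latter returns the policy as a JSON string that must be parsed first); the point of listing each reason separately is that an ACL grant and a policy statement are fixed in different places, so knowing which one opened the bucket is what makes the finding actionable.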

S3 is a powerful service, but users often overlook the responsibilities that come along with that, Montenegro said. He's particularly high on the permission checks and inventory reports because they can help address the knowledge gap.

"As more people begin to use this they have a clearer picture of what you're doing might have unintended consequences," he said.

This isn't Amazon's first response to this problem. In the past six months it added new Config rules and emailed customers to caution them to take note of their publicly accessible assets. Amazon Macie, a service introduced over the summer, incorporates machine learning to track the S3 usage and identify anomalies. Other recent AWS updates include more control over access management when replicating to a separate destination account, and the ability to replicate encrypted data that uses AWS Key Management Service across regions.

Trevor Jones is a senior news writer with SearchCloudComputing and SearchAWS. Contact him at [email protected].
