Are you using Amazon Web Services (AWS) to store data in the cloud? It’s a valid strategy, and a popular one. But AWS uses a “shared responsibility” approach, which means that while it will handle infrastructure security, you are still responsible for your data and all its access points. Here are some issues you need to understand when using AWS.
User Accounts Need to Be Managed
Each user on your system is an opening that an attacker can use to access your data. Use service accounts with privileges limited to specific actions and databases. Even if someone gains access to your service account, they won’t be able to roam through your entire data environment, making changes at will. The damage will be contained. Also, a user trying to log in through that service account is an immediate flag that you are under attack.
To get rid of excess accounts, audit your list. If you aren’t sure whether anyone is using an account, reduce the privileges to the smallest set available. If the account is in use, you’ll get a tech support request from the employee. If not, you’ll know that you can safely delete that user.
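One way to find the candidates for that privilege-reduction step, as an added example that is not part of the original article: the script below reads rows laid out like the IAM credential report (a constructed sample is embedded; the column names are assumed to match the real report, which you would fetch with `aws iam generate-credential-report` and `get-credential-report`) and lists every user whose password and access keys have all gone unused for longer than a chosen number of days.

```python
"""Flag IAM users whose password and access keys have all been idle for N days.

Added example, not from the original article. Rows are shaped like the IAM
credential report; the sample below is constructed and the column names are
an assumption to verify against a real report from your account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-30T08:12:00+00:00,true,false,N/A,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2022-06-01T00:00:00+00:00,false,not_supported,false,true,2024-05-31T02:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-15T10:00:00+00:00,true,2023-09-02T14:00:00+00:00,false,true,2023-08-20T11:00:00+00:00,false,N/A
contractor,arn:aws:iam::111122223333:user/contractor,2022-11-20T10:00:00+00:00,true,no_information,false,false,N/A,false,N/A
"""

# Fixed "today" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return a datetime, or None for the report's non-date markers (N/A, no_information, not_supported)."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_users(report_csv, max_idle_days=90, now=NOW):
    """Return the names of users whose most recent password or key use is older
    than max_idle_days, or who have no recorded use at all."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        last_seen = [
            ts for ts in (
                _parse_ts(row["password_last_used"]),
                _parse_ts(row["access_key_1_last_used_date"]),
                _parse_ts(row["access_key_2_last_used_date"]),
            )
            if ts is not None
        ]
        # "Never used" counts as stale: nobody will notice a privilege cut.
        if not last_seen or max(last_seen) < cutoff:
            stale.append(row["user"])
    return stale


if __name__ == "__main__":
    for user in stale_users(SAMPLE_REPORT):
        print(f"candidate for privilege reduction: {user}")
```

Users the script names are the ones to cut down to the smallest privilege set first; the support ticket (or its absence) then tells you whether the account can be deleted, exactly as the paragraph above describes.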
CloudTrail Security Should Be Tightened
CloudTrail generates log files for all the API calls on your account and stores them in a Simple Storage Service (S3) bucket. The service is invaluable for tracking incidents and auditing compliance. Savvy attackers will disable CloudTrail and delete the log files as soon as they get into your AWS environment, so you need to take a few steps for maximum CloudTrail security. Make sure CloudTrail is fully enabled for all your AWS services and in all regions. Then turn on CloudTrail log file validation, which makes any change to a delivered log file detectable. Next, enable access logging for the CloudTrail S3 bucket so you can track access requests. And finally, require multifactor authentication (MFA delete) to delete objects from the CloudTrail S3 bucket, and encrypt all of its log files.
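The checklist above can be turned into a repeatable audit. As an added example (not code from the original article or from AWS), the function below takes a trail description shaped like the output of `aws cloudtrail describe-trails` plus two bucket facts gathered separately, and returns every checklist item the configuration fails. The field names and sample values are constructed assumptions to verify against your own account.

```python
"""Evaluate a CloudTrail trail against the hardening checklist in the text.

Added example, not from the original article. Field names follow the
describe-trails output as an assumption; the values are constructed.
"""

# Constructed trail that fails most of the checklist.
WEAK_TRAIL = {
    "Name": "management-events",
    "S3BucketName": "example-trail-logs",
    "IsMultiRegionTrail": False,        # only one region covered
    "IncludeGlobalServiceEvents": True, # IAM/STS calls are recorded
    "LogFileValidationEnabled": False,  # digest files are not produced
    "KmsKeyId": None,                   # no customer-managed key
}

# Bucket-level facts the checklist needs (constructed; in practice they come
# from the bucket's logging and versioning configuration).
WEAK_BUCKET = {
    "Name": "example-trail-logs",
    "AccessLoggingEnabled": False,
    "MfaDeleteEnabled": False,
}

# The same trail and bucket with every item fixed.
HARDENED_TRAIL = dict(
    WEAK_TRAIL,
    IsMultiRegionTrail=True,
    LogFileValidationEnabled=True,
    KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder ARN
)
HARDENED_BUCKET = dict(WEAK_BUCKET, AccessLoggingEnabled=True, MfaDeleteEnabled=True)


def trail_findings(trail, bucket):
    """Return the checklist items this trail/bucket pair fails, in checklist order."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not cover all regions")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS) are not recorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is off; edits to delivered logs are not detectable")
    if not bucket.get("AccessLoggingEnabled"):
        findings.append("S3 access logging is off for the CloudTrail bucket")
    if not bucket.get("MfaDeleteEnabled"):
        findings.append("MFA delete is off; log objects can be removed with a single credential")
    if not trail.get("KmsKeyId"):
        findings.append("log files rely on default S3 encryption, not a customer-managed KMS key")
    return findings


def audit(trails_and_buckets):
    """Map each trail name to its findings; trails with an empty list pass."""
    return {t["Name"]: trail_findings(t, b) for t, b in trails_and_buckets}


if __name__ == "__main__":
    for name, items in audit([(WEAK_TRAIL, WEAK_BUCKET), (HARDENED_TRAIL, HARDENED_BUCKET)]).items():
        print(name, "->", items or "OK")
```

Run against real trails, the output is the list of settings an attacker who disables or deletes logging would otherwise exploit unnoticed; an empty list for every trail is the target state.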
Watch Your S3 Bucket Permissions
Speaking of S3 buckets, how tightly do you control yours? The buckets give users a place to upload objects and store data, which is deposited on multiple devices across multiple facilities. The users who can access the buckets and the objects within them are limited by the permissions assigned to them in the AWS console. A bucket can be available to all authenticated AWS users, log delivery only, or everyone. The grantees can be given specific permissions, which include list, upload/delete, view permissions, and edit permissions.
If any of your buckets are set to grant permissions to “everyone,” you should review that setting immediately. Also check your other buckets to make sure you are granting users the minimal permissions necessary to do their jobs.
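A scan for exactly those grants, as an added example that is not part of the original article: the function below walks bucket ACLs shaped like the output of `aws s3api get-bucket-acl` and reports any grant to the three group grantees the text names. The group URIs are the real S3 predefined groups; the sample ACLs and bucket names are constructed.

```python
"""Flag S3 bucket ACL grants to the predefined groups described in the text.

Added example, not from the original article. ACL shape follows the
get-bucket-acl output; sample ACLs are constructed.
"""

# S3 predefined groups (real URIs).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"                    # "everyone"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account, not just yours
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"                  # S3 server access logging

# ACL permission names and the console labels the text uses for them.
PERMISSION_LABEL = {
    "READ": "list",
    "WRITE": "upload/delete",
    "READ_ACP": "view permissions",
    "WRITE_ACP": "edit permissions",
    "FULL_CONTROL": "full control",
}

# Constructed sample ACLs.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
PUBLIC_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
LOG_TARGET_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "READ_ACP"},
]}
SHARED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
]}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}


def acl_findings(bucket_name, acl):
    """Return (bucket, grantee group, console label, severity) for each risky group grant."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # individual canonical users are reviewed separately
        uri = grantee.get("URI")
        label = PERMISSION_LABEL.get(grant.get("Permission"), grant.get("Permission"))
        if uri == ALL_USERS:
            findings.append((bucket_name, "everyone", label, "critical"))
        elif uri == AUTHENTICATED_USERS:
            findings.append((bucket_name, "all authenticated AWS users", label, "high"))
        elif uri == LOG_DELIVERY and grant.get("Permission") not in ("WRITE", "READ_ACP"):
            # Log delivery only needs WRITE and READ_ACP; anything wider is excess.
            findings.append((bucket_name, "log delivery", label, "low"))
    return findings


def scan(buckets):
    """Scan {bucket_name: acl} and return findings, most severe first."""
    order = {"critical": 0, "high": 1, "low": 2}
    results = [f for name, acl in buckets.items() for f in acl_findings(name, acl)]
    return sorted(results, key=lambda f: order[f[3]])


if __name__ == "__main__":
    for bucket, who, what, severity in scan({
        "public-site": PUBLIC_ACL, "access-logs": LOG_TARGET_ACL,
        "team-share": SHARED_ACL, "payroll": PRIVATE_ACL,
    }):
        print(f"[{severity}] {bucket}: {who} can {what}")
```

Anything reported as critical is the “everyone” case the paragraph above says to fix immediately; the high findings are the more subtle one, since “authenticated users” means any AWS account in the world, not just accounts in your organization.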
If you’re a new AWS admin, it’s a good idea to work out your security strategy first and then start setting up your users, buckets, and data. If you are in charge of an existing account, you’ll have to retrofit your security measures.