S3 Security Front and Center at AWS re:Invent

CyberThreat_Image.jpgMan, talk about the proverbial firehose. AWS re:Invent 2017 proved to be a wide open torrent of announcements from AWS and the partner ecosystem alike, making recap blogs such as this a bit of a mission impossible. For starters, AWS’s security announcements included:

  • Amazon Guard Duty, an anomaly-based and intel-driven managed continuous monitoring threat detection service.
  • The availability of WAF rules from AWS partners in the AWS Marketplace.
  • AWS IoT Device Defender, a set of IoT security controls to profile connected devices and ensure integrity.
  • Auditing of Lambda function calls via CloudTrail integrations.

Beyond those important announcements, the spate of S3-related data loss incidents made S3 security highly topical at this year's event. Here are a few thoughts to frame up how we should be thinking about protecting cloud-resident sensitive data in general, and S3 in particular.

  • The 101s - Encryption, Config Management, and Auditing: Data security is at the heart of the shared responsibility security model within which customers are responsible for securing their data assets. Taking responsibility starts with encrypting by default, auditing the use of S3, and employing configuration management best practices. The issue of open S3 buckets is one part config management and one part lack of clarity on S3 access control settings. Customers need to be crisp on understanding who has access with what level of privs and that goes for apps and other services, not just users, as their access may be invisible to some monitoring and detection solutions.
  • Cloud DLP: Beyond the 101s, a strong dose of data loss prevention (DLP) measures are required to discover and classify sensitive data, apply usage policies, and detect anomalous access, including, again, that by applications, not just users. With respect to the tooling required to do so, there is good news: CASB vendors indexed on DLP, Amazon Macie, and third-party cloud-native monitoring services offer the componentry of an S3 security reference architecture.
  • Malware Detection: While we tend to think about S3 security as a one-way street with respect outbound leakage, organizations should also be mindful of adversaries inserting malware into S3 buckets as part of store and forward campaigns, hence the need to also crawl S3 buckets for file and file-less malware.

Other active cloud security topics at re:Invent that warrant their own air time and blog space include:

  • Container security is maturing just as organizations ready more and more microservice-ized apps for deployment.
  • Cloud SecOps is becoming a discipline via the continuous monitoring of cloud-resident infrastructure, which extends the SOC's purview into the cloud.
  • It's still early, but serverless security is now on the radar screen and will require applying access controls, auditing, and an understanding of inter-entity relationships for when Lambda functions access various services (hello, again S3).
  • DevSecOps is getting more play as a means to treat security as a first class citizen.

And to that point about prioritizing security, in Thursday morning’s keynote, AWS’s CTO Werner Vogels, the man of black T-shirt fame this year sporting a Foo Fighters T, made some dead-on cybersecurity remarks including the declaration that “the pace of innovation must meet the pace of protection.” Hear! Hear!

Topics: AWS re:Invent