Amazon Web Services (AWS) provides a variety of robust and scalable object and file storage solutions. Among all storage options, Amazon Simple Storage Service (Amazon S3) is a widely-used object-storage service with industry-leading scalability, data availability, security, and performance. In this article, we’ll start by exploring the most popular cloud storage options on AWS to understand why businesses around the globe have been using them for years.
AWS storage services form a large part of many application workflows as a result of cloud-native application adoption. In this article, we’ll dive into some of the pitfalls and considerations you may encounter with Amazon S3, since it’s the most used, and most misused, cloud storage option on AWS. We’ll also examine how to hold up your end of the AWS shared responsibility model so that your Amazon S3 data stays secure.
Storage on AWS
AWS storage services are mainly divided into three sections:
- Object-based storage services
- Block storage services
- File system storage services
As we previously mentioned, Amazon S3 is an object-based storage service. Amazon Elastic Block Store (EBS) is a persistent block storage service you can attach to Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon Elastic File System (Amazon EFS), Amazon FSx for Lustre, and Amazon FSx for Windows File Server are file system-based storage services. AWS also provides a storage option for data archiving, Amazon S3 Glacier, and a hybrid storage service, AWS Storage Gateway, which gives your on-premises applications access to AWS cloud storage.
Amazon S3 vs. EBS vs. Amazon EFS vs. Amazon FSx
Service | Pros | Considerations
Amazon S3 | |
EBS | |
Amazon EFS | |
Amazon FSx | |
These AWS storage services are widely used and accepted, but they are used more safely by applying a few security and permissions best practices. For example, you can set permissions with AWS Identity and Access Management (IAM) and provision resources with predefined sets of permissions using AWS CloudFormation templates.
However, these services do not on their own check for security breaches or scan stored objects for malware. Connecting your cloud accounts, like AWS, to Trend Micro Cloud One™ – Conformity enables you to check for these issues on EBS, Amazon EFS, and Amazon S3.
Risks of Amazon S3
There is no denying that Amazon S3 is exceptionally versatile and performs well compared with other object-based storage options. However, it’s easy to take a wrong turn and end up with colossal storage bills or a security breach.
Amazon S3 is not merely a personal or professional object-based storage solution. Many other AWS services use Amazon S3 to store backups or data snapshots. If you run an Amazon EC2 instance with daily backups turned on, the incremental EBS snapshots are stored in Amazon S3 on your behalf (managed by AWS rather than in a bucket you can see), and the storage charges grow with every retained snapshot.
Amazon S3 buckets everywhere
As the previous section shows, S3 storage can accumulate in your account without anyone deliberately creating it. A nontrivial number of services and applications can quickly spin up buckets without you knowing. For example, AWS Elastic Beanstalk creates a bucket in your account to hold application versions, and when you create an Amazon Machine Image (AMI) from an Amazon EC2 instance, its backing snapshots are stored in Amazon S3 on your behalf. It’s easy to overlook what’s being done in your name, but this neglect hurts your organization by increasing costs.
Furthermore, buckets created by other services carry that service’s default permissions, not necessarily the ones your organization requires. If your organization does not have a dedicated AWS engineer to allocate the necessary permissions, the temptation is to grant extra permissions, which exposes the bucket to external threats. On the other hand, granting too few permissions causes accessibility issues in applications.
Taming the Amazon S3 configuration rodeo
How can you avoid Amazon S3 configuration issues? There are some golden rules every administrator should follow. Most importantly, always apply the principle of least privilege so that your Amazon S3 bucket permissions grant only what each user and application actually needs.
If an Amazon EC2 instance or other compute service needs access to an Amazon S3 bucket, assign it an IAM role (an instance profile, for EC2) that grants only the required actions on that bucket, rather than embedding long-lived access keys. Another step is to ensure that only authorized users and applications can write to your Amazon S3 bucket. Unauthorized writers can plant content that your systems later consume, or simply use your bucket as free storage at your expense.
Furthermore, ensure that only authorized users and apps can read your buckets. Failure to set proper read permissions can result in the accidental sharing of confidential information. For example, the 2017 exposure of roughly 198 million U.S. voter records was traced to a publicly readable Amazon S3 bucket.
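The golden rules above are easy to state and easy to get wrong in a policy document. The following is an added example, not code from the original article or from AWS: a small, offline audit of an S3 bucket policy that flags anonymous read or write grants, wildcard actions to named principals, and the absence of a TLS-only Deny. The two sample policies, the bucket name `example-reports`, the account ID and the role name are constructed for illustration.

```python
import json

# Object-data actions that matter most for exposure. "s3:*" and "*" cover everything.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:deleteobjectversion"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone on the internet, signed request or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _wildcard(actions):
    acts = {a.lower() for a in actions}
    return "s3:*" in acts or "*" in acts


def _grants(actions, wanted):
    """True if the statement's Action list covers any of the wanted actions."""
    acts = {a.lower() for a in actions}
    return bool(acts & wanted) or _wildcard(actions)


def audit_bucket_policy(policy):
    """Return a list of findings (strings) for a parsed S3 bucket policy document.

    An empty list means none of the checks below objected; it is not proof of safety.
    """
    findings = []
    has_tls_deny = False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        condition = stmt.get("Condition") or {}
        if stmt.get("Effect") == "Deny":
            # A Deny on aws:SecureTransport=false is the standard "TLS only" guard.
            bool_cond = condition.get("Bool", {})
            if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
                has_tls_deny = True
            continue
        public = _is_public_principal(stmt.get("Principal"))
        if public and _grants(actions, WRITE_ACTIONS):
            findings.append(f"statement {i}: anonymous write (anyone can upload or delete objects)")
        if public and _grants(actions, READ_ACTIONS):
            # A Condition (for example aws:SourceVpce) narrows the grant; still report it,
            # because conditions are easy to get wrong and deserve a manual review.
            suffix = " (narrowed by a Condition, review it)" if condition else ""
            findings.append(f"statement {i}: anonymous read{suffix}")
        if not public and _wildcard(actions):
            findings.append(f"statement {i}: wildcard action for {json.dumps(stmt.get('Principal'))}")
    if not has_tls_deny:
        findings.append("no Deny statement for aws:SecureTransport=false (plaintext HTTP allowed)")
    return findings


# Constructed sample: a publicly readable bucket, the shape behind most S3 data exposures.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",  # hypothetical bucket name
    }],
}

# Constructed sample: least privilege. Only one application role (the role you would attach
# to the EC2 instance profile) may read and write, only under its own prefix, and plaintext
# HTTP is refused outright.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleObjectAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},  # hypothetical
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-reports/uploads/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, doc in (("public-read", PUBLIC_READ_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", audit_bucket_policy(doc) or "no findings")
```

The audit only reads the bucket policy; it does not see legacy object ACLs or the account-level Block Public Access setting, both of which can widen or narrow what the policy alone implies, so treat it as one input to a review rather than a verdict.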
AWS CloudFormation to the rescue
CloudFormation can help avoid Amazon S3 configuration issues by enabling you to configure and provision AWS resources from templates written in JSON or YAML. This is helpful because you can describe, in one reviewable template, the Amazon S3 buckets you want to create together with the roles, policies, and bucket settings they should have.
Where possible, use CloudFormation templates for all Amazon S3 bucket provisioning so you can guarantee that every bucket is created with correct access management settings, and review those templates the way you review code. CloudFormation can also import existing buckets into a stack so that their permissions are managed from the template, which prevents rogue, insecure Amazon S3 buckets from hiding in your vast AWS infrastructure.
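A template only guarantees correct settings if someone checks the template. The following is an added example, not code from the original article or from AWS: a Python pre-deployment check over CloudFormation templates (held here as JSON documents, which CloudFormation accepts alongside YAML) that rejects any AWS::S3::Bucket lacking the settings a least-privilege bucket should carry. The two templates, their logical IDs and the bucket policy are constructed for illustration; the property names are the real AWS::S3::Bucket properties.

```python
# Every key must be true for S3 to block both public ACLs and public bucket policies.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def lint_bucket(props):
    """Return findings for one AWS::S3::Bucket resource's Properties block."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if pab.get(k) is not True]
    if missing:
        findings.append("PublicAccessBlockConfiguration not fully enabled: " + ", ".join(missing))
    # Legacy canned ACLs such as PublicRead grant access outside the bucket policy entirely.
    acl = props.get("AccessControl", "Private")
    if acl != "Private":
        findings.append(f"AccessControl is {acl}; only Private (or omitted) is acceptable")
    rules = (props.get("OwnershipControls") or {}).get("Rules") or []
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules):
        findings.append("ObjectOwnership is not BucketOwnerEnforced (object ACLs still apply)")
    enc = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
    if not enc:
        findings.append("no BucketEncryption configured")
    if (props.get("VersioningConfiguration") or {}).get("Status") != "Enabled":
        findings.append("versioning not enabled (no recovery from overwrite or delete)")
    return findings


def lint_template(template):
    """Map each AWS::S3::Bucket logical ID in a CloudFormation template to its findings."""
    report = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") == "AWS::S3::Bucket":
            report[logical_id] = lint_bucket(resource.get("Properties") or {})
    return report


# Constructed sample: the settings a bucket provisioned by template should always carry,
# plus a bucket policy that refuses plaintext HTTP.
HARDENED_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ReportsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
                },
                "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}},
                ]},
                "VersioningConfiguration": {"Status": "Enabled"},
            },
        },
        "ReportsBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "ReportsBucket"},
                "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                    "Resource": [{"Fn::GetAtt": ["ReportsBucket", "Arn"]},
                                 {"Fn::Sub": "${ReportsBucket.Arn}/*"}],
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                }]},
            },
        },
    },
}

# Constructed sample: the kind of bucket that tends to be created in a hurry.
ROGUE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "StaticSite": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    },
}

if __name__ == "__main__":
    for name, tpl in (("hardened", HARDENED_TEMPLATE), ("rogue", ROGUE_TEMPLATE)):
        for bucket, findings in lint_template(tpl).items():
            print(f"{name}/{bucket}: {findings or 'ok'}")
```

Run this in the pipeline step that validates templates before `aws cloudformation deploy`, and fail the build on any non-empty finding list; the same checks translate directly into a custom cfn-lint rule if your team already uses it.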
Next steps
We’ve explored the various cloud storage options on AWS, diving deeper into some Amazon S3 configuration concerns and how to address them manually. Amazon S3 buckets are private by default, but administrative errors can cause a data breach. Wouldn’t it be nice not to worry about these concerns?
Take your cloud storage security to the next level now with Trend Micro Cloud One™. One of the many benefits of our security services for cloud builders is that it provides assurance that your Amazon S3 storage buckets are configured to industry best practice and are free from malware. With 750+ cloud infrastructure configuration checks for AWS and Azure and automated protection to mitigate risks, your teams can build in the cloud with confidence.
Want to learn more? Explore how to leverage Amazon S3 Malware Scanning using Trend Micro Cloud One and AWS Security Hub.