Why, and How to, Secure your S3 Storage

Fri, 24 Jan 2020 04:38:23 GMT

If you've ever looked into cloud storage (like for backups -- you do make backups, right?) you will recognize Amazon's Simple Storage Service, otherwise known as S3. It was the first of the Amazon Web Services to be released, in 2006. It's cheap ($0.023 per GB per month for up to 50TB, after which you get a bit of a discount), extremely reliable, and secure.

According to this article on "How to secure an Amazon S3 Bucket",

Here’s what you need to know to lock down an Amazon S3 bucket:
Step one: do nothing. [emphasis theirs]
Yes, do nothing because — like all other AWS services — the default configuration provides a strong security posture right out of the gate.

So when you create an S3 "bucket" (which is what they call the container you store your files in -- bits in a bucket?), only you can do anything with it. After that, if necessary, you can give other people access. Or open it up for everyone to see, for example if you want to host a website on it. (There are better places to host a website.)

If you're storing sensitive information like customer names and addresses, you can have Amazon encrypt it for you. For really sensitive things, like social security numbers and credit card information, you can encrypt it on your end. Amazon gives you some useful tools that make it easy. But this post isn't a tutorial on S3 security -- Amazon has one right here. This is, I don't know, kind of a <rant>.

Because, in spite of the fact that you have to do extra work to make a bucket public, I keep running into articles like Leaky Buckets: 10 Worst Amazon S3 Breaches and, more recently, Adult Site Leaks Extremely Sensitive Data of Cam Models.

Yes, S3 buckets can be used to exchange data with other companies or people -- if you're careful. Encrypted. Multiple times. With strictly limited access. And public buckets can be used for hosting media files and even whole (static) websites (although download bandwidth, while cheap, is not usually free -- a DDOS attack or suddenly going viral can saddle you with an appallingly high bill). But for goodness' sake don't confuse the two!

</rant>

Ask yourself these questions:

Will I be absolutely delighted if a thousands of random people on FB saw this file I'm storing? If the answer is "yes", make it public. Otherwise, consider making it private.
Will I have a problem if certain people (my business competitors, my mother, my ex, ...) saw this file? If so, you should make it private, and use at least server-side encryption.
Will I get in trouble (lawsuits, identity theft, public shaming in blog posts like this one, ...)? Encrypt it. Use client-side encryption if you want to be sure. Encrypt the filenames, too. And keep it encrypted when it's stored on your computers, as well. (In many cases there are government regulations that cover exactly how you should handle this data. Some things shouldn't be stored at all, like credit card PINs. But always encrypt.)

Resources

Here is the Amazon documentation for securing data on S3. There's more, but these are the basics.

... and here are a few other links, collected here for your convenience.

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

comments

The Mandelbear's Musings

Why, and How to, Secure your S3 Storage

Resources