Is there a way I can triple check my S3 bucket is secure?
I know I've not enabled public access that I know of - but given the recent focus on this; what are the exact steps that I need to follow so I can sleep at night and show a level of diligence on the issue?
Enable Amazon Macie. It automatically classifies your data in S3 buckets, detects situations where data is more open than it should be, and warns you if access patterns for data change in a way that may indicate that you have been hacked or someone is misusing their level of access to the data.
Neat! Didn't know about that service, hopefully businesses accept that hefty price tag though. It's obvious they don't want to invest too heavily in sec-orgs as it stands it seems.
Pretty soon with the GDPR kicking in it will be more expensive to not protect the data than it is to protect it.
All companies processing the personal data of people residing in the EU, regardless of the company’s location, who have a breach of data where the organization has been shown to violate basic privacy design concepts can be fined 4% of annual global turnover or €20 million, whichever is greater.
"Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts."
So that 20mil or 4% (whichever is greater) is for companies that have seriously violated the GDPR. It remains to be seen how it is enforced, but my understanding is that this is purposely designed to be very punitive to force companies to have a dollar amount in mind when it comes to designing security and doing the right thing.
How about monitoring via polling? I'm imagining something like this...
- Set up application with your AWS/S3 credentials
- Poll S3 to get list of all your buckets on a regular interval (once a day, every 5 minutes, whatever)
- Get a list of some files in those buckets
- Try to access those files directly w/ no authentication or authorization
- Set up some rules about how to interpret the results (look for any public files, look for specific private buckets, look for any buckets that are public & haven't been whitelisted, whatever)
There's probably a ton of ways to do this. For simple use cases, it shouldn't be too tough. That'd be a fun hack for a day project, and I'd be happy to pair with you on it if interested. It's probably worth spending a little time looking around for an off-the-shelf solution first.
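The polling monitor sketched in the comment above, written out as an added example (this is not code from the thread or from any of the products mentioned). It assumes the caller has already pulled each bucket's ACL and policy in the dict shapes that boto3's get_bucket_acl / get_bucket_policy return, so the rule logic runs offline; the anonymous object probe takes a pluggable `fetch` callable, and the bucket inventory and `stub_fetch` below are constructed sample data, not real buckets.

```python
"""Polling-style S3 exposure check (added example, not code from the thread).

Assumes `acl` / `policy` are the boto3 get_bucket_acl / get_bucket_policy
shapes (policy JSON-decoded); the anonymous probe takes a pluggable `fetch`.
"""
import urllib.error
import urllib.request

# Well-known S3 group URIs: a grant to either makes the ACL world- or any-AWS-user-readable.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_public_permissions(acl: dict) -> list:
    """Permissions the ACL grants to AllUsers or AuthenticatedUsers (empty if none)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            found.append(grant["Permission"])
    return found


def policy_allows_anyone(policy: dict) -> bool:
    """True if an Allow statement names a wildcard principal with no Condition block."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if wildcard and not stmt.get("Condition"):
            return True
    return False


def default_fetch(url: str) -> int:
    """Anonymous HEAD request, returns the HTTP status (needs network access)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_object(bucket: str, key: str, fetch=default_fetch) -> bool:
    """Step 4 of the sketch: True if the object answers 200 with no credentials."""
    return fetch(f"https://{bucket}.s3.amazonaws.com/{key}") == 200


def evaluate_bucket(name, acl, policy, sample_keys, allowlist, fetch=default_fetch) -> list:
    """Step 5: report public ACL grants, wildcard policies and anonymously readable
    sampled objects, unless the bucket is allowlisted as public by design."""
    findings = []
    perms = acl_public_permissions(acl)
    if perms:
        findings.append(f"{name}: ACL grants {','.join(perms)} to a global group")
    if policy is not None and policy_allows_anyone(policy):
        findings.append(f"{name}: bucket policy allows a wildcard principal without conditions")
    for key in sample_keys:
        if probe_object(name, key, fetch):
            findings.append(f"{name}/{key}: readable without credentials")
    if findings and name in allowlist:
        return [f"{name}: allowlisted as public, {len(findings)} finding(s) suppressed"]
    return findings


def run_poll(inventory: list, allowlist: set, fetch=default_fetch) -> dict:
    """One polling cycle; returns {bucket: [findings]} only for buckets with findings."""
    report = {}
    for b in inventory:
        findings = evaluate_bucket(b["name"], b["acl"], b.get("policy"), b["keys"], allowlist, fetch)
        if findings:
            report[b["name"]] = findings
    return report


# Constructed sample inventory (not real buckets): private, accidentally public, allowlisted.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
WORLD_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE_INVENTORY = [
    {"name": "billing-exports", "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
     "policy": None, "keys": ["2017/invoices.csv"]},
    {"name": "customer-backups",
     "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}, WORLD_READ]},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::customer-backups/*"}]},
     "keys": ["db/dump.sql.gz"]},
    {"name": "public-assets", "acl": {"Grants": [WORLD_READ]}, "policy": None, "keys": ["logo.png"]},
]


def stub_fetch(url: str) -> int:
    """Offline stand-in for default_fetch: only the two public sample buckets answer 200."""
    return 200 if url.startswith(("https://customer-backups.", "https://public-assets.")) else 403


if __name__ == "__main__":
    for lines in run_poll(SAMPLE_INVENTORY, {"public-assets"}, fetch=stub_fetch).values():
        print("\n".join(lines))
```

In a live run the inventory would be built from list_buckets / list_objects_v2 plus the two bucket-level calls, and `default_fetch` would replace the stub. Note that the ACL and policy checks cover the whole bucket, while the anonymous probe only covers the keys you sampled, so a bucket can pass the probe and still be misconfigured; the allowlist is what turns "public" into a finding only when it wasn't expected.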
A private bucket isn’t going to turn itself public by accident. This error wasn’t the bucket suddenly becoming public, it was a developer making it public because that was the easiest way to get the job done.
Your testing system would not help here at all, and if you spent the effort to make the system, you are already the type of person who isn’t going to turn the bucket public to make your life easier.
> Is there a way I can triple check my S3 bucket is secure?
Amazon Trusted Advisor will automatically send you a weekly email if any of your buckets are misconfigured to allow public access. The catch is that this feature is only available if you pay for a premium support contract, which is hundreds or thousands of dollars per month.
If you have Trusted Advisor enabled but aren't paying for premium support, then you will still get the weekly email saying that there is a security vulnerability somewhere in your system, but when you click to see what it is you will just get prompted to hand over your credit card to sign up for an annual support contract.
There are several companies that handle this for you, though some are more effective than others. Evident.io is a big player in the field, though the general complaint is that they're too noisy.
However, this is actually what CloudCoreo does - infrastructure security. More precisely, infrastructure security at deployment and continuous security monitoring (Evident only does the latter).