Cloud · 2 min read
Beyond the Basics: Securing Cloud Storage
S3 buckets open to the world are the #1 cause of data leaks. We cover the advanced security patterns to lock down your data.
It makes headlines every month: “Company X leaks 10 million records due to misconfigured S3 bucket.” Don’t be Company X.
The Default is Private, but Mistakes Happen
AWS has made it harder to mess up, but complexity breeds errors. Here is the checklist for a secure bucket:
1. Block Public Access (BPA)
This is a master switch at the Account Level. Turn it on. It overrides any individual bucket policy that might accidentally grant public access. Unless you are serving a public website, there is zero reason for an S3 bucket to be public.
2. Encryption (KMS)
Standard encryption (SSE-S3) is fine, but KMS (Key Management Service) is better.
- It protects you even when valid credentials are stolen. If a hacker steals your Admin Keys but doesn’t have permission to use the KMS Key, they can download the file, but it will be garbage.
3. Least Privilege Policies
Don’t give your application s3:*. Give it s3:GetObject on the specific folder (prefix) it needs, e.g. my-bucket/app-data/*.
4. Logging and GuardDuty
Enable Server Access Logging and turn on Amazon GuardDuty. GuardDuty uses AI to watch for weird behaviour, like “Why is an IP address from North Korea trying to list the contents of your Finance bucket?”
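To make items 1 to 3 of the checklist auditable, here is an added example (not from the original post) that checks a bucket's Block Public Access flags, default encryption and bucket policy offline. The input dicts are constructed to mirror the shapes boto3 returns from get_public_access_block, get_bucket_encryption and get_bucket_policy; the account ID, role name and KMS key ARN are placeholders.

```python
import json

# The four switches that make up Block Public Access (item 1).
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket(bpa, encryption, policy_json):
    """Return a list of findings; an empty list means the bucket passes all three checks."""
    findings = []
    for flag in BPA_FLAGS:                      # item 1: every BPA switch must be on
        if not bpa.get(flag, False):
            findings.append(f"BPA: {flag} is off")
    # item 2: default encryption should be SSE-KMS, not plain SSE-S3 (AES256).
    # With SSE-KMS a caller lacking kms:Decrypt gets AccessDenied on GetObject.
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in encryption.get("Rules", [])]
    if "aws:kms" not in algos:
        findings.append("Encryption: default is not SSE-KMS")
    # item 3: no Allow statement may use a public principal or grant s3:* / *.
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"Policy: statement {sid} allows a public principal")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.lower() == "s3:*":
                findings.append(f"Policy: statement {sid} grants {action}")
    return findings


# Constructed sample inputs: a leaky bucket beside its hardened counterpart.
WEAK_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
WEAK_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "AppAccess", "Effect": "Allow",
    "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"}]})

HARDENED_BPA = dict.fromkeys(BPA_FLAGS, True)
HARDENED_ENC = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER"}, "BucketKeyEnabled": True}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "AppAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},   # placeholder account and role
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/app-data/*"}]})

if __name__ == "__main__":
    print(audit_bucket(WEAK_BPA, WEAK_ENC, WEAK_POLICY))          # five findings
    print(audit_bucket(HARDENED_BPA, HARDENED_ENC, HARDENED_POLICY))  # []
```

Against a live account, feed the same function the corresponding fields of the three boto3 responses for each bucket.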
Worried about leaks? We perform comprehensive Cloud Security Posture assessments. Secure your data today.
