Tips To Protect Your Data On AWS
As companies move their infrastructure to the cloud, including Amazon Web Services, to take advantage of new resources and elastic storage, protecting data in the cloud becomes challenging. Yet they must put in place a security policy adapted to it, or risk leaks of personal or confidential data. The Deep Root Analytics database ranked 198 million registered voters by their political leanings in 48 categories. In addition to their names, it contained their dates of birth, home addresses and phone numbers.
Created at the time of the 2012 United States presidential election, this huge file (1.1 TB) was stored by Deep Root Analytics on the public Amazon Web Services cloud. But in June 2017, the UpGuard Cyber Risk team found that the file was not protected at all: anyone could access it by entering the Amazon “dra-dw” subdomain. With the S3 bucket misconfigured in this way, the leak of personal data was inevitable. This example, which is far from unique, confirms that organizations must not assume that their data is secure simply because it is in the cloud.
It is up to them to be more vigilant and to put in place a suitable security policy.

Understanding the Shared Responsibility Model

Under the shared responsibility model, the provider and the customer are both responsible for securing the cloud. The provider, Amazon, is responsible for security “of” the cloud, that is, its infrastructure: hosting facilities, hardware and software. Amazon’s responsibility includes protection against intrusions and the detection of fraud and abuse. The customer, in turn, is responsible for security “in” the cloud, that is, the organization’s own content, the applications using AWS, identity and access management, and its own infrastructure such as firewalls and the network.

How to secure your data on the AWS platform?

Enable CloudTrail in all AWS regions and enable CloudTrail log file validation. CloudTrail records every API call, giving you a history of changes to your resources. With log file validation enabled, any modification of the log files after delivery can be detected.
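To show what log file validation buys you, here is an added example (not code from the article or from AWS) that models the mechanism on constructed data: every delivered log file is hashed with SHA-256 into a digest, and each digest records the hash of the previous one, so an edited or deleted log file, or a forged digest, no longer matches. The field names are modelled on CloudTrail's digest format but this is not a parser for real digest files, and the RSA signature that real digests carry is omitted.

```python
"""Simplified model of CloudTrail log file validation (added example).

CloudTrail delivers digest files that list each delivered log file with
its SHA-256 hash, and each digest carries the hash of the previous digest
so the digests form a chain. This reproduces that idea on constructed
data to show how a modified or deleted log file is detected. It omits the
RSA signature that real digests also carry, and the field names are only
modelled on the real format, not a parser for it.
"""
import hashlib
import json

ACCOUNT = "111122223333"  # constructed account id
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2017/06/01/"

# Constructed log files as they would sit in the CloudTrail S3 bucket.
LOG_FILES = {
    PREFIX + "log-0001.json": json.dumps({"Records": [{"eventName": "CreateBucket"}]}).encode(),
    PREFIX + "log-0002.json": json.dumps({"Records": [{"eventName": "PutBucketAcl"}]}).encode(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, previous_digest_hash):
    """Record the hash of every log file plus the hash of the previous digest."""
    return {
        "hashAlgorithm": "SHA-256",
        "previousDigestHashValue": previous_digest_hash,  # None for the first digest
        "logFiles": [
            {"s3Object": key, "hashValue": sha256_hex(content)}
            for key, content in sorted(log_files.items())
        ],
    }


def digest_hash(digest: dict) -> str:
    """Hash the digest itself with a canonical serialisation so it is reproducible."""
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())


def validate(digest: dict, stored_files: dict, expected_previous_hash):
    """Return a list of problems; an empty list means the logs match the digest."""
    problems = []
    if digest["previousDigestHashValue"] != expected_previous_hash:
        problems.append("chain: previous digest hash does not match")
    for entry in digest["logFiles"]:
        content = stored_files.get(entry["s3Object"])
        if content is None:
            problems.append(f"deleted: {entry['s3Object']}")
        elif sha256_hex(content) != entry["hashValue"]:
            problems.append(f"modified: {entry['s3Object']}")
    return problems


def demo():
    """Validate an intact hour, then the same hour after the stored logs are altered."""
    first = build_digest(LOG_FILES, None)
    intact = validate(first, LOG_FILES, None)

    # Someone with write access rewrites one log file and deletes another.
    tampered = dict(LOG_FILES)
    tampered[PREFIX + "log-0002.json"] = json.dumps({"Records": []}).encode()
    del tampered[PREFIX + "log-0001.json"]
    detected = validate(first, tampered, None)

    # The next hour's digest chains to this one; a digest that claims a
    # different predecessor is caught by the chain check.
    third_file = {PREFIX + "log-0003.json": b"{}"}
    second = build_digest(third_file, digest_hash(first))
    chain_ok = validate(second, third_file, digest_hash(first))
    forged = dict(second, previousDigestHashValue="0" * 64)
    chain_broken = validate(forged, third_file, digest_hash(first))
    return intact, detected, chain_ok, chain_broken


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

The check only has teeth if the digests themselves cannot be rewritten by whoever can rewrite the logs, which is why the later tips about restricting access to the log bucket matter as much as turning validation on.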
These logs can be forwarded to a Security Information and Event Management (SIEM) system to detect abnormal behaviour and raise alerts on cyberattacks.

Enable access logging on the S3 bucket that holds the CloudTrail logs. Access logging records who accessed the bucket and helps identify attempts at unauthorized access.

Enable VPC Flow Logs for the Virtual Private Cloud (VPC). These logs are used to monitor the network traffic passing through the VPC and to warn of abnormal activity.
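As an added example of what a SIEM would do with the CloudTrail feed (this is not code from the article), the rule set below runs over a handful of constructed CloudTrail records and flags the behaviours the article is concerned with: use of the root account, console logins without MFA, an ACL or policy change that opens a bucket to everyone, and attempts to switch CloudTrail off. The records mirror the CloudTrail event layout (`userIdentity`, `requestParameters`, `additionalEventData.MFAUsed`), but the account id, user names, bucket names and times are made up.

```python
"""Detection rules over CloudTrail events (added example, constructed data)."""
import json

PUBLIC_GRANTEES = ("AllUsers", "AuthenticatedUsers")
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACL_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "PutObjectAcl"}

EVENTS = [  # constructed sample records in CloudTrail's layout
    {"eventTime": "2017-06-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-06-01T08:05:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "dra-dw", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{
             "Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}}},
    {"eventTime": "2017-06-01T08:10:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2017-06-01T08:15:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "reports", "key": "q2.csv"}},
]


def rule_root_activity(ev):
    """Any API call made with the root identity is worth an alert."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def rule_console_login_without_mfa(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") == "No")


def rule_public_bucket_grant(ev):
    """ACL grant to a public group, or a bucket policy whose Principal is '*'."""
    if ev.get("eventName") not in ACL_EVENTS:
        return False
    params = json.dumps(ev.get("requestParameters", {}))
    return (any(g in params for g in PUBLIC_GRANTEES)
            or '"Principal": "*"' in params or '"AWS": "*"' in params)


def rule_logging_tampered(ev):
    """Stopping, deleting or reconfiguring a trail blinds the SIEM."""
    return ev.get("eventName") in LOGGING_TAMPER_EVENTS


RULES = {
    "root_activity": rule_root_activity,
    "console_login_without_mfa": rule_console_login_without_mfa,
    "public_bucket_grant": rule_public_bucket_grant,
    "logging_tampered": rule_logging_tampered,
}


def detect(events):
    """Return (rule name, eventName, eventTime) for every rule that fires."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((name, ev["eventName"], ev["eventTime"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The ordinary `GetObject` by an IAM user produces nothing; the root login fires two rules at once, which is the intended behaviour since each is independently worth knowing about.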
Apply a strict access policy. AWS Identity and Access Management (IAM) makes it easy to manage user policies, passwords, access keys, authentication and authorizations. The IAM console also lets you delegate access by role.
This reduces the risk of inadvertently granting excessive permissions and privileges to a user and improves the efficiency of permissions management. Restrict access to the CloudTrail log bucket and require multi-factor authentication for deleting from it.
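An added example (not code from the article) of how to catch the policy mistakes these two tips describe before they are deployed: a small linter over IAM and S3 bucket policy documents that reports statements granting every action on every resource, Allow statements open to any principal, and delete permissions that do not require MFA through the real IAM condition key `aws:MultiFactorAuthPresent`. The two bucket policies and the user policy are constructed; the bucket and role names are made up.

```python
"""Linter for IAM and S3 bucket policy documents (added example, constructed policies)."""
import re

# Constructed log-bucket policy with two of the mistakes the article warns about.
LOOSE_LOG_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/LogAdmin"},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
]}

# Corrected version: named reader role, MFA required to delete, plaintext transport denied.
TIGHT_LOG_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/SecurityAudit"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cloudtrail-logs/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/LogAdmin"},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-cloudtrail-logs/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                  "arn:aws:s3:::example-cloudtrail-logs/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# The "just make it work" user policy that grants full administrative access.
ADMIN_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}


def as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def requires_mfa(statement):
    cond = statement.get("Condition", {})
    return any("aws:MultiFactorAuthPresent" in keys for keys in cond.values())


def lint_policy(doc, label):
    """Return human-readable findings for the Allow statements in a policy document."""
    findings = []
    for i, st in enumerate(as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        resources = as_list(st.get("Resource", []))
        if any(a in ("*", "*:*") for a in actions) and "*" in resources:
            findings.append(f"{label}[{i}]: full administrative access (Action and Resource are *)")
        if "Principal" in st and is_public_principal(st["Principal"]) and "Condition" not in st:
            findings.append(f"{label}[{i}]: grants access to any principal")
        if any(re.fullmatch(r"s3:delete\w*|s3:\*", a) for a in actions) and not requires_mfa(st):
            findings.append(f"{label}[{i}]: delete permitted without MFA")
    return findings


if __name__ == "__main__":
    for name, doc in [("loose", LOOSE_LOG_BUCKET_POLICY),
                      ("tight", TIGHT_LOG_BUCKET_POLICY),
                      ("admin", ADMIN_USER_POLICY)]:
        print(name, lint_policy(doc, name) or "clean")
```

A real CloudTrail log bucket also needs a statement allowing the `cloudtrail.amazonaws.com` service principal to write objects, which this linter would pass since it names a specific principal; that statement is left out above to keep the example focused.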
Unrestricted access, even for administrators, increases the risk of unauthorized access if credentials are stolen in a phishing attack. Encrypt the data as well as the logs. When migrating data to the cloud (from the enterprise to AWS, between AWS services, or between AWS instances), the transfer must go through a secure channel to ensure confidentiality, integrity and non-repudiation.
Do not lose your keys! More seriously, this means that you should not use access keys with the root account. Instead, create role-based accounts and avoid using the root user. Finally, do not forget to delete unused keys and disable inactive accounts.
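The last tip can be checked mechanically. IAM's credential report (`aws iam generate-credential-report`, then `get-credential-report`) is a CSV with one row per user plus a `<root_account>` row. As an added example that is not part of the article, the script below parses such a report and flags exactly the conditions listed: active access keys on the root account, keys that have gone unused, and users who have not signed in for a long time (plus console passwords without MFA). The CSV uses the real column names but constructed values, the clock is fixed so the output is reproducible, and the 90-day thresholds are assumptions.

```python
"""Access key and account hygiene from an IAM credential report (added example)."""
import csv
import io
from datetime import datetime, timezone

UNUSED_KEY_DAYS = 90      # assumed threshold
INACTIVE_USER_DAYS = 90   # assumed threshold

# Real credential-report column names.
COLUMNS = ("user,arn,user_creation_time,password_enabled,password_last_used,"
           "password_last_changed,password_next_rotation,mfa_active,"
           "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
           "access_key_1_last_used_region,access_key_1_last_used_service,"
           "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
           "access_key_2_last_used_region,access_key_2_last_used_service")

# Constructed rows: a root account with an access key, a healthy user, and a stale one.
SAMPLE_REPORT = COLUMNS + "\n" + "\n".join([
    "<root_account>,arn:aws:iam::111122223333:root,2016-01-10T09:00:00+00:00,not_supported,"
    "2017-05-30T10:00:00+00:00,not_supported,not_supported,false,true,2016-01-10T09:00:00+00:00,"
    "2017-05-29T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A",
    "alice,arn:aws:iam::111122223333:user/alice,2016-03-01T09:00:00+00:00,true,"
    "2017-05-31T08:00:00+00:00,2017-03-01T09:00:00+00:00,2017-08-29T09:00:00+00:00,true,true,"
    "2017-03-01T09:00:00+00:00,2017-05-31T08:30:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A",
    "bob,arn:aws:iam::111122223333:user/bob,2016-03-01T09:00:00+00:00,true,"
    "2016-11-01T08:00:00+00:00,2016-03-01T09:00:00+00:00,2016-08-28T09:00:00+00:00,false,true,"
    "2016-03-01T09:00:00+00:00,2016-12-15T08:30:00+00:00,us-east-1,s3,true,"
    "2016-03-01T09:00:00+00:00,N/A,N/A,N/A",
])

NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible output


def parse_time(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported yield None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def days_since(value, now=NOW):
    ts = parse_time(value)
    return None if ts is None else (now - ts).days


def audit(report_csv, now=NOW):
    """Return one finding per hygiene problem found in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append(f"{user}: active access key {n} on the root account")
            age = days_since(row[f"access_key_{n}_last_used_date"], now)
            if age is None:
                findings.append(f"{user}: access key {n} active but never used")
            elif age > UNUSED_KEY_DAYS:
                findings.append(f"{user}: access key {n} unused for {age} days")
        if row["password_enabled"] == "true":
            idle = days_since(row["password_last_used"], now)
            if idle is not None and idle > INACTIVE_USER_DAYS:
                findings.append(f"{user}: no console sign-in for {idle} days")
            if row["mfa_active"] != "true":
                findings.append(f"{user}: console password without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(finding)
```

Run against a real report, the root-account finding is the one to act on first: delete the key, since roles and IAM users cover every legitimate need, and keep the root user for the handful of account-level tasks that require it.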