Luisenstr. 11, D-86415 Mering
es@elephantshop.net
+49 151 5875 0634
twitter: @ekkards
Dr. Ekkard Schnedermann
Founder Elephantshop
AWS Solution Architect, CSK, CGEIT, CISA, CISSP
Overview of Security Issues with
Amazon S3

CSA CEE Summit, 9 March 2017
The risk for cloud users may be quite high
Cloud users

High expectations for cloud usage models
+ Quick time to market + Low initial cost
- Limited in-house know-how of the provider's API
Security of providers
Focus topic of previous years
Done their homework
Market of IaaS providers consolidates
Risks

Auditors do not keep pace with the higher speed of change in the cloud
Executives do not take security risks seriously
Risks may appear late and severely
Why risk matters: 10 years of stock prices
Fundamental Properties of S3

Global Service and the Owner’s Responsibility
AWS S3 Outage
Surprising Effects

Global Namespace
Data Location
S3 Access Control

Access Control with ACLs, with Policies
Policies in Many Places, Policy Simulator and the Finer Details
Recommendations

Configuration Checks, Access Checks
Encryption, Key Management
Hacking, Security Bulletins, Patching and Emergencies
Practical lessons to be learned from using AWS S3
Amazon S3 ≅ … Object Storage: S3 stands here for the category of object storage, not for a comparison of providers
Walk through AWS S3 as model for public cloud use
Amazon Web Services (AWS)

Market leader
Security certifications
Security documentation
Simple Storage Service (S3) 

Object storage, launched in 2006
Widely used, now 10^12 objects
Focus on the Security Management Process (Plan-Do-Check-Act):
Plan (measures)
Do (execution)
Check (outcomes)
Act (improvements)
Challenge: Enjoy the advantages of cloud storage and stay cautious
Amazon's responsibility:
Infrastructure, hardware, networking, operating system, application, server-side encryption.
Advantage: high security level; security operations at this level would be very expensive for your own team.
Your responsibility:
Customer data, client-side encryption
Caution: every mistake counts.
There are no further layers of defense: security relies entirely on access control.
AWS S3 Outage - Facts, Consequences
AWS Dashboard for S3
28 Feb 2017, S3 in us-east-1
(18:37 CET: a mistyped command, according to the AWS post-event summary)
20:37 CET: high error rates confirmed
21:54 CET: read, list and delete recovered
22:13 CET: write recovered
23:08 CET: fully recovered
Consequences
45 AWS services in us-east-1 affected
The AWS Service Health Dashboard itself depended on S3 and did not show the correct status color
Hundreds of websites and apps affected from 18:45:
Docker's Registry Hub, Trello, Travis CI, GitHub, GitLab, Quora, Medium, Slack, Adobe's cloud, Zendesk, Heroku, Coursera, Bitbucket, Twilio, Mailchimp, Citrix, Expedia, IoT devices
AWS S3 Outage - Alternatives, Recommendations
Compare the damage to the SLA
AWS SLA: 99.9% uptime per month, i.e. at most about 40 min of downtime in a 28-day month
Service credit: 10% if uptime is below 99.9% but at least 99.0% (up to 6 h 43 min downtime), 25% if worse
Cost of using a 2nd AWS region
Switch on versioning and cross-region replication of the bucket to the 2nd region (replication requires versioning)
2 x the S3 cost (+ network transfer)
Code the failover logic (for reads and/or writes)
Operational plan for failover and fallback
DR with another cloud provider (Google, Azure)
Same as above, plus your own replication logic and DevOps know-how for the 2nd provider
On-site or private cloud
Network reliability and bandwidth are the limiting factors
Fundamental Properties of S3 and their Surprising Effects
Global Service and the Owner's Responsibility
Universal connectivity: S3 endpoints are on the Internet, so your data are reachable from anywhere unless access control says otherwise
S3 is organised as buckets, each assigned to exactly one owner (the AWS account that created it).
The owner defines access to the objects in the bucket.
Global Namespace
Bucket names are unique worldwide.
You cannot choose a bucket name freely: more than 1 million AWS accounts share the same namespace.
Never delete a bucket! A deleted name becomes available to any other account.
Data Location
The data location (region) of a bucket cannot be changed after creation.
Two Methods for Access Control: ACLs and Policies
Access Control List (ACL)
Do not use ACLs.
Use a bucket policy or IAM policies.
Only specific use cases require ACLs:
• object-level permissions via the object ACL
• the LogDelivery group in the bucket ACL (for server access logging)
• bucket owner: „Full Control“
ACLs cannot reference IAM users, groups or roles; their grantees are AWS accounts and predefined groups
Access Control with Policies
Policies
Policy is AWS's universal access language
The bucket policy is the successor to ACLs
Syntax: JSON = JavaScript Object Notation
Semantics: the IAM policy grammar
Specific S3 actions (53 at the time), e.g. s3:GetObject, s3:PutObject, ...
Construct by copy/paste or build with the AWS Policy Generator
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example.com/*"]
    }
  ]
}
From the AWS reference: a website on S3 with read access for everyone
S3 Access Control is Nice to Set and Hard to Maintain
Policies live in many places:
• In IAM (Identity & Access Management): AWS-managed policies, customer-managed policies and inline policies, each attached to a user, a group or a role
• The „Policy“ attribute of the S3 bucket itself
Flexibility in implementation, e.g. the Resource element can be tailored to:
* = all of S3 (e.g. for CreateBucket)
arn:aws:s3:::bucketname = bucket configuration (e.g. DeleteBucket)
arn:aws:s3:::bucketname/path/* = objects inside the bucket
Effort in maintenance:
1. Check every location for a policy
2. Understand the JSON
3. Identify whether S3 is targeted
4. Evaluate the effect (GetObject, PutObject, DeleteBucket, ...)
IAM policy simulator, Trusted Advisor: not much help here
Recommendations for Managing Access Control
Manage access efficiently
Define IAM policies for role-based access control
Attach policies to groups, and users to groups
Avoid Resource "*" and Action "s3:*"
Use a bucket policy only for „Everyone“ (anonymous) access
Restrict destructive operations with an MFA device:
1. „MFA Delete“ on bucket versioning (can only be enabled with the root account; protects object versions and the versioning state)
2. the condition key „aws:MultiFactorAuthPresent“ in policies for IAM users (e.g. on s3:DeleteBucket)
Rewrite all ACLs as policies
Review „who has access to what“
Repeat the access review at a regular frequency
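Worked example (added here; not part of the original slides and not an AWS tool): a static review in Python of „who has access to what“, applied to a constructed inventory of policies from the locations listed on the previous slide (a managed policy on a group, inline policies on a user and a role, and a bucket policy). It flags the four things these two slides warn about: anonymous read access (Principal "*"), Resource "*", Action "s3:*", and a grant covering s3:DeleteBucket without an aws:MultiFactorAuthPresent condition. Bucket names, principals and policy names are invented. It inspects Allow statements one by one and does not model full IAM evaluation (explicit Deny, NotAction, cross-account intersection with the bucket policy), so its output is a worklist for the review, not a verdict.

```python
import fnmatch

# Constructed inventory: every place a policy can live (IAM managed, inline, bucket
# policy), labelled with its location. Names and ARNs are invented for the example.
INVENTORY = [
    {"where": "iam:group/developers, managed policy DevS3Access",
     "policy": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::elephant-ok/app/*"}]}},
    {"where": "iam:user/alice, inline policy AllS3",
     "policy": {"Version": "2012-10-17", "Statement": {
         "Effect": "Allow", "Action": "s3:*", "Resource": "*"}}},
    {"where": "iam:role/backup, inline policy BackupBucketAdmin",
     "policy": {"Version": "2012-10-17", "Statement": [{
         "Effect": "Allow",
         "Action": ["s3:DeleteBucket", "s3:PutBucketVersioning"],
         "Resource": "arn:aws:s3:::elephant-backup",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}},
    {"where": "s3:bucket/elephant-ok, bucket policy",
     "policy": {"Version": "2012-10-17", "Statement": [{
         "Sid": "PublicWebsite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::elephant-ok/www/*"}]}},
]


def _as_list(value):
    """Statement, Action, Resource and Principal["AWS"] may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """Does an Action entry (possibly 's3:*' or 's3:Delete*') cover a concrete action?"""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_public(principal):
    """Principal '*' or {'AWS': '*'} means everyone, including anonymous users."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _requires_mfa(condition):
    """Any operator on aws:MultiFactorAuthPresent counts as an MFA condition."""
    return any("aws:MultiFactorAuthPresent" in keys for keys in (condition or {}).values())


def s3_allow_statements(inventory):
    """Yield (location, statement) for each Allow statement that can touch S3."""
    for entry in inventory:
        for stmt in _as_list(entry["policy"].get("Statement")):
            actions = _as_list(stmt.get("Action"))
            if stmt.get("Effect") == "Allow" and any(
                    a == "*" or a.lower().startswith("s3:") for a in actions):
                yield entry["where"], stmt


def review(inventory):
    """Map each finding type to the policy locations that exhibit it."""
    findings = {"public_read": [], "wildcard_resource": [],
                "s3_star": [], "delete_bucket_without_mfa": []}
    for where, stmt in s3_allow_statements(inventory):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _is_public(stmt.get("Principal")) and any(_covers(a, "s3:GetObject") for a in actions):
            findings["public_read"].append(where)
        if "*" in resources:
            findings["wildcard_resource"].append(where)
        if any(a.lower() in ("*", "s3:*") for a in actions):
            findings["s3_star"].append(where)
        if any(_covers(a, "s3:DeleteBucket") for a in actions) and not _requires_mfa(stmt.get("Condition")):
            findings["delete_bucket_without_mfa"].append(where)
    return findings


if __name__ == "__main__":
    for kind, places in review(INVENTORY).items():
        print(kind, "->", places or "none")
```

On the constructed inventory only alice's inline „s3:*“ on „*“ trips the wildcard and MFA checks (s3:* silently includes s3:DeleteBucket), the backup role passes because of its MFA condition, and the bucket policy shows up as public read, which is intended for the website prefix but must be confirmed during each review. Feeding real data means dumping the policy documents from IAM (users, groups, roles, managed and inline) and from every bucket into the same list shape.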
Recommendations: Legal Todos and Configuration
Legal Todos and Data Location
Sign the paper for the EU model clauses and send it to AWS
Choose the location (region) of a bucket from legal considerations
Claim your bucket names in the global namespace
Websites
Every S3 bucket answers HTTP requests like a website
Custom DNS names via CNAME records (e.g. in Route 53)
Your own domain with SSL: only via AWS CloudFront
Recovery Strategies
Versioning, cross-region replication, lifecycle policies
Logging (into an S3 bucket)
www-style server access logs: no delivery guarantee, no cost
CloudTrail data-level events: the full solution, with costs
URL of the website endpoint, browser-friendly, no SSL:
http://bucketname.s3-website-region.amazonaws.com/file.html
REST API endpoint with http/https, but not browser-friendly (no index document, XML error responses):
https://s3.region.amazonaws.com/bucketname/file.html
curl https://s3.amazonaws.com/elephant-ok/file.txt
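Worked example (added here; not part of the original slides): a parser for the www-style server access log format mentioned above, with two checks run over three constructed log lines: successful anonymous reads or listings (requester „-“ with status 200, which is what a public bucket looks like in its own logs) and denied requests with their source IP. Owner ID, bucket, IPs, request IDs and user agents are invented; the field order follows the documented format, and fields that later revisions of the format append at the end are kept under "extra".

```python
import re
from datetime import datetime

# Three constructed lines in the S3 server access log format (one record per request,
# space separated, "-" for empty fields). Owner ID, bucket, IPs and request IDs are invented.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacab3ef2d4bfee0e6c30ac elephant-ok [09/Mar/2017:10:15:02 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.OBJECT file.txt "GET /elephant-ok/file.txt HTTP/1.1" 200 - 1234 1234 12 8 "-" "curl/7.52.1" -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacab3ef2d4bfee0e6c30ac elephant-ok [09/Mar/2017:10:15:09 +0000] 198.51.100.7 - 7F1B2C3D4EXAMPLE REST.GET.BUCKET - "GET /elephant-ok?prefix=backup/ HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.52.1" -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacab3ef2d4bfee0e6c30ac elephant-ok [09/Mar/2017:10:16:41 +0000] 203.0.113.9 79a59df900b949e55d96a1e698fbacedfd6e09d98eacab3ef2d4bfee0e6c30ac A1B2C3D4E5EXAMPLE REST.PUT.OBJECT backup/db.sql.gz "PUT /elephant-ok/backup/db.sql.gz HTTP/1.1" 200 - - 52428800 310 280 "-" "aws-cli/1.11.56" -
"""

# Positional fields of the documented format; anything after them is kept as "extra".
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referrer", "user_agent",
          "version_id")

# A token is a [bracketed time], a "quoted string" or a run of non-blanks.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')


def parse_line(line):
    """Split one access log record into a dict keyed by FIELDS."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("too few fields: %r" % line)
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    rec["time"] = datetime.strptime(rec["time"].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    for quoted in ("request_uri", "referrer", "user_agent"):
        rec[quoted] = rec[quoted].strip('"')
    return rec


def audit_access_log(log_text):
    """Two checks a bucket owner wants: successful anonymous reads or listings
    (requester "-" with status 200), and denied requests (status 403)."""
    findings = {"anonymous_success": [], "denied": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        anonymous = rec["requester"] == "-"
        if anonymous and rec["http_status"] == "200" and rec["operation"].startswith("REST.GET."):
            findings["anonymous_success"].append(rec)
        if rec["http_status"] == "403":
            findings["denied"].append(rec)
    return findings


if __name__ == "__main__":
    result = audit_access_log(SAMPLE_LOG)
    for rec in result["anonymous_success"]:
        print("anonymous %s of %s from %s" % (rec["operation"], rec["key"], rec["remote_ip"]))
    for rec in result["denied"]:
        print("denied %s from %s (%s)" % (rec["operation"], rec["remote_ip"], rec["error_code"]))
```

The first sample line is the curl from the slide above seen from the bucket's side: an anonymous GET that succeeded. The second line, an anonymous listing of the backup/ prefix from the same IP that was denied, is the kind of follow-up a reviewer wants to see next to it. Because delivery of these logs is best effort, use them for review and detection, and CloudTrail data events where completeness is required.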
Recommendation: Encryption and Key Management
Encryption
Data in transit: SSL/TLS, SDK default sslEnabled = true
Data at rest: an attribute of each object, no setting at bucket level (at the time of this talk):
Server-side AES-256 (SSE-S3), per object
Transparent for the user; enable it, at no cost
Protection against some threats inside AWS
Set on write. How to check later? HEAD the object and look for the x-amz-server-side-encryption response header
AWS Key Management Service (KMS)
More protection with key management (SSE-KMS, also transparent)
But the additional risk of losing or disabling the key: manage it
Client-side encryption with your own key management
Fits backups, but is difficult for most other use cases
Key Management in an HSM (CloudHSM)
The device erases its keys when tampered with; your data are then lost too
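Worked example (added here; not from the slides and not AWS code): the bucket policy pattern AWS documents for forcing server-side encryption on every upload, two Deny statements on s3:PutObject (one for a wrong header value, one, with the Null operator, for a missing header), next to a toy evaluator of exactly those two condition operators, plus the answer to „how to check later?“: classify HeadObject responses by the ServerSideEncryption field they report and list the objects stored in clear. The bucket name, the KMS key ARN and the HeadObject responses are constructed; in practice the responses come from head_object for each key listed in the bucket.

```python
# Bucket policy that makes every PutObject carry x-amz-server-side-encryption: AES256.
# Two Deny statements, following the pattern in the AWS S3 documentation: one for a
# wrong header value, one (Null) for a missing header. The bucket name is invented.
DENY_UNENCRYPTED_UPLOADS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::elephant-ok/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::elephant-ok/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the two operators used above against a request context
    (condition key -> value; a header the client did not send is absent)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            present = key in context
            if operator == "Null":
                # Null/"true" matches only when the key is absent, Null/"false" only when present
                if present == (str(wanted).lower() == "true"):
                    return False
            elif operator == "StringNotEquals":
                # Toy rule: an absent key is a non-match here; the Null statement is what
                # guarantees the missing-header case is denied, whatever this evaluates to.
                if not present or context[key] in _as_list(wanted):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def upload_denied(policy, context):
    """Sid of the first Deny statement on s3:PutObject that matches the request, else None."""
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in _as_list(stmt["Action"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


def encryption_status(head):
    """Classify a HeadObject response (boto3-style dict) by the encryption it reports."""
    if head.get("SSECustomerAlgorithm"):
        return "SSE-C"
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    return "NONE"


def unencrypted_keys(objects):
    """objects: iterable of (key, HeadObject response). Returns the keys stored in clear."""
    return [key for key, head in objects if encryption_status(head) == "NONE"]


# Constructed HeadObject responses, trimmed to the fields that matter here.
SAMPLE_OBJECTS = [
    ("www/index.html", {"ContentLength": 2048, "ServerSideEncryption": "AES256"}),
    ("backup/db.sql.gz", {"ContentLength": 52428800, "ServerSideEncryption": "aws:kms",
                          "SSEKMSKeyId": "arn:aws:kms:eu-central-1:123456789012:key/example"}),
    ("legacy/export.csv", {"ContentLength": 9120}),
]

if __name__ == "__main__":
    print(upload_denied(DENY_UNENCRYPTED_UPLOADS, {}))
    print(upload_denied(DENY_UNENCRYPTED_UPLOADS, {"s3:x-amz-server-side-encryption": "AES256"}))
    print(unencrypted_keys(SAMPLE_OBJECTS))
```

The policy as written rejects SSE-KMS uploads too, because their header value is aws:kms; to allow both, give StringNotEquals a list of the two values. The policy only affects new writes, which is why the second half exists: objects written before the policy, like legacy/export.csv in the sample, stay unencrypted until they are copied over themselves with the encryption header set.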
Security Operations
Service Dashboard
Current availability worldwide: https://status.aws.amazon.com
Security Bulletins
AWS informs with security bulletins: https://aws.amazon.com/security/security-bulletins/
(12 in total in 2016, 1 of them at level „informational“ for S3)
Patching
Patching S3 is AWS's responsibility (e.g. Heartbleed)
AWS replaced OpenSSL (about 500,000 lines of code) with s2n (about 6,000 lines)
23 Jan 2017: Shodan found almost 200,000 servers worldwide still vulnerable to Heartbleed
Emergencies
Develop your own emergency plan
Call to action: Be realistic about cloud consumption
Start governance of cloud usage
Constraints & Goals

Contracts, SLAs, Shared Responsibility Model
Strategy

Services, Security Policies, Architecture
Activities

Training, Security Procedures, Security Tools
Measure

Security Reviews
Thank You for Your Attention
