![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/devops\/21\/e\/how-to-improve-security-for-amazon-s3-buckets\/how-to-improve-security-for-amazon-s3-buckets.jpg\")
<\/p>\n<\/p>\n
<\/div>\nOverview<\/span><\/b><\/p>\n Since 2006, Amazon Web Services (AWS) has provided object storage to make web-scale computing easier. This service enables organizations of any size or industry to store large troves of data for websites, mobile applications, disaster recovery, and whatever else the business requires.<\/p>\n Recently, Hobby Lobby<\/a>, a prolific American arts and crafts enterprise had 138GB of data, including payment card info and physical addresses, plucked out of an open Amazon S3 bucket. Events like this impact the entire organization\u2014including developers, who are responsible for remediating misconfigurations.<\/p>\n This article explores how to avoid post-deployment headaches by increasing the security of your Amazon S3 buckets and the objects stored within during the early phases of development.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The shared responsibility model<\/b><\/p>\n As with all cloud environments, you\u2019re responsible for what you store<\/b> in it. This is part of the shared responsibility model<\/a>\u2014meaning that the cloud service provider (CSP) is responsible for the overall security of the infrastructure that runs all of the services, but the user is responsible for securing any data or objects within that environment.<\/p>\n Seems a little vague, right? The level of responsibility assigned to customers and CSPs based on the type of cloud service being consumed across software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). Here\u2019s an example of the shared responsibility model for AWS:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n As a user of Amazon S3, it is your responsibility to consider the following security requirements:<\/p>\n You may have a couple of questions: How do you audit and validate that these security policies and controls are implemented across all your Amazon S3 buckets? Do users have visibility of any changes that might occur within this and other cloud services that would indicate a policy and\/or compliance violation? How can you remediate a violation without disrupting your workflow? How do you integrate an extra layer of security to scan for malicious content coming into your Amazon S3 bucket?<\/p>\n These are great questions to ask, and we have some insights for you. Let\u2019s dive into some tools and solutions that can provide you with maximum visibility into your cloud risk posture as well as remediation advice.<\/p>\n What\u2019s \u201cshift left\u201d?<\/span><\/b><\/p>\n All of our suggestions enable your security approach to \u201cshift left.\u201d Essentially, this means moving your security scans, audits, or thingamajigs to the front of your pipeline. The benefits of catching security issues at the onset are huge: it helps save time, money, and it reduces risks to the business. By introducing security checks and validation at the first step in the infrastructure build process (IaC templates), you can reduce friction for the development and operations team\u2014who doesn\u2019t want that?!<\/p>\n This all sounds great in theory, but you may be wondering what exactly<\/i> are you looking for, or what should<\/i> you be keeping an eye on? Misconfigurations are the number one risk<\/a> to cloud environments. Therefore, you should pay extra attention to monitoring for any possible errors.<\/p>\n This may sound like a lot of work that eats time from building, but there\u2019s cloud security posture management (CSPM) tools that can help monitor for misconfigurations in real-time across all your Amazon S3 buckets and other AWS services. It\u2019s ideal that the CSPM you choose embraces the \u201cshift-left\u201d security approach by integrating into the infrastructure as code (IaC) with AWS CloudFormation templates. This will allow you to identify and detect any possible misconfigurations in the earliest stage of development.<\/p>\n Okay, now to the good stuff\u2014here\u2019s how a CSPM tool such as Trend Micro Cloud One\u2122 can help you shift-left and effectively secure your Amazon S3 buckets so it\u2019s smooth sailing from build time to run time.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n FYI\u2014If you are interested in creating your environment, here is a Git repository with CloudFormation to automate this process for you: <\/i>https:\/\/github.com\/fernandostc\/AWS_IaC_pipeline_with_Security<\/i><\/a><\/i><\/p>\n Integrated Development Environment (IDE) security plugin<\/span><\/b><\/p>\n You can streamline the entire audit process by choosing a CSPM that uses an IDE security plug-in. This is designed to quickly get real-time feedback for developers in the IaC template, so they can scan and fix issues in their current IDE workspace as early as possible. By doing so, developers can prevent misconfigurations across different AWS services and build in accordance with the AWS Well-Architected Framework.<\/p>\n Below is an example of a template scanning report generated by a security plugin, which shows potential risks found in your pipeline. This helps you identify what needs to be fixed before you start building with it in production.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Link to VSCode plugin: Cloud Conformity Template Scanner Extension<\/a><\/p>\n How do template scanners work?<\/span><\/b><\/p>\n Think of template scanning as body scanners at the airport\u2014it\u2019s similar in the way it provides enhanced visibility into any risks or threats that may not be caught with the human eye. Template scanning is especially necessary if you use open source code repositories to build (which 90% of developers do, according to Gartner<\/a>).<\/p>\n Template scanners use powerful APIs within your CSPM tool to provide automated, real-time checks every time you push a new template. It also shares the results with developers and cloud architects, so they can investigate any potential issues before production. Auto-remediation allows you to continue building at lightning speed. For example, you can configure settings so that if the scan finds an \u201cExtreme\u201d or \u201cHigh-risk\u201d issue for example, the CSPM will stop the deployment of the new infrastructure and notify the development team through Slack, Jira, ServiceNow, PagerDuty, and other third-party notification tools.<\/p>\n The example below shows how you can detect any misconfiguration on Amazon S3 buckets during the CI\/CD pipeline before you build the CloudFormation template in your AWS account:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Introducing Trend Micro Cloud One\u2122 \u2013 Conformity<\/span><\/b><\/p>\n As part of the Trend Micro Cloud One\u2122<\/a> platform, Trend Micro Cloud One\u2122 \u2013 Conformity<\/a> is a CSPM solution that seamlessly integrates into your CI\/CD pipeline to detect misconfiguration in multiple CSPs. It\u2019s designed to overcome any visibility or security risk challenges by running auto-checks against hundreds of cloud infrastructure configuration best practices and compliance standards including PCI-DSS, HIPAA, HITRUST, NIST-800-53, and more. The solution also ensures fast remediation by providing instant alerts and remediation steps when critical misconfigurations are detected.<\/p>\n With Conformity, organizations receive a comprehensive picture of security and compliance risks across all cloud environments. Below is an example of the insight Conformity provides your Amazon S3 buckets after checking them against the AWS Well-Architected Framework, compliance standards, and other best practice guidelines.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Reminder: Double-check what\u2019s going in your Amazon S3 buckets<\/span><\/b><\/p>\n But wait\u2014there\u2019s more! As we mentioned earlier, it\u2019s critical to scan what is going into your bucket as well. By scanning any file before its uploaded, you can prevent malware from entering your organization and impacting downstream workflows or infecting external web applications.<\/p>\n Trend Micro Cloud One\u2122 \u2013 File Storage Security<\/a> complements Conformity by making sure the files going inside the bucket are safe as well as helping you stay compliant by keeping your files and data within your AWS account during scanning.<\/p>\n Below is a diagram showing the journey of a file through File Storage Security before receiving the stamp of approval.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Next, it\u2019s important to have a post-scan game plan for flagged files. By setting up post-scan actions, File Storage Security will automate the incident and response use cases for possible malicious objects. Post-scan actions can include quarantining the file in your account but away from your application or terminating the file outright. Here is an example of scan results of a file\u2014the \u201cmalicious\u201d tag will trigger the appropriate post-scan action.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n You also have centralized visibility about the number of objects you have scanned and how many those files have been recognized as malicious. Here is an example of such on the dashboard in Trend Micro Cloud One:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n By automating the file scanning process, you\u2019re eliminating the possibility of human interaction which in return increases the level of security and compliance within your Amazon S3 buckets. Some other benefits of File Storage Security are:<\/p>\n Demo: Happy Path<\/span><\/b><\/p>\n In this real-life example, we\u2019ll put all the pieces together and show you how Conformity and File Storage Security can apply to your web applications using AWS services.<\/p>\n James Beswick<\/a>, principal developer advocate for the AWS Serverless Team, demonstrated how to create a new web application called Happy Path<\/a> using AWS Lambda, Amazon S3 buckets, AWS Step Functions, and other AWS services. Check out the backend architecture below or view the Git repository here<\/a>. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n Source: https:\/\/aws.amazon.com\/blogs\/compute\/using-serverless-backends-to-iterate-quickly-on-web-apps-part-2\/<\/a><\/p>\n Imagine you have a fully automated IaC pipeline to build the Happy Path architecture and want to ensure its as secure as possible before its deployed. You can improve this environment by integrating Conformity (CSPM with IDE plugin) to check how it stacks up against the AWS Well-Architected Framework and if its meeting compliance. This will give you real-time feedback about any possible updates or improvements you can implement on your cloud infrastructure. See below:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n To take Happy Path to the next level security-wise, you need to integrate additional protection for the files being uploaded into the Amazon S3 bucket. Unlike other AWS services, Trend Micro Cloud One solutions, Conformity and File Storage Security, detect misconfigurations of the Amazon S3 buckets, and<\/i> the files uploaded within it before an event is triggered by Lambda. This is important because if the file is unscanned before moved elsewhere by a Lambda function, it could spread malicious malware throughout your entire infrastructure.<\/p>\n The grey box in the diagram below demonstrates where you could integrate File Storage Security so that any new object is automatically scanned and if tagged as malicious (or your tag of choice) will be moved to a quarantine bucket. Alternatively, if the file is determined to be safe, it will move to a promote bucket. By integrating File Storage Security into the Happy Path architecture, you can ensure that your application is processing safe documents and objects before they\u2019re shared with your customer or partners.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Conclusion<\/span><\/b><\/p>\n In order to build securely, you must consider the AWS shared responsibility model, so you can be fully aware of your security responsibilities for each AWS service. Knowing what role you play and choosing the appropriate CSPM vendor allows you to get the best out of all the AWS-native services that integrate smoothly within your architecture.<\/p>\n As the gatekeeper of what goes in and out of your buckets, it\u2019s ideal to implement real-time scans to inspect those buckets for malware and misconfigurations so they\u2019re detected before they can impact business processes. The advanced capabilities of Conformity and File Storage Security automatically identify and eliminate malicious content and enable you to plug configurations that may grant too much access. This is key to reduce disruptions and prevent criminal activity\u2014which, just like a data leak, can have critical consequences for the business.<\/p>\n Get started with a free 30-day trial<\/u><\/a> or check out our additional resources below.<\/p>\n Security Best Practices and Guidelines for Amazon S3:<\/span><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n\n\n\n\n\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n\n\n\n\n\n