Amazon Enhances AWS S3 Encryption And Security Features To Help 'Lazy' Administrators

Amazon Web Services (AWS) S3 has at least 185,000 websites running inside it. To make it more secure, Amazon announced five security updates to its Simple Storage Service (S3) web servers.

The focus of the update is to help 'lazy' administrators. More than 53 percent of cloud service administrators have unintentionally exposed their company’s data to the internet. Considering that Amazon's S3 is one of the popular choices out there, this is certainly a much-needed update.

The five updates include:

  1. Default Encryption: Users can mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that aren't encrypted.
  2. Permission Checks: The S3 Console displays a prominent indicator next to each S3 bucket that is publicly accessible.
  3. Cross-Region Replication ACL Overwrite: When users replicate objects across AWS accounts, they can specify that the object gets a new ACL that gives full access to the destination account.
  4. Cross-Region Replication with KMS: Users can replicate objects that are encrypted with keys that are managed by AWS KMS (Key Management Service).
  5. Detailed Inventory Report: The S3 Inventory report includes the encryption status of each object. The report can also be encrypted.
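
As an added example (not from the original article or from AWS), the following Python code checks for the two conditions behind items 1 and 2: a bucket with no default encryption and a bucket ACL that grants access to a public group. It runs offline on constructed data shaped like the S3 GetBucketEncryption and GetBucketAcl responses; the bucket names, owner ID and function names are assumptions.

```python
# Added example (not AWS code); dict shapes follow GetBucketEncryption / GetBucketAcl.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def default_encryption(enc):
    """Return the bucket's default SSE algorithm, or None if none is set."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def public_grants(acl):
    """Return (audience, permission) for each ACL grant to a public group."""
    return [
        (PUBLIC_GROUPS[g["Grantee"]["URI"]], g.get("Permission"))
        for g in (acl or {}).get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]

def audit(buckets):
    """Map bucket name -> list of findings; an empty list means clean."""
    report = {}
    for name, cfg in buckets.items():
        findings = []
        if default_encryption(cfg.get("encryption")) is None:
            findings.append("no default encryption")
        findings += [f"ACL grants {p} to {who}" for who, p in public_grants(cfg.get("acl"))]
        report[name] = findings
    return report

# Constructed sample data; bucket names and owner ID are hypothetical.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"}
ALL_USERS = {"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE = {
    "example-private": {"encryption": SSE_S3, "acl": {"Grants": [OWNER]}},
    "example-exposed": {"encryption": None, "acl": {"Grants": [OWNER, ALL_USERS]}},
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE).items():
        print(bucket, "->", findings or "OK")
```

Against a live account, the same dictionaries could be filled from boto3's `get_bucket_encryption` and `get_bucket_acl` calls. The check covers ACL grants only, so a bucket made public through its bucket policy needs a separate review.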

While Skyhigh Networks said that 4 percent of AWS customers were vulnerable to GhostWriter attacks (attacks on misconfigured S3 buckets), the biggest problem with AWS is mostly human-related.

According to a report from RedLock, about 53 percent of organizations using cloud storage services like Amazon S3 have unintentionally exposed one or more such services to the public.

One recent data breach exposed data including names, addresses, and partial credit card numbers from millions of customers. That happened after the company chose the wrong permission settings for its S3 data repository.

The updates are necessary because they would check and encrypt any file entering an S3 bucket, the basic unit of storage in S3. This would help prevent data leaks caused by human error. And if anything goes wrong, customers can take advantage of a warning system that will notify them if they make a configuration change that leaves data unprotected.

According to a blog post from Jeff Barr, chief evangelist for AWS, the updates are available for all S3 at no additional charge.

Published: 07/11/2017