AWS offers a complete range of cloud storage services to help you meet your application and archival compliance requirements. Some of the AWS storage services for common industry use are:
- Object storage using Amazon Simple Storage Service (Amazon S3)
- File storage using Amazon Elastic File System (Amazon EFS)
- Block storage using Amazon Elastic Block Store (Amazon EBS)
- Archive using Amazon S3 Glacier
- Hybrid storage using AWS Storage Gateway
An example using S3 and EBS is given.
Security Model
AWS shared responsibility model, where security and compliance is a shared responsibility between AWS and you as the AWS customer, is consistent with OCIE recommendations for ownership and accountability, and use of all available security features.
A lack of clear understanding of the shared responsibility model can result in missed controls or unused security features. Clarifying and operationalizing this shared responsibility model and shared controls helps enable the controls to be applied to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives.
Security of the cloud – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS cloud.
Security in the cloud – Your responsibility as a user of AWS is determined by the AWS cloud services that you select. This determines the amount of configuration work you must perform as part of your security responsibilities. You’re responsible for managing data in your care (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
Misconfiguration – Monitor, detect, and remediate misconfiguration with AWS cloud storage services
Monitoring, detection, and remediation are the specific areas noted by the OCIE. Misconfiguration of settings results in errors such as inadvertent public access, unrestricted access permissions, and unencrypted records. Based on your use case, you can use a wide suite of AWS services to monitor, detect, and remediate misconfiguration.
IAM
Access analysis via AWS Identity and Access Management (IAM) Access Analyzer – Identifying if anyone is accessing your resources from outside an AWS account due to misconfiguration is critical. Access Analyzer identifies resources that can be accessed without an AWS account.
IAM Access Analyzer continuously monitors for new or updated policies, and it analyses permissions granted using policies for Amazon S3 buckets, AWS Key Management Service (AWS KMS) and AWS IAM roles (see IAM Access Analyzer flags unintended access to S3 buckets shared through access points).
Trusted Advisor
Actionable security checks via AWS Trusted Advisor. Unrestricted access increases opportunities for malicious activity such as hacking, denial-of-service attacks, and data theft. Trusted Advisor posts security advisories that should be regularly reviewed and acted on. Trusted Advisor can alert you to risks such as Amazon S3 buckets that aren’t secured and Amazon EBS volume snapshots that are marked as public. Bucket permissions that don’t limit who can upload or delete data create potential security vulnerabilities by allowing anyone to add, modify, or remove items in a bucket. Trusted Advisor examines explicit bucket permissions and associated bucket policies that might override the bucket permissions. It also checks security groups for rules that allow unrestricted access to a resource.
Encryption
Encryption via AWS Key Management Service (AWS KMS). Simplifying the process to create and manage encryption keys is critical to configuring data encryption by default. You can use AWS KMS master keys to automatically control the encryption of the data stored within services integrated with AWS KMS such as Amazon EBS and Amazon S3. AWS KMS gives you centralized control over the encryption keys used to protect your data. AWS KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service.
The service uses FIPS140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of keys. For example, you can specify that all newly created Amazon EBS volumes be created in encrypted form, with the option to use the default key provided by AWS KMS or a key you create. Amazon S3 inventory can be used to audit and report on the replication and encryption status of objects for business, compliance, and regulatory needs.
Monitor, Audit
Continuous monitoring and regular assessment of control environment changes and compliance are key to data storage oversight. They help you validate whether security and access settings and permissions across your organization’s cloud storage are in compliance with your security policies and flag non-compliance. For example, you can use AWS Config or AWS Security Hub to simplify auditing, security analysis, monitoring, and change management.
Configuration compliance monitoring via AWS Config – You can use AWS Config to assess how well your resource configurations align with internal practices, industry guidelines, and regulations by providing a detailed view of the configuration of AWS resources including current, and historical configuration snapshot and changes.
AWS Config managed rules are predefined, customizable rules to evaluate whether your AWS resources align with common best practices. Config rules can be used to evaluate the configuration settings, detect and remediate violation of conditions in the rules, and flag non-compliance with internal practices. This helps demonstrate compliance against internal policies and best practices, for data that requires frequent audits.
Set up a managed rule to quickly assess whether your EBS volumes are encrypted or whether specific tags are applied to your resources. Another example of AWS Config rules is on-going detective controls that check that your S3 buckets don’t allow public read access. The rule checks the block public access setting, the bucket policy, and the bucket access control list (ACL). You can configure the logic that determines compliance with internal practices, which lets you automatically mark IAM roles in use as compliant and inactive roles as non-compliant.
Automated compliance checks via AWS Security Hub – Security Hub eliminates the complexity and reduces the effort of managing and improving the security and compliance of your AWS accounts and workloads. It helps improve compliance with automated checks by running continuous and automated account and resource-level configuration checks against the rules in the supported industry best practices and standards, such as the CIS AWS Foundations Benchmarks.
Security Hub insights are grouped findings that highlight emerging trends or possible issues. For example, insights help to identify Amazon S3 buckets with public read or write permissions. It also collects findings from partner security products using a standardized AWS security finding format, eliminating the need for time-consuming data parsing and normalization efforts. To learn more about Security Hub, see AWS Foundational Security Best Practices standard now available in Security Hub.
Security and compliance reports via AWS Artifact – As part of independent oversight, third-party auditors test more than 2,600 standards and requirements in the AWS environment throughout the year. AWS Artifact provides on-demand access to AWS security and compliance reports such as AWS Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies that validate the implementation and operating effectiveness of AWS security controls. You can access these attestations online under the artifacts section of the AWS Management Console.
Data Protection, LCM
It’s important to classify institutional data to support application of the appropriate level of security. Data discovery and classification enables the implementation of the correct level of security, privacy, and access controls. Discovery and classification are highly complex given the volume of data involved and the tradeoffs between a strict security posture and the need for business agility.
Controls via S3 Block Public Access – S3 Block Public Access can help controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects do not have public permissions. Block Public Access is a good second layer of protection to ensure you don’t’ inadvertently grant broader access to objects than intended. To learn more about using S3 Block Public Access, see Learn how to use two important Amazon S3 security features – Block Public Access and S3 Object Lock.
S3 configuration monitoring and sensitive data discovery via Amazon Macie – You can use Macie to discover, classify, and protect sensitive data like personally identifiable information (PII) stored in Amazon S3. Macie provides visibility and continuous monitoring of S3 bucket configurations across all accounts within your AWS Organization, and alerts you to any unencrypted buckets, publicly accessible buckets, or buckets shared or replicated with AWS accounts outside your organization. For buckets you specify, Macie uses machine learning and pattern matching to identify objects that contain sensitive data. When sensitive data is located, Macie sends findings to EventBridge allowing for automated actions or integrations with ticketing systems. To learn more about using Macie, see Enhanced Amazon Macie.
WORM data conformance via Amazon S3 Object Lock – Object Lock can help you meet the technical requirements of financial services regulations that require write once, read many (WORM) data storage for certain types of books and records information. To learn more about using S3 Object Lock, see Learn how to use two important Amazon S3 security features – Block Public Access and S3 Object Lock.
Alerts via Amazon GuardDuty – GuardDuty is designed to raise alarms when someone is scanning for potentially vulnerable systems or moving unusually large amounts of data to or from unexpected places. To learn more about GuardDuty findings, see Visualizing Amazon GuardDuty findings.
Note: AWS strongly recommends that you never put sensitive identifying information into free-form fields or metadata, such as function names or tags. The reason being any data entered into metadata might be included in diagnostic logs.
Effective configuration management program features, and practices
OCIE also noted effective industry practices for storage configuration, including:
- Policies and procedures to support the initial installation and ongoing maintenance and monitoring of storage systems
- Guidelines for security controls and baseline security configuration standards
- Vendor management policies and procedures for security configuration assessment after software and hardware patches
In addition to the services already covered, AWS offers several other services and capabilities to help you implement effective control measures.
Security assessments using Amazon Inspector – You can use Amazon Inspector to assess your AWS resources for vulnerabilities or deviations from best practices and produce a detailed list of security findings prioritized by level of severity. For example, Amazon Inspector security assessments can help you check for unintended network accessibility of your Amazon Elastic Compute Cloud (Amazon EC2) instances and for vulnerabilities on those instances. To learn more about assessing network exposure of EC2 instances, see A simpler way to assess the network exposure of EC2 instances: AWS releases new network reachability assessments in Amazon Inspector.
Configuration compliance via AWS Config conformance packs – Conformance packs help you manage configuration compliance of your AWS resources at scale—from policy definition to auditing and aggregated reporting—using a common framework and packaging model. This helps to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way. Sample conformance pack templates such as Operational best practices for Amazon S3 can help you to quickly get started on evaluating and configuring your AWS environment. To learn more about AWS Config conformance packs, see Manage custom AWS Config rules with remediations using conformance packs.
Logging and monitoring via AWS CloudTrail – CloudTrail lets you track and automatically respond to account activity that threatens the security of your AWS resources. With Amazon CloudWatch Events integration, you can define workflows that execute when events that can result in security vulnerabilities are detected. For example, you can create a workflow to add a specific policy to an Amazon S3 bucket when CloudTrail logs an API call that makes that bucket public. To learn more about using CloudTrail to respond to unusual API activity, see Announcing CloudTrail Insights: Identify and Respond to Unusual API Activity.
Machine learning based investigations via Amazon Detective– Detective makes it easy to analyse, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that helps you to conduct faster, more efficient security investigations. To learn more about Amazon Detective based investigation, see Amazon Detective – Rapid Security Investigation and Analysis.
==END