Why Amazon S3 is a ransomware target and how to protect it
Hacking continues to evolve. While Amazon S3 is a major ransomware target, admins can take steps in configuration and event logging, among other protection measures.
Amazon S3 is the de facto reference cloud object storage service. Unfortunately, so many organizations use S3 and store so much data in it that it is now also a major target for hackers.
While famous data leaks and breaches have made the news for years, threats have evolved to sophisticated ransomware attacks in which bad actors not only gain access to massive cloud data stores, but also encrypt them to hold them hostage. Once a hacker compromises a cloud storage admin account with basic settings, it can be straightforward to encrypt all the stored data, as well as download or delete it. The good news is that it is possible to ramp up S3 security to protect data from ransomware attacks.
Data leakage via public access
Early adopters of S3 had assumed that any data posted to an arbitrarily defined S3 bucket, the basic container of stored objects, would effectively be hidden from prying eyes. They reasoned that the global object namespace was too big and that the naming and paths to buckets and objects were too obscure.
However, for many years, S3 buckets were publicly visible by default if anyone knew or could guess the bucket's external URL. Today, relying on obscurity can fail because global-reach hackers crawl millions of potential bucket links per second and look for public URLs.
Amazon now recommends as best practice that all buckets deliberately block public access and only provide broader access to specific data as required. In fact, Amazon recently changed the default settings regarding Public Access and Object Ownership. All newly created S3 buckets are locked down as completely private by default. However, S3 admins still need to ensure existing buckets have their access permissions set appropriately.
Protect S3 from ransomware attacks
In order to delete or encrypt data in S3, hackers first aim to compromise an administrative account. Historically, many AWS clients created only a single cloud admin identity that organizations often shared internally for development, backup and production cloud usage. This unintentionally created a single large vulnerability that can persist to this day.
If a hacker compromises a central AWS admin identity, then all the stored data becomes truly vulnerable. The first step is to ensure there are multiple admin roles and isolated bucket permissions so that, for example, developer storage identities can't access production or backup storage buckets.
Make it a priority to configure separate, dedicated buckets for critical operations. Admins should configure primary storage critical buckets with versioning, such as object versioning, and multifactor requirement features, such as MFA delete, to provide for immediate recovery. Admins should assign hard immutability dates, such as Object Lock, to secondary storage objects. Both approaches can protect data from malicious activity even if hackers compromise admin credentials.
Who went where when?
With an enterprise amount of storage measured in the millions or billions of objects, it can seem impossible to audit and configure object settings. The good news is that Amazon provides a built-in storage console to manage configuration issues across all buckets called S3 Storage Lens. This free dashboard has 15-minute granularity views across organizations, accounts and buckets of any size. Storage Lens can quickly check up on encryption, replication, storage costs, object versioning and other settings.
Enterprises should also turn on AWS CloudTrail event logging to provide a thorough audit trail of all storage activity. Storage logs are invaluable in data loss prevention, as well as forensic analysis in the case of malicious activity. In addition, Amazon offers a cost-effective GuardDuty service that automatically analyzes CloudTrail logs and other data to proactively identify hacking attempts of all kinds across the entire AWS environment. Turn on GuardDuty if there are no other enterprise security monitoring measures.
Other storage management
If revamping S3 configurations, set up additional private key encryption for key buckets, replicate objects across AWS zones for resilience, regularly prune unused or orphaned objects -- and whole buckets -- and use intelligent-tiered S3 storage settings to help control costs.
All these activities also enhance the security profile and make it harder for hackers to take data hostage.
If admins lock down S3 directly, other ransomware entry points into storage could still include compromised web services, corrupted databases and third-party services.
For example, expect more sophisticated attacks where hackers attempt to implant malicious code into upstream repositories or replace machine images to infiltrate across the compute environment and get to critical data.