How to Prevent RNC, Verizon, and Dow Jones AWS S3 Data Leaks
By now, you’ve probably heard of the 2.1 million customers data leaked at the highly esteemed WSJ parent company Dow Jones. In fact, in the last few weeks alone, three such incidents at the Republican National Committee, Verizon and Dow Jones have exposed more than 216 million records!
With all the talks of ransomware (e.g. WannaCry) and 0-day vulnerabilities, it can be easy to forget that 14% of security incidents are due to configuration errors (see Summary of Verizon DBIR 2017) leaving the door wide open for the bad guys.
In the case of Dow Jones, an employee accidentally set read permissions of the S3 bucket in question to 'all authenticated users'. Meaning that anyone with a valid AWS login could access the data. Furthermore, the downloading of a large amount of sensitive data not only went undetected, but the data was also stored unencrypted in cleartext.
For this post, our focus is to share a few of the controls you can use to ensure you do not wake up to find yourself making the headlines for the wrong reason.
Use CloudTrail to Enable Monitoring
You can use CloudTrail to enable monitoring so that access to sensitive files by unapproved IP addresses or IP ranges generates an alert. If you have sensitive data stored in S3 and have a reasonable idea of the IP addresses that access it, it's a cheap way to detect something that is wrong.
Use Lambda to Monitor S3 Bucket Permissions
At AWS Re:Invent 2016, I watched a talk about using AWS Lambda to enforce certain security controls. For example if someone turns off CloudTrail, it will turn it back on. If a developer launches an EC2 instance in an unapproved region, it will terminate it. So it wouldn't be hard to create a function that, when a new bucket is created or a bucket is modified, the Lambda function checks the permissions on the bucket. If the bucket is configured with permissions that are too permissive (e.g. open to everyone or all authenticated users), the Lambda function would apply the correct permissions.
3rd Party Solutions
One commercial solution we like is ThreatStack. ThreatStack automates a lot of CloudTrail alerting and makes life easy. Don't want to write a Lambda function? Just quickly create an alert in ThreatStack. We are also big Splunk fans. Running an AWS infrastructure generates a lot of data. Running that infrastructure with all kinds of logging enabled generates a TON of data. You are going to need a tool to search and take action on that data.
These are only a few of the controls we used to secure our SaaS in AWS for 5 years and did right by our customers. Check out our series What we learned about cloud security running a SaaS in AWS for 5 years.