AWS adds default encryption to leaky S3 buckets

Amazon addresses spate of data breaches affecting S3 customers

Amazon Web Services (AWS) has finally addressed multiple data breaches resulting from unencrypted S3 buckets, adding basic protections to its cloud storage service.

The AA, Accenture, Verizon, Dow Jones and even the WWE are among a spate of companies that have suffered data leaks because they haven't secured their S3 storage, which AWS didn't encrypt by default.

Yet when Cloud Pro asked AWS what steps customers could take to mitigate the threat last week, it offered no comment.

The cloud giant did address the issue in a blog post this week, however, with chief evangelist Jeff Barr outlining some new features, available now free of charge, that customers can use to secure S3 buckets.

Amazon cloud customers can finally choose to encrypt their buckets by default, mandating that any objects entering a bucket must be stored in encrypted form, rather than relying on AWS's former approach, under which the bucket simply rejected unencrypted objects.

"While this helps them to meet their requirements, simply rejecting the storage of unencrypted objects is an imperfect solution," admitted Barr.

Instead, "if an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using [the] encryption option specified for the bucket," he explained.

There are three server-side encryption options available: SSE-S3, where the bucket manages the encryption keys; SSE-KMS, where AWS's Key Management Service looks after them; and SSE-C, where the user holds the keys.

AWS appears to have made it simple to enable encryption, too, with users wishing to create a new bucket on the S3 console just having to type the bucket's name, then hit 'Next', before selecting 'Default encryption' and choosing what kind they require.

Customers can secure existing buckets by calling the PUT Bucket Encryption function over an SSL connection and signing the request using AWS Signature Version 4.
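As an added illustration (not code from this article or from AWS), the Python sketch below builds the XML body that a PUT Bucket Encryption request carries and reads the default rule back out of such a document, which is the check an auditor would run on a bucket's configuration. The function names and the KMS key ID are hypothetical; sending the request over SSL and signing it with Signature Version 4 is left to an SDK or CLI. Only SSE-S3 and SSE-KMS are handled, because SSE-C keys are supplied by the user with each request and cannot be set as a bucket default.

```python
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
# Values S3 accepts in <SSEAlgorithm> for a bucket default.
DEFAULT_ALGORITHMS = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}


def build_default_encryption_body(algorithm="AES256", kms_key_id=None):
    """Return the XML body for a PUT Bucket Encryption request."""
    if algorithm not in DEFAULT_ALGORITHMS:
        raise ValueError(f"not usable as a bucket default: {algorithm!r}")
    if kms_key_id and algorithm != "aws:kms":
        raise ValueError("a KMS key ID only applies to aws:kms")
    root = ET.Element("ServerSideEncryptionConfiguration", xmlns=S3_NS)
    rule = ET.SubElement(root, "Rule")
    default = ET.SubElement(rule, "ApplyServerSideEncryptionByDefault")
    ET.SubElement(default, "SSEAlgorithm").text = algorithm
    if kms_key_id:
        ET.SubElement(default, "KMSMasterKeyID").text = kms_key_id
    return ET.tostring(root, encoding="unicode")


def read_default_encryption(xml_text):
    """Return (algorithm, kms_key_id) from a configuration, or None if no rule."""
    ns = {"s3": S3_NS}
    root = ET.fromstring(xml_text)
    default = root.find("s3:Rule/s3:ApplyServerSideEncryptionByDefault", ns)
    if default is None:
        return None  # bucket has no default encryption rule
    algorithm = default.findtext("s3:SSEAlgorithm", default=None, namespaces=ns)
    key_id = default.findtext("s3:KMSMasterKeyID", default=None, namespaces=ns)
    return algorithm, key_id


if __name__ == "__main__":
    # Constructed sample: SSE-KMS default with a placeholder key ID.
    body = build_default_encryption_body("aws:kms", "EXAMPLE-KEY-ID")
    print(body)
    print(read_default_encryption(body))
```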

Those who copy some mission-critical objects across to buckets in separate AWS accounts can toggle the destination buckets' encryption policies too, to ensure the data remains encrypted.

Bright orange icons reading 'Public' also denote any buckets that aren't encrypted in the S3 Console.

AWS has also included a warning sign when users click on a public-facing bucket's permissions to say "we highly recommend that you never grant any kind of public access to your S3 bucket".

While the changes are now live and available today, AWS will charge customers as normal for any data transfers and calls to the Key Management Service and S3.

Main image credit: Bigstock

Body copy images credit: AWS
