On Monday, Amazon announced five new security features for its Simple Storage Service (S3) to help customers store and manage their data in a more secure manner.
The new features will help customers better manage the encryption status and access permissions of their S3 buckets, according to a blog post from Jeff Barr, chief evangelist for AWS. They are now available for all S3 customers at no additional charge.
The new security options include:
1. Default encryption
“You can now mandate that all objects in a bucket must be stored in encrypted form by installing a bucket encryption configuration,” Barr wrote. “If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using the encryption option specified for the bucket (the PUT request can also specify a different option).”
Three server-side encryption options are available for a user’s S3 objects: SSE-S3 (with keys that are managed by S3), SSE-KMS (with keys that are managed by AWS KMS), and SSE-C (with keys that are managed by the user).
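As an added illustration (not code from the article or from AWS), the following Python shows the shape of the bucket encryption configuration document and models the precedence rule Barr describes: the PUT request's own SSE choice wins, otherwise the bucket default applies, and with neither the object is stored unencrypted. The key ARN and the sample requests are constructed placeholders; the configuration dict is the same structure that boto3's `put_bucket_encryption` takes.

```python
# Added example: bucket default encryption and the effective encryption of a PUT.
# KMS key ARN below is a constructed placeholder, not a real key.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def bucket_encryption_config(algorithm, kms_key_id=None):
    """Build the ServerSideEncryptionConfiguration document for a bucket.

    Default encryption supports SSE-S3 ("AES256") and SSE-KMS ("aws:kms").
    SSE-C cannot be a bucket default because S3 never holds the customer key.
    """
    if algorithm not in ("AES256", "aws:kms"):
        raise ValueError("default encryption supports only AES256 (SSE-S3) or aws:kms (SSE-KMS)")
    rule = {"SSEAlgorithm": algorithm}
    if algorithm == "aws:kms" and kms_key_id:
        rule["KMSMasterKeyID"] = kms_key_id  # omitted -> the account's aws/s3 default key
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


def effective_encryption(bucket_config, put_headers):
    """Return (mode, key) an object lands with, given the bucket default (or None)
    and the PUT request headers. Models the rule quoted from Barr's post."""
    h = {k.lower(): v for k, v in put_headers.items()}
    # 1. The request's explicit choice always takes precedence.
    if "x-amz-server-side-encryption-customer-algorithm" in h:
        return ("SSE-C", None)
    if "x-amz-server-side-encryption" in h:
        if h["x-amz-server-side-encryption"] == "aws:kms":
            return ("SSE-KMS", h.get("x-amz-server-side-encryption-aws-kms-key-id", "aws/s3"))
        return ("SSE-S3", None)
    # 2. No choice in the request: the bucket default, if one is installed, applies.
    if bucket_config:
        rule = bucket_config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
        if rule["SSEAlgorithm"] == "aws:kms":
            return ("SSE-KMS", rule.get("KMSMasterKeyID", "aws/s3"))
        return ("SSE-S3", None)
    # 3. Neither: the object is stored in the clear.
    return ("NONE", None)


def unencrypted_uploads(bucket_config, requests):
    """Keys from a list of (key, headers) PUTs that would end up unencrypted."""
    return [key for key, headers in requests
            if effective_encryption(bucket_config, headers)[0] == "NONE"]


if __name__ == "__main__":
    # Constructed sample traffic: one PUT with no SSE header, one with SSE-C.
    sample = [("logs/a.txt", {}),
              ("secrets/b.bin", {"x-amz-server-side-encryption-customer-algorithm": "AES256"})]
    print("without default:", unencrypted_uploads(None, sample))
    print("with SSE-S3 default:", unencrypted_uploads(bucket_encryption_config("AES256"), sample))
```

The same `sample` list run twice shows the point of the feature: the bare PUT is stored in the clear until the bucket default is installed, while the SSE-C request is unaffected either way.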
2. Permission checks
The S3 Console now shows an indicator next to each S3 bucket that is publicly accessible. This will help users see the impact of the changes they make to their bucket policies and ACLs as soon as they make them. “You will know right away if you open up a bucket for public access, allowing you to make changes with confidence,” Barr wrote.
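The console indicator does this check for you; as an added example (not AWS code, and a simplification of the console's own logic), here is the same check done offline over the two documents that make a bucket public: an unconditioned `Allow` statement whose principal is everyone in the bucket policy, or an ACL grant to the AllUsers or AuthenticatedUsers group. The policy and ACL below are constructed samples in the shape `get_bucket_policy` and `get_bucket_acl` return.

```python
import json

# Added example: detect public access in a bucket policy and a bucket ACL.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample policy: statement 0 is anonymous read, statement 1 is account-scoped.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample ACL: owner has full control, AllUsers has READ (list the bucket).
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # Both "*" and {"AWS": "*"} mean "anyone, signed or not".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Sids (or indexes) of Allow statements open to everyone and carrying no Condition.
    A Condition narrows the grant, so such statements need case-by-case review and are
    deliberately left out of this simple check."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if (st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal"))
                and not st.get("Condition")):
            hits.append(st.get("Sid", i))
    return hits


def public_acl_grants(acl):
    """(group URI, permission) pairs granted to the two public groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def bucket_is_public(policy, acl):
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


if __name__ == "__main__":
    print("policy:", public_policy_statements(SAMPLE_POLICY))
    print("acl:", public_acl_grants(SAMPLE_ACL))
    print("public:", bucket_is_public(SAMPLE_POLICY, SAMPLE_ACL))
```

Both sources must be checked: a bucket with a clean policy can still be public through its ACL, which is exactly the combination Barr says the console indicator now surfaces as soon as either changes.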
3. Cross-region replication ACL overwrite
AWS customers often use S3’s Cross-Region Replication tool to copy mission-critical objects and data to a destination bucket in a separate AWS account, Barr wrote. Along with copying that object, the process also copies the object ACL and any associated tags. With this new feature, when a user replicates objects across AWS accounts, they can now specify that the object gets a new ACL that gives full access to the destination account. This allows users to maintain separate and distinct stacks of ownership for the original objects and their replicas, Barr wrote.
4. Cross-region replication with KMS
Customers can now choose the destination key when they set up cross-region replication with AWS Key Management Service (KMS); during replication, encrypted objects are copied to the destination over an SSL connection. Once they arrive at the destination, the data key is encrypted with the KMS master key that a user specified in the replication configuration. “The object remains in its original, encrypted form throughout; only the envelope containing the keys is actually changed,” Barr wrote.
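Features 3 and 4 are both expressed as fields of the bucket's replication configuration. As an added example (not the article's or AWS's code), the Python below builds that document in the structure boto3's `put_bucket_replication` takes, enforcing the dependency that the owner override requires a destination `Account`, and reviews a configuration for the two things a practitioner wants to confirm: that cross-account replicas actually change owner, and that the replica KMS key lives in the destination region. All ARNs and account IDs are constructed placeholders.

```python
# Added example: cross-region replication config with ACL owner override and KMS re-wrapping.
# Every ARN and account ID here is a constructed placeholder.
ROLE_ARN = "arn:aws:iam::111122223333:role/crr-replication-role"
DEST_BUCKET_ARN = "arn:aws:s3:::example-replica-bucket"
DEST_ACCOUNT = "444455556666"
DEST_KMS_KEY_ARN = "arn:aws:kms:us-west-2:444455556666:key/11111111-2222-3333-4444-555555555555"


def replication_config(role_arn, dest_bucket_arn, dest_account=None, owner_override=False,
                       replica_kms_key_arn=None, rule_id="crr-rule-1"):
    """Build the ReplicationConfiguration document.

    owner_override  -> replicas get a new ACL giving the destination account full control
                       (AccessControlTranslation Owner=Destination), which only makes sense,
                       and is only accepted, for a cross-account destination.
    replica_kms_key -> SSE-KMS objects are replicated and re-wrapped under this key;
                       SourceSelectionCriteria must opt SSE-KMS objects in, since they are
                       skipped by default.
    """
    if owner_override and not dest_account:
        raise ValueError("AccessControlTranslation requires the destination Account")
    dest = {"Bucket": dest_bucket_arn}
    if dest_account:
        dest["Account"] = dest_account
    if owner_override:
        dest["AccessControlTranslation"] = {"Owner": "Destination"}
    rule = {"ID": rule_id, "Status": "Enabled", "Prefix": "", "Destination": dest}
    if replica_kms_key_arn:
        dest["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key_arn}
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
    return {"Role": role_arn, "Rules": [rule]}


def review_replication_config(config, dest_region=None):
    """Return a list of findings (strings); empty means nothing to raise."""
    findings = []
    for rule in config["Rules"]:
        dest = rule["Destination"]
        owner = dest.get("AccessControlTranslation", {}).get("Owner")
        if dest.get("Account") and owner != "Destination":
            findings.append(f"{rule['ID']}: cross-account replicas in {dest['Bucket']} "
                            "stay owned by the source account (no AccessControlTranslation)")
        key = dest.get("EncryptionConfiguration", {}).get("ReplicaKmsKeyID")
        if key:
            key_region = key.split(":")[3]  # arn:aws:kms:<region>:<account>:key/<id>
            if dest_region and key_region != dest_region:
                findings.append(f"{rule['ID']}: replica KMS key is in {key_region}, "
                                f"destination bucket is in {dest_region}")
            sse_kms = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
            if sse_kms.get("Status") != "Enabled":
                findings.append(f"{rule['ID']}: ReplicaKmsKeyID set but SSE-KMS objects "
                                "are not selected for replication")
    return findings


if __name__ == "__main__":
    cfg = replication_config(ROLE_ARN, DEST_BUCKET_ARN, dest_account=DEST_ACCOUNT,
                             owner_override=True, replica_kms_key_arn=DEST_KMS_KEY_ARN)
    print(cfg)
    print(review_replication_config(cfg, dest_region="us-west-2"))
```

Only the envelope changes, as Barr notes: the destination key named here re-wraps the data key on arrival, so the destination account can decrypt its replicas without the source account's key ever leaving the source region.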
5. Detailed inventory report
The S3 Inventory report now includes the encryption status of each object. Users can also request SSE-S3 or SSE-KMS encryption for the report itself, Barr wrote.
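As an added example of putting the new inventory field to use (not code from the article or AWS), the Python below reads an inventory delivery the way it actually arrives: a `manifest.json` whose `fileSchema` names the columns, and header-less CSV data files. It then lists the objects whose encryption status is `NOT-SSE` and tallies the rest. The manifest and CSV rows are constructed samples; the column names and the four status values (`SSE-S3`, `SSE-KMS`, `SSE-C`, `NOT-SSE`) follow the S3 Inventory format as the author understands it.

```python
import csv
import io
import json
from collections import Counter

# Added example: find unencrypted objects in an S3 Inventory report.
# Constructed manifest fragment: only the fields this example needs.
SAMPLE_MANIFEST = json.dumps({
    "sourceBucket": "example-bucket",
    "destinationBucket": "arn:aws:s3:::example-inventory-bucket",
    "version": "2016-11-30",
    "fileFormat": "CSV",
    "fileSchema": "Bucket, Key, Size, LastModifiedDate, ETag, StorageClass, "
                  "IsMultipartUploaded, ReplicationStatus, EncryptionStatus",
})

# Constructed data rows (inventory CSV files carry no header line).
SAMPLE_CSV = (
    '"example-bucket","reports/q3.pdf","204800","2017-11-06T12:00:00.000Z",'
    '"d41d8cd98f00b204e9800998ecf8427e","STANDARD","false","","NOT-SSE"\n'
    '"example-bucket","exports/customers.csv","10240","2017-11-06T12:05:00.000Z",'
    '"0cc175b9c0f1b6a831c399e269772661","STANDARD","false","COMPLETED","SSE-KMS"\n'
    '"example-bucket","images/logo.png","5120","2017-11-05T09:30:00.000Z",'
    '"92eb5ffee6ae2fec3ad71c777531578f","STANDARD_IA","false","","SSE-S3"\n'
    '"example-bucket","backups/db.dump","73400320","2017-11-04T02:00:00.000Z",'
    '"4a8a08f09d37b73795649038408b5f33","STANDARD","true","","NOT-SSE"\n'
)


def inventory_columns(manifest_json):
    """Column names in file order, taken from the manifest's fileSchema."""
    return [c.strip() for c in json.loads(manifest_json)["fileSchema"].split(",")]


def parse_inventory(manifest_json, csv_text):
    """Yield one dict per object, keyed by the manifest's column names."""
    cols = inventory_columns(manifest_json)
    for row in csv.reader(io.StringIO(csv_text)):
        if row:  # skip blank trailing lines
            yield dict(zip(cols, row))


def unencrypted_objects(manifest_json, csv_text):
    """Keys stored without server-side encryption."""
    return [r["Key"] for r in parse_inventory(manifest_json, csv_text)
            if r.get("EncryptionStatus") == "NOT-SSE"]


def encryption_summary(manifest_json, csv_text):
    """Object count per encryption status, e.g. to trend coverage after enabling a bucket default."""
    return dict(Counter(r.get("EncryptionStatus", "") for r in parse_inventory(manifest_json, csv_text)))


if __name__ == "__main__":
    print("unencrypted:", unencrypted_objects(SAMPLE_MANIFEST, SAMPLE_CSV))
    print("summary:", encryption_summary(SAMPLE_MANIFEST, SAMPLE_CSV))
```

Default encryption only affects objects written after it is installed, so a report like this is how you find the objects that predate it and still need to be re-encrypted (for example by copying them in place with the desired SSE option).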
The updates could help prevent data leaks. Some 53% of organizations using cloud storage services like Amazon S3 have unintentionally exposed one or more such services to the public, according to a report from RedLock. One recent data breach at Dow Jones exposed data including names, addresses, and partial credit card numbers from millions of customers, after the company chose the wrong permission settings for its S3 data repository, according to an UpGuard report.