Data has replaced out as the world’s most valuable resource, according to the Economist. And yet, many companies don’t take the most basic steps to safeguard that data.
A case in point: Numerous companies — from Accenture to Verizon — have suffered data leaks amid erroneous Amazon Web Services (AWS) cloud settings. Generally speakings, the leaks involved employees or consultants who didn’t properly set up the cloud accounts.
Now, Amazon is taking steps to eliminate such risks by launching new default settings and capabilities for AWS’s Simple Storage Service (S3). The five new features are designed to make it easier for customers to manage the encryption status and access permission of their S3 buckets, according to Jeff Barr, chief evangelist for AWS.
1. Default Encryption – Customers can now mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted.
This particularly helps those customers that need to meet compliance requirements, according to Barr. “If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using encryption option specified for the bucket,” he writes.
2. Permission Checks – The S3 Console now displays a prominent indicator next to each S3 bucket that is publicly accessible.The combination of bucket policies, bucket ACLs (Access Control List), and Object ACLs gives users more control over access to their buckets and the objects within, Barr asserts.
3. Cross-Region Replication ACL Overwrite – When replicating objects across AWS accounts, customers can now specify that the object gets a new ACL that gives full access to the destination account.
“We’re making this feature even more useful by allowing you to enable replacement of the ACL as it is in transit so that it grants full access to the owner of the destination bucket,” Barr says. “With this change, ownership of the source and the destination data is split across AWS accounts, allowing you to maintain separate and distinct stacks of ownership for the original objects and their replicas.”
4. Cross-Region Replication with KMS – Customers can now replicate objects that are encrypted with keys that are managed by AWS Key Management Service (KMS).
Barr says replicating objects that have been encrypted using SSE-KMS across regions presents a unique challenge. KMS keys are specific to a particular region, so replicating them won’t work. “You can now choose the destination key when you set up cross-region replication. During the replication process, encrypted objects are replicated to the destination over an SSL connection. At the destination, the data key is encrypted with the KMS master key you specified in the replication configuration. The object remains in its original, encrypted form throughout; only the envelope containing the keys is actually changed,” he says.
5. Detailed Inventory Report: The S3 Inventory report now includes the encryption status of each object. The report itself can also be encrypted.
According to Barr, all of the features are available immediately at no extra cost.
We’ll be watching to see if or how the new capabilities reduce or eliminate erroneous user settings that cause data leaks. We’ll also be tracking additional Amazon cloud news at next week’s AWS re:Invent 2017 conference.