Deep Dive on Amazon S3 Security and Management (E2471STG303-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deep Dive on Amazon S3 Security and Management
PD Dutta
Sr. Product Manager
Amazon S3
STG303-R1
Christopher Schultz
Director, Software Engineering
Capital One
Agenda
Amazon Simple Storage Service (Amazon S3) access control mechanisms
Amazon S3 Block Public Access
How Amazon S3 authorizes a request
Amazon S3 encryption
Monitoring security in Amazon S3
Special guest – Chris Schultz, Director, Software Engineering, Capital One
Related sessions
Thursday, Nov 29
STG213-L: Leadership Session: Why AWS Storage for Analysis and Lift-and-Shift Migrations
1:45 p.m. – 2:45 p.m. | Venetian, Level 2, Venetian Theatre
Wednesday, Nov 28
STG379-R3: [REPEAT 3] Chalk Talk: Deep Dive on Security in Amazon S3 & Amazon Glacier
1:00 p.m. – 2:00 p.m. | Aria West, Level 3, Starvine 7
Friday, Nov 30
STG203-R2: [REPEAT 2] Best Practices for Amazon S3 and Amazon Glacier
11:30 a.m. – 12:30 p.m. | Mirage, Montego D
How can I help ensure the files in my Amazon S3 bucket are secure?
• Least privilege is the security best practice
  • Start with a minimum set of permissions
  • Grant additional permissions as necessary
• Defining the right set of permissions requires some research
  • What actions does a particular service support?
  • What is required for the specific task?
  • What permissions are required in order to perform those actions?
Amazon S3 access control mechanisms
• AWS Identity and Access Management (IAM) policies
• Amazon S3 bucket policy
• Amazon S3 access control lists (ACLs)
• Amazon S3 VPCE policy
• Pre-Signed URLs
Let’s start with IAM
[Diagram: 1. Principal – a principal reaches AWS through the AWS Management Console or the API / CLI]
User policy vs. resource policies
IAM user policy
• “What can this user do in AWS?”
• You prefer to keep access control policies in the IAM environment
• Controls all AWS services
Amazon S3 bucket policy
• “Who can access this S3 resource?”
• You prefer to keep access control policies in the S3 environment
• Grant cross-account access to your S3 bucket without using IAM roles
IAM user policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-write-and-read",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::reinventbucket/*"
    }
  ]
}
User policy allows this particular user to PUT and GET objects in reinventbucket.

Amazon S3 bucket policy
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "Allowing Read Permission",
      "Effect": "Allow",
      "Principal": {"AWS": "1111111111"},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::reinventbucket/*"],
      "Condition": {"StringEquals": {"s3:ExistingObjectTag/Project": "X"}}
    }
  ]
}
Bucket policy allows principals from AWS account 1111111111 to read objects from reinventbucket, but the condition limits it to objects that carry a specific tag value (Project = X).
Amazon S3 Access Control Lists (ACLs)
• ACLs can only grant access (they cannot explicitly deny)
• Written in XML format
• Predefined groups such as “All Users” and “Any Authenticated User”
  • Tip: Use caution when granting to these groups
• Finite set of permissions compared to policies
  • For example, READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
• Prefer bucket policies to bucket ACLs
Amazon S3 Virtual Private Cloud Endpoint (VPCE)
Prior to Amazon S3 VPCE
• Public IP on Amazon Elastic Compute Cloud (Amazon EC2) instances and an Internet gateway
• Private IP on Amazon EC2 instances and NAT
Using Amazon S3 VPCE
• Access S3 through the S3 private endpoint without using NAT instances or gateways
• Restrict access to the S3 bucket from outside of the VPC
[Diagram: before, Amazon EC2 instances in the VPC reach Amazon S3 over the Internet through a NAT gateway or an Internet gateway; after, they reach Amazon S3 directly through the VPC endpoint]
Example: Restricting access to a specific bucket
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": {"AWS": "1111111111"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"]
    }
  ]
}
Example: Restricting access to principals in your organization
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "Principals-only-from-my-Org",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringEquals":
      {"aws:PrincipalOrgID": ["o-xxxxxxxxxxx"]}
    }
  }
}
Example: Restricting access to a specific endpoint
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
Pre-signed URLs
• Uses the permissions of the IAM user/role who creates the URL
• To generate a URL, provide your security credentials, a bucket name, an object key, the HTTP method (GET or PUT), and an expiration date and time
• Only valid until the expiration time
• Caution: Anyone with the URL can perform those actions
[Diagram: an EC2 instance in Availability Zone #1 generates the URL; the holder of the URL requests access and performs the Get/Put on the object in S3]
What is public access?
• Any anonymous or overly permissive access is considered public access
• Access control lists (ACLs) with grantees such as
  • All Users – anyone on the Internet
  • Any Authenticated User – anyone with an AWS account
• A bucket policy with overly permissive access, for example
  • { "Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow" }
  • { "Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow", "Condition": { "StringLike": { "aws:SourceVpc": "vpc-*" } } }
    (the wildcard value matches every VPC, so the condition does not actually narrow who can write)
• Any explicit cross-account access IS NOT considered public access
Amazon S3 Block Public Access: API, SDK, CLI, and console
Amazon S3 Block Public Access settings
1. Block new public ACLs and uploading public objects
2. Remove public access granted through public ACLs
3. Block new public bucket policies
4. Block public and cross-account access to buckets that have public policies
Amazon S3 Block Public Access APIs
• PUT PublicAccessBlock
• GET PublicAccessBlock
• DELETE PublicAccessBlock
• GET BucketPolicyStatus
  • Returns whether the bucket policy is public
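The "public" test that the two slides above describe (an Allow to the anonymous principal "*" whose condition, if any, does not narrow the callers; explicit cross-account grants are not public) can be written down as a small classifier. The code below is an added example for this deck, not AWS's implementation of GET BucketPolicyStatus; the set of condition keys treated as scoping the caller (SCOPING_KEYS) is an assumption made for the example, and the sample policies in the demo are taken from the slides.

```python
"""Added example: classify an S3 bucket policy as public using the rules the
slides give.  Not AWS's code; SCOPING_KEYS is an assumption for this example."""

# Condition keys that can narrow a grant to a known set of callers (assumed list).
# Conditions on anything else (object tags, prefixes) do not stop a grant being public.
SCOPING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:principalaccount",
    "aws:principalarn", "aws:userid",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for "*" or {"AWS": "*"}; a specific account ID or ARN is not anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def condition_restricts(condition):
    """True if at least one clause limits the callers to a known set.

    Negated operators (StringNotEquals, ...) say who is excluded, not who is
    allowed, and *IfExists operators are skipped when the key is absent, so
    neither narrows an Allow.  A wildcard value under a *Like operator
    (StringLike aws:SourceVpc "vpc-*") matches every caller: that is the
    second "overly permissive" example on the slide.
    """
    for operator, clauses in (condition or {}).items():
        op = operator.split(":")[-1]          # drop a ForAnyValue:/ForAllValues: prefix
        if "Not" in op or op.endswith("IfExists"):
            continue
        for key, values in clauses.items():
            if key.lower() not in SCOPING_KEYS:
                continue
            for value in _as_list(values):
                matches_everything = value == "*" or ("Like" in op and "*" in str(value))
                if not matches_everything:
                    return True
    return False


def statement_is_public(statement):
    return (
        statement.get("Effect") == "Allow"
        and principal_is_anonymous(statement.get("Principal"))
        and not condition_restricts(statement.get("Condition"))
    )


def policy_is_public(policy):
    """One public statement makes the whole policy public (what BucketPolicyStatus reports)."""
    return any(statement_is_public(s) for s in _as_list(policy.get("Statement", [])))


if __name__ == "__main__":
    # The two examples from the "What is public access?" slide.
    print(policy_is_public({"Statement": {"Principal": "*", "Resource": "*",
                                          "Action": "s3:PutObject", "Effect": "Allow"}}))
    print(policy_is_public({"Statement": {"Principal": "*", "Resource": "*",
                                          "Action": "s3:PutObject", "Effect": "Allow",
                                          "Condition": {"StringLike": {"aws:sourcevpc": "vpc-*"}}}}))
```

Run against the deck's own policies, the aws:PrincipalOrgID example and the aws:sourceVpce Deny come out as not public, while both fragments on the "What is public access?" slide come out as public.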
How does Amazon S3 authorize a request?
• User check – check whether the requester’s parent account granted permission
• Bucket check – check whether the bucket owner granted permission
• Object check – look for an explicit “allow” from the object owner
• Policy enforcement: an explicit deny in any policy overrides any allows
Ex1: Bucket operation requested by the bucket owner
Requester: AWS account 1111-1111-1111 (PD has root credentials for 1111-1111-1111)
Bucket owner: 1111-1111-1111
[Flowchart: request made with root credentials → bucket check → Yes: access granted (authorized); No: access denied]
Ex2: Bucket operation requested by an IAM user whose parent AWS account is also the bucket owner
Requester: PD (IAM user)
PD’s parent account: 1111-1111-1111
Bucket owner: 1111-1111-1111
[Flowchart: PD’s request → user check → bucket check, both under the authority of AWS account 1111-1111-1111 → Yes: access granted (authorized); No: access denied]
Ex3: Bucket operation requested by an IAM user whose parent AWS account is not the bucket owner
Requester: PD
PD’s parent account: 1111-1111-1111
Bucket owner: 2222-2222-2222
[Flowchart: PD’s request → user check (authority: account 1111-1111-1111) → bucket check (authority: account 2222-2222-2222) → Yes: access granted (authorized); No: access denied]
Ex4: Authorization request for an object operation
Requester: PD
PD’s parent account: 1111-1111-1111
Bucket owner: 2222-2222-2222
Object owner: 3333-3333-3333
[Flowchart: PD’s request → user check (authority: 1111-1111-1111) → bucket check (authority: 2222-2222-2222) → object check (authority: 3333-3333-3333) → Yes: access granted (authorized); No: access denied]
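The four scenarios above follow one rule: every account with authority over the request (the requester's parent account, the bucket owner, and for object operations the object owner) must grant it, and an explicit deny anywhere ends the evaluation. The following is an added example that models that rule in code; it is not S3's authorizer. The 12-digit account IDs, ARNs, bucket name and the mapping of ACL permissions to actions are constructed for the example, and identity-policy features such as NotAction or condition keys are deliberately left out.

```python
"""Added example: a simplified model of the user / bucket / object checks from
the slides.  Not S3's code; account IDs, ARNs and ACL_PERMISSIONS are constructed."""
import fnmatch

# ACLs can only grant, never deny.  This mapping of permissions to actions is a simplification.
ACL_PERMISSIONS = {"READ": ["s3:GetObject"], "WRITE": ["s3:PutObject"], "FULL_CONTROL": ["s3:*"]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, fold_case=False):
    if fold_case:  # IAM action names are case-insensitive; resource ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, req):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return any(p in ("*", req["account"], req["arn"], f"arn:aws:iam::{req['account']}:root") for p in aws)


def evaluate_policy(policy, req, resource_policy):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    decision = None
    for st in _as_list(policy.get("Statement", [])):
        if resource_policy and not _principal_matches(st.get("Principal", {}), req):
            continue
        if not any(_glob(a, req["action"], fold_case=True) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, req["resource"]) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny overrides every allow
        decision = "Allow"
    return decision


def evaluate_acl(grants, req):
    """ACL grants can only allow: return 'Allow' or None."""
    for g in grants:
        if g["grantee"] in ("AllUsers", "AuthenticatedUsers", req["account"]):
            if any(_glob(a, req["action"], fold_case=True) for a in ACL_PERMISSIONS[g["permission"]]):
                return "Allow"
    return None


def authorize(req, iam_policies, bucket_owner, bucket_policy, object_owner=None, object_acl=()):
    """User check (parent account's IAM policies; root bypasses them), bucket check
    (bucket owner's policy) and object check (object owner's ACL).  Results are pooled
    per account, so inside one account an IAM allow alone suffices; every account
    involved must allow, and a deny from any of them wins (default is deny)."""
    results = {}
    user = ["Allow"] if req["root"] else [evaluate_policy(p, req, False) for p in iam_policies]
    results.setdefault(req["account"], []).extend(user)
    results.setdefault(bucket_owner, []).append(evaluate_policy(bucket_policy, req, True))
    if object_owner is not None:
        results.setdefault(object_owner, []).append(evaluate_acl(object_acl, req))
    return all("Deny" not in r and "Allow" in r for r in results.values())


BUCKET = "arn:aws:s3:::reinventbucket"   # constructed


def run_examples():
    """Ex1-Ex4 from the slides plus the explicit-deny rule, as booleans."""
    pd = {"account": "111111111111", "arn": "arn:aws:iam::111111111111:user/PD",
          "root": False, "action": "s3:GetObject", "resource": BUCKET + "/report.csv"}
    root = dict(pd, arn="arn:aws:iam::111111111111:root", root=True,
                action="s3:ListBucket", resource=BUCKET)
    iam_allow = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                "Resource": [BUCKET, BUCKET + "/*"]}]}
    no_policy = {"Statement": []}
    grant_1111 = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "111111111111"},
                                 "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
    deny_all = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                               "Resource": BUCKET + "/*"}]}
    read_acl = [{"grantee": "111111111111", "permission": "READ"}]
    return {
        "ex1_root_owner": authorize(root, [], "111111111111", no_policy),
        "ex2_same_account_user": authorize(pd, [iam_allow], "111111111111", no_policy),
        "ex3_cross_account": (authorize(pd, [iam_allow], "222222222222", no_policy),
                              authorize(pd, [iam_allow], "222222222222", grant_1111)),
        "ex4_object_owner": (authorize(pd, [iam_allow], "222222222222", grant_1111, "333333333333", []),
                             authorize(pd, [iam_allow], "222222222222", grant_1111, "333333333333", read_acl)),
        "explicit_deny_wins": authorize(pd, [iam_allow], "111111111111", deny_all),
    }
```

In Ex3 the request fails until the bucket owner (2222) grants account 1111 in its bucket policy, and in Ex4 it still fails until the object owner (3333) grants READ in the object ACL; a Deny in the bucket policy overrides the IAM allow even inside the same account.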
Managing cross-account access in Amazon S3
[Diagram: a bucket in Account A, reached through AccountARole]
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::AccountA:role/AccountARole"
  }
}
Users in other accounts assume AccountARole
Cross-region replication – Ownership Override
For business continuity, you can use the Object Ownership Override to separate the access control of source objects and replicated objects, so the source object owners cannot read, update, or delete the replicated objects in the destination.
[Diagram: the source bucket owner owns the object; the destination bucket owner owns the replica; the override of access control maintains two different stacks of ownership]
Amazon S3 encryption support
Server-Side Encryption
• SSE-S3 (Amazon S3 managed keys)
• SSE-KMS (AWS Key Management Service)
• SSE-C (customer-provided keys)
Client-Side Encryption
• The user encrypts the data on the client side and uploads it to Amazon S3
[Diagram: data travels to Amazon S3 over HTTPS/TLS]
Server-Side Encryption with AWS KMS
Two-tiered key hierarchy using envelope encryption
• Customer master keys encrypt data keys
• A unique data key encrypts each customer object
Benefits
• Limits the risk of a compromised data key
• Easier to manage a small number of master keys than billions of data keys
• Centralized access control and audit of key activity
• Better performance for encrypting large data
[Diagram: customer master keys wrap data keys 1–4; each data key encrypts one Amazon S3 object]
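The two-tier hierarchy on this slide is easiest to see end to end in code. The block below is an added example, not AWS's or S3's implementation: MasterKeyService stands in for AWS KMS (the master key never leaves it, every key operation is recorded, and a data key is bound to an encryption context), and because the standard library ships no AES, _seal/_open are a keyed-hash stream cipher with a MAC that stands in for the AES-GCM KMS and S3 actually use. Using the bucket ARN as the encryption context, the bucket name and the object bodies are assumptions made for the example.

```python
"""Added example: envelope encryption as SSE-KMS uses it, standard library only.
MasterKeyService is a stand-in for AWS KMS; _seal/_open are a stand-in for AES-GCM."""
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) XORed over data."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _seal(key, plaintext, aad):
    """Encrypt-then-MAC with separate derived keys; aad is authenticated, not encrypted."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob, aad):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, wrong context, or tampered data")
    return _keystream_xor(enc_key, nonce, ct)


class MasterKeyService:
    """Stand-in for AWS KMS: the customer master key never leaves this object, every
    key operation is recorded (centralized audit), and a data key can only be
    unwrapped under the encryption context it was generated for."""

    def __init__(self):
        self._cmk = os.urandom(32)
        self.audit = []

    def generate_data_key(self, context):
        data_key = os.urandom(32)                     # a fresh key for every object
        self.audit.append(("GenerateDataKey", context))
        return data_key, _seal(self._cmk, data_key, context.encode())

    def decrypt_data_key(self, wrapped, context):
        self.audit.append(("Decrypt", context))
        return _open(self._cmk, wrapped, context.encode())


def put_object(kms, bucket, body):
    """Encrypt body under a unique data key; store only the wrapped key beside it."""
    context = f"arn:aws:s3:::{bucket}"               # assumed: bucket ARN as the KMS context
    data_key, wrapped = kms.generate_data_key(context)
    stored = {"wrapped_key": wrapped, "ciphertext": _seal(data_key, body, b"")}
    del data_key                                     # plaintext data key is discarded after use
    return stored


def get_object(kms, bucket, stored):
    data_key = kms.decrypt_data_key(stored["wrapped_key"], f"arn:aws:s3:::{bucket}")
    return _open(data_key, stored["ciphertext"], b"")


def demo():
    kms = MasterKeyService()
    a = put_object(kms, "reinventbucket", b"report for project X")
    b = put_object(kms, "reinventbucket", b"report for project X")
    # Same plaintext, different data keys: a compromised key exposes one object only.
    distinct_keys = a["wrapped_key"] != b["wrapped_key"]
    round_trip = get_object(kms, "reinventbucket", a) == b"report for project X"
    try:                                             # wrapped key cannot be moved to another bucket
        get_object(kms, "otherbucket", a)
        wrong_context_rejected = False
    except ValueError:
        wrong_context_rejected = True
    return {"distinct_keys": distinct_keys, "round_trip": round_trip,
            "wrong_context_rejected": wrong_context_rejected,
            "audit_ops": [op for op, _ in kms.audit]}
```

The audit list is the point of the "centralized access and audit" bullet: every GenerateDataKey and Decrypt call is visible in one place, even the failed unwrap under the wrong context.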
Amazon S3 default encryption
Provides S3 encryption-at-rest support for applications that do not otherwise support encrypting data in Amazon S3
• One-time bucket-level setup
• Automatically encrypts all new objects
• Supports SSE-S3 and SSE-KMS
• Simplified compliance
Monitoring Amazon S3 security settings
• Bucket access control view in the S3 console
• Trusted Advisor
• Amazon Macie
• AWS Config rules
  • s3-bucket-public-read-prohibited
  • s3-bucket-public-write-prohibited
Monitoring Amazon S3 security settings (continued)
• AWS CloudTrail
• Amazon S3 Inventory – object encryption status
• Amazon S3 server access logs
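Server access logs are only useful once something reads them. As an added example (not part of the talk), the block below parses lines in the documented S3 server access log field order and applies three defender-side rules that follow from the rest of this deck: a successful request from the anonymous requester ("-") means public access is actually being used, a change to an ACL or bucket policy is a change to who can reach the data, and a burst of AccessDenied responses from one caller is worth a look. The log lines, the bucket owner ID, request IDs and IP addresses are constructed placeholders, and the set of access-control operations (ACCESS_CONTROL_OPS) is an assumption for the example.

```python
"""Added example: parse S3 server access log lines and flag security-relevant events.
Sample lines, IDs and IPs are constructed; ACCESS_CONTROL_OPS is an assumed set."""
import re
from collections import Counter

# Documented field order of an S3 server access log record (first 18 fields).
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent", "version_id"]

# A field is a bracketed timestamp, a quoted string, or a run of non-space characters.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Operations that change who can reach the bucket or its objects (assumed for this example).
ACCESS_CONTROL_OPS = {"REST.PUT.ACL", "REST.PUT.BUCKETPOLICY", "REST.DELETE.BUCKETPOLICY"}

# Constructed sample log: a normal upload, an anonymous download, an ACL change,
# and three denied reads from the same caller.
SAMPLE_LOG = """\
OWNERID reinventbucket [28/Nov/2018:17:05:01 +0000] 192.0.2.10 arn:aws:iam::111111111111:user/PD REQ001 REST.PUT.OBJECT report.csv "PUT /reinventbucket/report.csv HTTP/1.1" 200 - - 1024 12 10 "-" "aws-cli/1.16" -
OWNERID reinventbucket [28/Nov/2018:17:06:44 +0000] 198.51.100.7 - REQ002 REST.GET.OBJECT report.csv "GET /reinventbucket/report.csv HTTP/1.1" 200 - 1024 1024 8 7 "-" "curl/7.61" -
OWNERID reinventbucket [28/Nov/2018:17:07:02 +0000] 192.0.2.10 arn:aws:iam::111111111111:user/PD REQ003 REST.PUT.ACL - "PUT /reinventbucket?acl HTTP/1.1" 200 - - - 15 14 "-" "S3Console/0.4" -
OWNERID reinventbucket [28/Nov/2018:17:08:13 +0000] 203.0.113.9 arn:aws:iam::222222222222:user/scan REQ004 REST.GET.OBJECT secret.txt "GET /reinventbucket/secret.txt HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.20" -
OWNERID reinventbucket [28/Nov/2018:17:08:14 +0000] 203.0.113.9 arn:aws:iam::222222222222:user/scan REQ005 REST.GET.OBJECT keys.txt "GET /reinventbucket/keys.txt HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.20" -
OWNERID reinventbucket [28/Nov/2018:17:08:15 +0000] 203.0.113.9 arn:aws:iam::222222222222:user/scan REQ006 REST.GET.OBJECT backup.sql "GET /reinventbucket/backup.sql HTTP/1.1" 403 AccessDenied - - 3 - "-" "python-requests/2.20" -
"""


def parse_line(line):
    """Split one record into named fields; extra trailing fields are ignored."""
    record = dict(zip(FIELDS, TOKEN.findall(line)))
    record["time"] = record["time"].strip("[]")
    for quoted in ("request_uri", "referer", "user_agent"):
        record[quoted] = record[quoted].strip('"')
    return record


def detect(log_text, denied_threshold=3):
    """Return (rule, detail) findings for the three rules described in the lead-in."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for r in records:
        if r["requester"] == "-" and r["http_status"].startswith("2"):
            findings.append(("anonymous-access-succeeded",
                             f"{r['operation']} {r['key']} from {r['remote_ip']}"))
        if r["operation"] in ACCESS_CONTROL_OPS:
            findings.append(("access-control-changed", f"{r['operation']} by {r['requester']}"))
    denied = Counter((r["remote_ip"], r["requester"]) for r in records
                     if r["error_code"] == "AccessDenied")
    for (ip, who), n in denied.items():
        if n >= denied_threshold:
            findings.append(("repeated-access-denied", f"{n} denials for {who} from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

The anonymous-access rule is the runtime counterpart of the Block Public Access settings: the Config rules say a bucket is public, the log says whether anyone unauthenticated is actually reading or writing it.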
Capital One
Christopher Schultz
Director, Software Engineering
Capital One
Who is Capital One?
• Established: 1994
• Number of Associates: 49,300
• Total Assets: $365.7 billion
• Total Deposits: $243.7 billion
• Total Revenues FY 2017: $27.2 billion
• Fortune 500: 100
• Number of Volunteer Hours: More than 403,000 hours volunteered in 2017
• Number of customer accounts: More than 70 million
• 8th Largest U.S. Bank: By deposits
• 3rd Largest Credit Card Issuer
• Largest financial institution auto loan originator
• Largest U.S. Direct Bank
• 3rd Largest Issuer of Small Business credit cards in the U.S.
Capital One is a leading information-based technology company that is on a mission to help its customers succeed by bringing ingenuity, simplicity, and humanity to banking.
Capital One is cloud first
Why Amazon S3?
Some use cases of Amazon S3 can be a bit tricky
Public ACLs
How to “PCI” with Amazon S3
[Diagram: AWS Account A, AWS Account B, and AWS Account C; a data tokenizer produces tokenized PCI data that is consumed by analytics]
How to “PCI” with Amazon S3 (the wrong way)
[Diagram: the same three accounts (A, B, C), data tokenizer, tokenized PCI data, and analytics]
How to “PCI” with Amazon S3 (the ACL way)
[Diagram: the same three accounts (A, B, C), data tokenizer, tokenized PCI data, and analytics]
How to “PCI” with Amazon S3 (the right way)
[Diagram: the same three accounts (A, B, C), data tokenizer, tokenized PCI data, and analytics, with writes going through an S3Writer role]
Let’s recap some of the best practices
• Always follow the principle of least privilege
• Most use cases don’t require public access – recommend turning on the Amazon S3 Block Public Access settings
• Authorization: all decisions start at Deny
• Authorization: an explicit Deny will override any allows
• Use default encryption to protect your data
• Monitor and audit your data with tools such as AWS Trusted Advisor, AWS Config, AWS CloudTrail, and S3 Inventory
Thank you!
PD Dutta
Christopher Schultz