AWS Securing Storage Services - cloud computing security - summary CH3

Securing Storage Services

• the second most common resource everyone talks about is storage → from object storage to block storage to file storage
• block storage → instance attached storage
• storage services used to store our data
• threats that might impact data when it is stored in the cloud :
1. Unauthorized access
2. Data leakage
3. Data exfiltration
4. Data loss
• best practice → follow countermeasures when storing data in the cloud :
1. Access-control lists (ACLs) and Identity and Access Management (IAM) used for access restriction.
• Note: Implementation varies among cloud providers.
2. Encryption applied to data in transit and at rest for confidentiality.
3. Auditing employed to log data access and actions (uploads, downloads, updates, deletions).
4. Backups and snapshots implemented for data recovery.
• Enables restoration of deleted data or return to previous versions (e.g., in ransomware events).

Technical requirements

1. Object Storage (AWS S3):
• Example: Think of AWS S3 like a super organized digital warehouse. Each item you store (like photos or files) gets its own special label (URL), making it easy to find whenever you need it.
2. File Storage (AWS EFS):
• Example: AWS EFS is like a digital shared folder that multiple computers (EC2 instances) can access at the same time. It's great for collaborative work, where everyone needs to share and use the same files, just like a shared drive.
3. Block Storage (AWS EBS):
• Example: AWS EBS is like having digital building blocks that you can attach to your computer (EC2 instance). You can format these blocks any way you want, making them perfect for specific applications, like creating a digital puzzle.

• Object storage is designed for storing data.
• Files or objects are kept in buckets, which serve as logical containers.
• Access to object storage is achieved through HTTP(S) protocol API, web command-line tools, or SDK tools.
• Object storage It is not suitable for storing operating systems or databases

Storage Types

Securing Amazon Simple Storage Service

• Amazon Simple Storage Service (Amazon S3) → is the Amazon object storage service.
• AWS employs ACLs (Access Control Lists) to control access to S3 buckets.
• Consider these methods for authentication and authorization when working with Amazon S3.
1. IAM policies: define permissions for specific identities such as users, groups, or roles, specifying allowed or denied actions.
2. bucket policies: set permissions at the S3 bucket level, affecting all objects within the bucket.
3. S3 access points: This gives you the ability to grant access to S3 buckets to a specific group of users or applications

Best practices for conducting authentication and authorization for Amazon S3

1. Establish IAM groups and assign required permissions for S3 buckets, managing user access efficiently.
2. Utilize IAM roles for services requiring access to S3 buckets, ensuring secure access for applications or non-human identities.
3. Apply restrictions on IAM users/groups, limiting access to specific S3 buckets instead of employing broad wildcard permissions.
4. Remove default bucket owner access permissions to enhance security for S3 buckets.
5. Implement IAM policies for applications or service-linked roles needing access to S3 buckets.
6. Enable Multi-Factor Authentication (MFA) delete for S3 buckets to prevent accidental object deletions.
7. Adhere to the principle of least privilege by granting minimal permissions to specific identities on designated resources.
8. Use bucket ACL's write permissions for the Amazon S3 log delivery group to facilitate access log writing → (for further analysis)
9. Implement S3 object lock for long-term data retention, safeguarding against accidental deletion in compliance with regulatory requirements.
10. Apply Amazon S3-Managed Encryption Keys (SSE-S3) for encrypting data at rest
11. Employ Customer-Provided Encryption Keys (SSE-C) for additional encryption in sensitive environments

Best practices for securing network access to Amazon S3

• Amazon S3 → it is located outside the customer's Virtual Private Cloud (VPC)

1. Keep all Amazon S3 buckets private unless there is a specific business requirement for public data sharing (static web hosting).
2. Secure access from your Virtual Private Cloud (VPC) to Amazon S3 using AWS Private Link to keep traffic within the AWS backbone through a secure channel via the interface's VPC endpoint.
3. For sensitive environments, use bucket policies to enforce access to an S3 bucket from a specific VPC endpoint or a specific VPC
4. Use bucket policies to enforce the use of transport encryption (HTTPS only).
5. In sensitive environments, employ bucket policies to ensure a minimum TLS version of 1.2 for enhanced security.
6. Implement SSE-S3 for encrypting data at rest.

Best practices for conducting auditing and monitoring for Amazon S3

• Auditing is a crucial part of data protection
• AWS allows you to enable logging and auditing using two built-in services
1. Amazon Cloud Watch: Service for logging object storage activities and triggering alarms based on predefined events (excessive delete actions).
2. AWS Cloud Trail: Service for monitoring API activities, covering any action executed on Amazon S3.

1. Enable Amazon Cloud Watch alarms to detect excessive S3 usage, such as high volumes of GET, PUT, or DELETE operations on a specific S3 bucket.
2. Activate AWS Cloud Trail for every S3 bucket to log all activities performed on Amazon S3 by users, roles, or AWS services.
3. Restrict access to Cloud Trail logs to a minimal number of employees, preferably those with AWS management accounts, to prevent unauthorized changes to audit logs.
4. Enable S3 server access logs to record all access activities as complimentary to AWS Cloud Trail API-based logging → future forensics.
5. Utilize Access Analyzer for S3 to identify S3 buckets with public access or those accessible from external AWS accounts.
6. Implement file integrity monitoring to ensure files remain unchanged.
7. Enable object versioning to prevent accidental deletion and enhance protection against ransomware.
1. Object versioning is a means of keeping multiple variants of an object in the same Amazon S3 bucket. Versioning provides the ability to recover from both unintended user actions and application failures.
8. Use Amazon S3 inventory to monitor the status of S3 bucket replication, including encryption on both the source and destination buckets.
1. Amazon S3 Inventory helps you manage your storage by creating lists of the objects in an S3 bucket on a defined schedule.

Securing block storage

• Block storage is a storage scheme like the on-premises Storage Area Network (SAN)
• A Storage Area Network (SAN) is a network of storage devices that can be accessed by multiple servers or computers, providing a shared pool of storage space.
• It allows you to mount a volume (disk)
• format it to a common filesystem (NTFS for Windows - Ext4 for Linux), and store various files, databases, or entire operating systems.

Best practices for securing Amazon Elastic Block Store

• Amazon Elastic Block Store (Amazon EBS) is the AWS block storage
• Attach additional volumes, referred to as block storage, to EC2 instances for storing data separately from the operating system.
• Amazon EBS (Elastic Block Store) can be linked to a single EC2 instance and accessed from within the operating system.
• Traffic between EC2 instances and attached EBS volumes is automatically encrypted in transit, with configuration and control handled by AWS.

• Volume snapshots are like taking a photo of all the files and data in a storage space at a particular moment. If something goes wrong or changes need to be undone, you can go back to that snapshot, restoring everything to how it was when the picture was taken

1. Enable default encryption for each region where EC2 instances are intended to be deployed.
2. Ensure encryption for both boot and data volumes associated with EC2 instances.
3. Encrypt each EBS volume during its creation process.
4. Encrypt EBS volume snapshots for enhanced security.
5. Utilize AWS Config to identify unattached EBS volumes.
6. Implement IAM policies to specify permissions for attaching, detaching, or creating snapshots for EBS volumes, → reducing the risk of data exfiltration.
7. Avoid configuring public access to EBS volume snapshots, ensuring encryption for all snapshots.
8. In highly sensitive environments, employ the customer master key (CMK) for encrypting EBS volumes.
9. Assign names and descriptions to EBS volumes for improved identification of associations with specific EC2 instances.
10. Utilize tagging (labeling) for EBS volumes to enhance understanding regarding their connections to specific EC2 instances.

Securing file storage

• File storage is a piece of storage such as the on-premises network-attached storage (NAS).
• Network-attached storage (NAS) is a file-dedicated storage device that makes data continuously available for employees to collaborate effectively over a network.
• basic idea of file storage are described as follows:
1. Support common file sharing protocols like NFS and SMB/CIFS.
2. Allow the mounting of a volume from a managed file service into an operating system for storing and retrieving files in parallel across multiple VMs.
3. Provide control over access permissions to the remote file system.
4. Enable automatic filesystem growth for scalability

Securing Amazon Elastic File System

• Amazon Elastic File System (Amazon EFS) is the Amazon file storage service → based on the NFS protocol
• Best practices for conducting authentication and authorization for Amazon EFS: AWS IAM to manage permissions to access Amazon EFS.

1. Avoid using the AWS root account for accessing AWS resources like Amazon EFS.
2. Create an IAM group, add users to that group, and grant necessary permissions on the target Amazon EFS to the IAM group.
3. Utilize IAM roles for federated users, AWS services, or applications requiring access to Amazon EFS.

Best practices for conducting authentication and authorization for Amazon EFS

1. Use IAM policies for minimal permissions on EFS tasks.
2. Specify conditions in IAM policies (e.g., source IP) for added control.
3. Employ resource-based policies to configure access control for EFS volumes → mount, read, write

Best practices for securing network access to Amazon EFS

• EFS → it is located outside the customer's VPC

1. Keep Amazon EFS private across all storage classes.
2. Utilize VPC security groups to manage access between Amazon EC2 machines and EFS mount volumes.
3. Secure VPC access to Amazon EFS using AWS Private Link to keep network traffic within the VPC through a secure channel.
4. Manage application access to EFS volumes using Amazon EFS access points.
5. Grant temporary access to Amazon EFS using AWS Security Token Service (STS).
6. Enforce encryption at rest for Amazon EFS filesystems using IAM policies, setting elasticfilesystem:Encrypted to True.
7. Use the EFS mount helper to mandate encryption in transit using TLS version 1.2 in sensitive environments.
8. Encrypt data at rest using AWS-managed Customer Master Key (CMK) for Amazon EFS.
9. For sensitive environments, encrypt data at rest using a Customer Master Key (CMK).

Best practices for conducting auditing and monitoring for Amazon EFS

1. Activate Amazon Cloud Watch alarms for monitoring excessive EFS usage.
2. Implement AWS Cloud Trail to log all API activities on EFS volumes.
3. Create Cloud Trail trails for detailed event logging on EFS volumes.
4. Restrict access to Cloud Trail logs to a minimum number of authorized employees ( management account ) to avoid possible deletion or changes to the audit logs.

Securing the CSI

• Container Storage Interface (CSI) is a standard driver facilitating connections between container orchestration systems like Kubernetes and block/file storage across different cloud providers.
• Amazon Elastic Kubernetes Service (EKS) supports a CSI driver for various storage types on AWS:
1. Block storage: EBS (Elastic Block Store)
2. Managed NFS: EFS (Elastic File System)
3. Parallel filesystem for HPC workloads: Amazon FSx for Lustre

Securing CSI on AWS

1. In IAM policies for CSI drivers, specify storage resource names instead of using wildcards.
2. Use IAM roles for service accounts to restrict pod access.
3. Keep CSI drivers updated to the latest version for chosen storage types.
4. For EBS CSI driver, ensure encryption by setting "encrypted" to True and specifying Amazon KMS key ID (KmsKeyId) in the YAML configuration file.