Cloud Security, Data Security

AWS says it will now encrypt S3 buckets by default

AWS logo above an expo hall for AWS re:Invent
Attendees walk through an expo hall during AWS re:Invent 2022 in Las Vegas. (Photo by Noah Berger/Getty Images for Amazon Web Services)

Amazon Web Services (AWS) announced a new policy that moving forward, AWS would encrypt all new simple storage service (S3) buckets by default — a move security analysts said could potentially alleviate the ongoing trend of S3 buckets being openly exposed on the public Internet.

AWS said in a Jan. 5 blog that S3 buckets that do not use default encryption will now automatically apply server-side encryption (SSE-S3) — first launched in 2011 — as the default setting. Existing buckets currently using S3 default encryption will not change.

Jack Poller, a senior analyst at Tech Target’s Enterprise Strategy Group, explained that regardless of how someone gets access to data in S3, encrypting the data ensures that any exfiltrated data is unusable. Poller said the challenge with data encryption — and why AWS may not have made this the default until now — is managing encryption keys.

“You don’t want to use the same key for your entire organization in case the key is compromised or lost, potentially exposing all your data,” Poller said. “Instead, organizations want to have unique keys for every data store in their environment, limiting exposure. If a key gets compromised, the team wants to quickly generate a new key and re-encrypt data to maintain the security of the data. Organizations with a large cloud footprint may have hundreds of S3 buckets, and hundreds of keys. Plus, many more keys for databases, and other data stores. So key management becomes a crucial part of a data security practice.”

Davis McCarthy, principal security researcher at Valtix, added that AWS has now provided a transparent way to encrypt all data as it arrives to S3, encrypting the newly created keys with a master key that’s in possession of the user.

“The number of data breaches stemming from publicly accessible S3 buckets has been a sad trend in cloud computing, and where data encryption has proven difficult for some developers to effectively implement, this feature forces security upon the users who have traditionally failed to secure access to their cloud storage,” McCarthy said.

Claude Mandy, chief evangelist, data security at Symmetry Systems, said the default application of SSE-S3 comes as welcome news from a compliance perspective for many organizations, which no longer need to worry about the effort and overhead to enable this checkbox. “Security teams should use the additional bandwidth created to focus on securing their data in more effective ways, such as through data security posture management," said Mandy.

Related

LockBit-leaked DC city agency data from third party

Washington, D.C.'s Department of Insurance, Securities and Banking has disclosed that 800GB of data claimed to have been stolen by the LockBit ransomware operation was obtained from an attack against third-party software provider Tyler Technologies following the ransomware gang's threats to expose 1GB of the exfiltrated data to coerce the agency into providing the demanded ransom, reports The Record, a news site by cybersecurity firm Recorded Future.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.