Amazon Web Services (AWS) announced a new policy that moving forward, AWS would encrypt all new simple storage service (S3) buckets by default — a move security analysts said could potentially alleviate the ongoing trend of S3 buckets being openly exposed on the public Internet.
AWS said in a Jan. 5 blog that S3 buckets that do not use default encryption will now automatically apply server-side encryption (SSE-S3) — first launched in 2011 — as the default setting. Existing buckets currently using S3 default encryption will not change.
Jack Poller, a senior analyst at Tech Target’s Enterprise Strategy Group, explained that regardless of how someone gets access to data in S3, encrypting the data ensures that any exfiltrated data is unusable. Poller said the challenge with data encryption — and why AWS may not have made this the default until now — is managing encryption keys.
“You don’t want to use the same key for your entire organization in case the key is compromised or lost, potentially exposing all your data,” Poller said. “Instead, organizations want to have unique keys for every data store in their environment, limiting exposure. If a key gets compromised, the team wants to quickly generate a new key and re-encrypt data to maintain the security of the data. Organizations with a large cloud footprint may have hundreds of S3 buckets, and hundreds of keys. Plus, many more keys for databases, and other data stores. So key management becomes a crucial part of a data security practice.”
Davis McCarthy, principal security researcher at Valtix, added that AWS has now provided a transparent way to encrypt all data as it arrives to S3, encrypting the newly created keys with a master key that’s in possession of the user.
“The number of data breaches stemming from publicly accessible S3 buckets has been a sad trend in cloud computing, and where data encryption has proven difficult for some developers to effectively implement, this feature forces security upon the users who have traditionally failed to secure access to their cloud storage,” McCarthy said.
Claude Mandy, chief evangelist, data security at Symmetry Systems, said the default application of SSE-S3 comes as welcome news from a compliance perspective for many organizations, which no longer need to worry about the effort and overhead to enable this checkbox. “Security teams should use the additional bandwidth created to focus on securing their data in more effective ways, such as through data security posture management,” said Mandy.