The first week of August was dedicated to re:Inforce, a two-day annual AWS conference where security and encryption announcements take the stage. Kurt Kufeld, Vice President Platform AWS, closed the first keynote with three AWS encryption calls to action. At a time when quantum computing looks like it might soon obliterate our current encryption methods, it is still important to make sure your security practices cover the basics.
1. Encrypt everything
For us, this is the most natural thing in the world, but we still see it not being applied by everyone. All AWS services that store data support encryption of data at rest, and almost all of them support keys that you (as the customer) control. There is no excuse not to encrypt your data, and it saves you a ton of problems when things inevitably get out of control.
2. Turn on Block Public Access in S3
If you don’t need public access to your S3 bucket, please turn this feature on. In the words of Kurt: it will save your life. Currently, new S3 buckets and access points don’t allow public access by default. However, policies can be modified by others at a later stage. To check whether your buckets still block all public access, use tools such as AWS IAM Access Analyzer, which is powered by automated reasoning, or Amazon Macie to find out which buckets allow it, in case you really need it. But if you don’t, S3 Block Public Access will make sure that the contents of the bucket stay restricted to anyone outside of your account.
3. Enable Multi-Factor Authentication
As with any service that requires authentication nowadays, make sure to enable MFA on your AWS root account and users, as it will drastically level up your security. For a relatively simple solution, it’s still one of the best ways to add an additional layer of security before anyone can access the cloud. If you were to lose your credentials in a leak or other breach event, malicious parties would still not be able to access your account without the second factor. If nothing else, please do so today! And if you’re operating from the US, free hardware MFA security keys are now easier to request for customers. You can order yours on the portal: https://aws.amazon.com/blogs/security/eligible-customers-can-now-order-a-free-mfa-security-key/
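As an added example (not code from the original post or from AWS), here is an offline audit of the three calls to action. It runs against constructed samples shaped like the AWS API responses you would get from GetPublicAccessBlock, GetBucketPolicy, GetCredentialReport and GetBucketEncryption; the bucket name, account ID and user names are made up.

```python
import csv
import io
import json

# Constructed samples, shaped like the AWS API responses these checks consume.
# s3:GetPublicAccessBlock -> one of the four settings was left off.
PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
       "BlockPublicPolicy": False, "RestrictPublicBuckets": True}
# s3:GetBucketPolicy -> a policy someone edited later to open the bucket to everyone.
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
# iam:GetCredentialReport -> CSV trimmed to the columns used here (account ID is fictitious).
REPORT = ("user,arn,mfa_active\n"
          "<root_account>,arn:aws:iam::123456789012:root,false\n"
          "alice,arn:aws:iam::123456789012:user/alice,true\n"
          "bob,arn:aws:iam::123456789012:user/bob,false\n")
# s3:GetBucketEncryption -> SSE-S3 default, i.e. no customer-controlled KMS key.
ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def missing_block_settings(pab):
    """Return the Block Public Access settings that are not enabled (all four should be)."""
    return [k for k in PAB_SETTINGS if not pab.get(k, False)]

def public_statements(policy_json):
    """Return Allow statements open to any principal and not narrowed by a Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    found = []
    for s in stmts:
        p = s.get("Principal")
        p = p.get("AWS") if isinstance(p, dict) else p  # {"AWS": "*"} is also public
        wildcard = "*" in p if isinstance(p, list) else p == "*"
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            found.append(s)
    return found

def principals_without_mfa(report_csv):
    """Return users (root included) whose credential report row has mfa_active != true."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows if r["mfa_active"].lower() != "true"]

def default_encryption(cfg):
    """Return (algorithm, KMS key ID or None); (None, None) means no default encryption."""
    for rule in cfg.get("Rules", []):
        d = rule.get("ApplyServerSideEncryptionByDefault", {})
        if d.get("SSEAlgorithm"):
            return d["SSEAlgorithm"], d.get("KMSMasterKeyID")
    return None, None
```

In a real audit the same functions are fed the live responses from boto3 per bucket and per account; a non-empty result from the first three, or a missing KMS key from the fourth, is the finding to act on.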
Security in the cloud can be a complex practice. However, as Kurt mentioned, the biggest breaches are sometimes caused by the simplest mistakes. Make sure you and your cloud team are aware of these best practices and help each other stay safe in the cloud. Learn more from our other security content. Or, if you need a hand to get started with security on AWS, reach out to us directly for Security Review or Assessment!