Innovation Series

Amazon S3 Security Part 1: Archiving Sensitive Data

Aashish Aacharya (AJ), Senior Cloud Security Engineer

In the previous blog post, we explained why Amazon S3 can be used to store sensitive data to satisfy an organization’s security and compliance needs. In this first part of the five-part series, we discuss how to use Amazon S3 for data archival. We will walk you through the relevant Amazon S3 features:

  • Amazon S3 versioning and MFA delete
  • Amazon S3 lifecycle policy
  • Amazon S3 write-once-read-many (WORM), using Amazon S3 Glacier Vault Lock and Amazon S3 Object Lock

Amazon S3 versioning 

Amazon S3 versioning keeps multiple versions of an object in the same bucket, so you can preserve, retrieve, and restore every version of every object stored in the bucket and recover from accidental deletion or overwriting. By default, versioning is disabled on a bucket and you must enable it explicitly; note that once a bucket has been versioned it can only be suspended, never returned to the unversioned state. To enable versioning on an Amazon S3 bucket:

First, sign into the AWS management console and go to the Amazon S3 console. In the Buckets list, choose the name of the bucket that you want to enable versioning for. Next, select Properties. For example:

s3_versioning_example

Next, under Bucket Versioning, choose Edit. Next, choose Enable, and Save changes.

s3_edit_bucket_versioning

Enforce MFA (Multi-Factor Authentication) delete

For protection against accidental deletion, or in the event that your security credentials are compromised, you can add another layer of security by enabling MFA delete on a versioned bucket. With MFA delete on, the bucket owner must present two forms of authentication, the normal signing credentials plus a one-time code from the MFA device, to permanently delete an object version or to change the versioning state of the bucket. The bucket owner, the AWS account that created the bucket (root account), and all authorized IAM users can enable versioning, but only the bucket owner’s root account can enable MFA delete, and it must use the root account’s MFA device. IAM supports three kinds of MFA device: FIDO-certified hardware security keys (for example Yubico keys), virtual TOTP authenticator apps (Twilio Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator, and so on), and hardware TOTP tokens (key fobs). MFA delete needs a device that displays a code, because the request carries the device serial number followed by the current six-digit code (the x-amz-mfa header); a FIDO security key produces no such code, so it cannot be used for MFA delete.

Available MFA device options (IAM console):

s3_manage_mfa_device

Let’s take an example of Amazon S3 MFA delete. To start, I have an Amazon S3 bucket with neither versioning nor MFA delete enabled, and MFA already enabled for my root user.

aws_s3_mfa_delete

Next, let’s set up MFA delete using the AWS CLI. (Note: MFA delete can be enabled only through the AWS CLI, the REST API, or an AWS SDK, using the root account’s credentials and MFA device; the AWS console cannot enable it.)

s3_bucket_versioning
aws_delete_demo_s3

Next, if you attempt to permanently delete an object version (a delete request that names a version ID) without supplying a valid MFA value, Amazon S3 rejects the request with an error.

s3_delete_objects_error

Additionally, you can use a bucket policy to require (enforce) MFA with the aws:MultiFactorAuthAge condition key. When Amazon S3 receives a request made with temporary credentials that were obtained using MFA, aws:MultiFactorAuthAge carries a numeric value: the number of seconds since that temporary credential was created. If the temporary credential was not created using an MFA device, the key is null, that is, absent from the request context. Two consequences matter when you write the policy: a NumericGreaterThan condition on the key does not match at all when the key is absent, so a Deny statement that only checks the age lets non-MFA requests through and you need a separate Null condition to catch them; and long-term access keys never carry the key, so a policy built on it effectively forces callers to use MFA-backed STS sessions. The following example bucket policy adds a condition that checks this value:

bucket_policy_s3

If I attempt to access the bucket with a session that was not authenticated with MFA, the request is denied. (The aws:MultiFactorAuthAge key is absent when MFA was not used.)

s3_mfa_delete_permissions_error
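The following is an added example, not code from the original post, that puts the MFA delete steps and the bucket policy above into working boto3 calls. It assumes a boto3 S3 client is passed in as s3 (the MFA delete calls must run under the root account’s credentials); the bucket name, MFA device ARN and the one-hour session limit are placeholders, and the matching_deny function is a local model of how the two policy conditions evaluate, not S3’s own evaluator.

```python
"""MFA delete and an MFA-enforcing bucket policy for an S3 bucket.

Added example, not code from the original post. ``s3`` is a boto3 S3 client
passed in by the caller (the MFA delete calls must run under the root
account's credentials); bucket name and MFA device ARN are placeholders.
"""
import json

MFA_MAX_AGE_SECONDS = 3600   # deny work done with an MFA session older than one hour


def mfa_token(mfa_serial, mfa_code):
    """Value S3 expects for MFA delete: device serial (ARN for a virtual
    device), one space, then the six-digit code currently displayed."""
    return f"{mfa_serial} {mfa_code}"


def enable_mfa_delete(s3, bucket, mfa_serial, mfa_code):
    """Versioning and MFA delete are set together through PutBucketVersioning."""
    return s3.put_bucket_versioning(
        Bucket=bucket,
        VersioningConfiguration={"Status": "Enabled", "MFADelete": "Enabled"},
        MFA=mfa_token(mfa_serial, mfa_code))


def delete_version_with_mfa(s3, bucket, key, version_id, mfa_serial, mfa_code):
    """Permanent delete of one version; without the MFA value S3 rejects it."""
    return s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id,
                            MFA=mfa_token(mfa_serial, mfa_code))


def mfa_bucket_policy(bucket, actions="s3:*", max_age=MFA_MAX_AGE_SECONDS):
    """Deny ``actions`` unless the caller's session was created with MFA recently.

    Two Deny statements are needed: aws:MultiFactorAuthAge is absent (not 0)
    when MFA was not used, and a NumericGreaterThan test on an absent key does
    not match, so the Null test is what catches non-MFA callers.
    """
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Principal": "*",
             "Action": actions, "Resource": resources,
             "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}},
            {"Sid": "DenyStaleMFA", "Effect": "Deny", "Principal": "*",
             "Action": actions, "Resource": resources,
             "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": str(max_age)}}},
        ],
    }


def apply_bucket_policy(s3, bucket, policy):
    return s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


def matching_deny(request_context, max_age=MFA_MAX_AGE_SECONDS):
    """Local model of how the two conditions above evaluate for one request.

    ``request_context`` holds the IAM condition keys of the request; it has
    'aws:MultiFactorAuthAge' only for temporary credentials obtained with MFA
    (long-term access keys never carry it). Returns the Sid of the Deny
    statement that matches, or None when neither does.
    """
    age = request_context.get("aws:MultiFactorAuthAge")
    if age is None:
        return "DenyWithoutMFA"
    if int(age) > max_age:
        return "DenyStaleMFA"
    return None


if __name__ == "__main__":
    # Constructed request contexts, not captured from AWS.
    for label, ctx in {"plain access key, no MFA": {},
                       "MFA session 5 min old": {"aws:MultiFactorAuthAge": "300"},
                       "MFA session 2 h old": {"aws:MultiFactorAuthAge": "7200"}}.items():
        print(f"{label:26s} -> {matching_deny(ctx) or 'allowed by this policy'}")
    print(json.dumps(mfa_bucket_policy("example-archive-bucket"), indent=2))
```

A Deny on s3:* with Principal * applies to every caller without a recent MFA session, including the root user and any service role (replication, Lambda, backup jobs), so in practice scope the actions parameter to the destructive operations (s3:DeleteObject, s3:DeleteObjectVersion, s3:PutBucketVersioning) or to a prefix before applying it, and obtain the MFA-backed session with sts get-session-token or by assuming a role that requires MFA.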

Amazon S3 lifecycle policy

An Amazon S3 lifecycle configuration is a set of rules (stored as XML; the console, CLI and SDKs build it for you) that define actions Amazon S3 applies to a group of objects, such as transitioning them to another storage class or expiring them. Note that, per the S3 documentation, lifecycle configuration is not supported on buckets with MFA delete enabled, so decide which of the two controls a bucket needs. To add a lifecycle rule to a bucket, first sign in to the AWS Management Console and open the Amazon S3 console. In the Buckets list, choose the name of the bucket you want to add lifecycle rules to. Next, select the Management tab. For example:

s3_lifecycle_policy_management

Then, click Create Lifecycle Rule and follow to set up the desired parameters. For example:

s3_create_lifecycle_policy

Now choose the rule scope: all objects in the bucket, or only those under a given prefix (in simple terms, a prefix in Amazon S3 is like a subfolder path; objects are stored flat, and the prefix is just the leading part of the key). Next, choose the lifecycle rule actions your organization requires. In this example, we move the current versions of objects to the Standard-Infrequent Access (Standard-IA) storage class 30 days after object creation; 30 days is also the minimum Amazon S3 accepts for a transition to Standard-IA. The primary reasons are compliance requirements and/or cost savings: Standard-IA charges less for storage but more per retrieval, which suits archives that are rarely read.

s3_mfa_lifecycle_management_rules

Then, review the configuration and hit “Create Rule.”
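The same rule expressed as a lifecycle configuration through the API, as an added example that is not part of the original post. It assumes a boto3 S3 client passed in as s3, a bucket that has versioning but not MFA delete enabled, and placeholder prefix and day counts; the extra noncurrent-version actions are an addition to the console rule above, because on a versioned bucket every overwrite leaves an old version behind that a rule for current versions never touches.

```python
"""Lifecycle rule for an archive prefix on a versioned bucket.

Added example, not from the original post. ``s3`` is a boto3 S3 client
passed in by the caller; bucket and prefix names are placeholders.
"""
# S3 rejects transitions to STANDARD_IA / ONEZONE_IA earlier than 30 days
# after creation (for current and noncurrent versions alike).
IA_MIN_DAYS = 30


def archive_rule(prefix, ia_after_days=30, noncurrent_ia_after_days=30,
                 noncurrent_expire_after_days=365):
    """One lifecycle rule for objects under ``prefix``.

    - current versions move to STANDARD_IA after ``ia_after_days``
    - noncurrent versions (old versions kept by bucket versioning on every
      overwrite or delete) also move to STANDARD_IA, then are expired, so
      versioning does not grow storage forever
    """
    if min(ia_after_days, noncurrent_ia_after_days) < IA_MIN_DAYS:
        raise ValueError(f"STANDARD_IA transitions need at least {IA_MIN_DAYS} days")
    if noncurrent_expire_after_days <= noncurrent_ia_after_days:
        raise ValueError("expire noncurrent versions only after transitioning them")
    return {
        "ID": f"to-standard-ia:{prefix or '*'}",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": ia_after_days, "StorageClass": "STANDARD_IA"}],
        "NoncurrentVersionTransitions": [
            {"NoncurrentDays": noncurrent_ia_after_days, "StorageClass": "STANDARD_IA"}
        ],
        "NoncurrentVersionExpiration": {"NoncurrentDays": noncurrent_expire_after_days},
    }


def lifecycle_configuration(rules):
    """PutBucketLifecycleConfiguration replaces the whole configuration, so
    every rule the bucket should keep must be included here."""
    return {"Rules": list(rules)}


def apply_lifecycle(s3, bucket, rules):
    return s3.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=lifecycle_configuration(rules))


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_configuration([archive_rule("archive/")]), indent=2))
    # Live use: import boto3; apply_lifecycle(boto3.client("s3"), "<bucket>", [archive_rule("archive/")])
```

Because the put call replaces the entire lifecycle configuration, fetch the existing rules with get_bucket_lifecycle_configuration first and append to them when the bucket already has rules.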

Amazon S3 write-once-read-many (WORM)

Let’s break this into two parts: Amazon S3 Glacier Vault Lock and Amazon S3 Object Lock.

Amazon S3 Glacier Vault Lock

You can enforce compliance controls on an Amazon S3 Glacier vault with a Vault Lock policy. You initiate the lock by attaching a Vault Lock policy to the vault; this puts the lock into the in-progress state and returns a lock ID. While the policy is in progress, you have 24 hours to validate it and complete the lock using that lock ID; otherwise the lock ID expires and the in-progress policy is deleted. Once the lock is completed, the policy can no longer be changed or removed, which is what makes it a compliance control rather than an ordinary access policy. Now, let’s see how this is done.

First, go to the Amazon S3 Glacier console and choose the vaults from the desired region. Choose the Vault Policy tab.

s3_security_vault_policy

Next, from the Vault Lock policy section, choose Initiate Vault Lock policy.

vault_lock_policy

Next, write the policy and click Save Changes. In the example below, any request to delete an archive that is 180 days old or younger is denied.

code_snippet
s3_record_vault_lock_id

Note: Do not forget to record the Vault Lock ID. After the Vault Lock policy has been initiated, you have 24 hours to validate the policy and complete the lock, and to complete it you must provide the lock ID. If it is not provided within 24 hours, the lock ID expires and the in-progress policy is deleted. If you need to change anything while the lock is still in progress, you can Delete Vault Lock Policy (this aborts the lock) and initiate a new policy; after the lock is completed this is no longer possible.

Next, enter the Lock ID you noted earlier and click Complete Vault Lock.

s3_vault_lock_policy
s3_complete_vault_lock
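The initiate, record the lock ID, validate, complete sequence above as API calls, added here as an example and not taken from the original post. In production the glacier argument is boto3.client("glacier"); the FakeGlacier class is a constructed in-memory stand-in that mimics the lock-ID state machine (including the 24-hour expiry) so the flow can be run offline, and the account ID, region and vault name are placeholders. The policy mirrors the 180-day rule described above using the glacier:ArchiveAgeInDays condition key.

```python
"""Two-phase Vault Lock (initiate -> validate -> complete) for an S3 Glacier vault.
Added example, not from the original post. In production ``glacier`` is
boto3.client("glacier"); FakeGlacier is a constructed offline stand-in that
mimics the lock-ID state machine. Account ID, region and vault name are placeholders."""
import json
import uuid
from datetime import datetime, timedelta, timezone

LOCK_WINDOW = timedelta(hours=24)  # Glacier discards an in-progress lock after 24 h


def vault_lock_policy(account_id, vault_name, min_age_days=180, region="us-east-1"):
    """Deny DeleteArchive for any archive that is min_age_days old or younger."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDeleteOfYoungArchives",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "glacier:DeleteArchive",
            "Resource": f"arn:aws:glacier:{region}:{account_id}:vaults/{vault_name}",
            "Condition": {"NumericLessThanEquals": {"glacier:ArchiveAgeInDays": str(min_age_days)}},
        }],
    }


class VaultLocker:
    """Client-side driver that remembers the lock ID and the 24-hour deadline."""

    def __init__(self, glacier, vault_name, clock=None):
        self.glacier, self.vault_name = glacier, vault_name
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.lock_id = self.deadline = None

    def initiate(self, policy):
        resp = self.glacier.initiate_vault_lock(
            accountId="-", vaultName=self.vault_name, policy={"Policy": json.dumps(policy)})
        self.lock_id = resp["lockId"]           # record it: required to complete the lock
        self.deadline = self.clock() + LOCK_WINDOW
        return self.lock_id

    def complete(self):
        """Make the policy permanent; after this it can no longer be changed or removed."""
        if self.lock_id is None:
            raise RuntimeError("no lock in progress; call initiate() first")
        if self.clock() > self.deadline:
            raise RuntimeError("lock ID expired and the in-progress policy was deleted; initiate again")
        self.glacier.complete_vault_lock(accountId="-", vaultName=self.vault_name, lockId=self.lock_id)
        self.lock_id = None


class FakeGlacier:
    """Constructed in-memory stand-in for one vault's Vault Lock API calls."""

    def __init__(self, clock):
        self.clock = clock
        self.state = None        # None (no policy) | "InProgress" | "Locked"
        self.policy = self.lock_id = self.expires = None

    def _expire_if_due(self):
        if self.state == "InProgress" and self.clock() > self.expires:
            self.state = self.policy = self.lock_id = None

    def initiate_vault_lock(self, accountId, vaultName, policy):
        self._expire_if_due()
        if self.state is not None:
            raise RuntimeError("a Vault Lock policy is already in progress or locked")
        self.policy, self.state = policy["Policy"], "InProgress"
        self.lock_id, self.expires = uuid.uuid4().hex, self.clock() + LOCK_WINDOW
        return {"lockId": self.lock_id}

    def complete_vault_lock(self, accountId, vaultName, lockId):
        self._expire_if_due()
        if self.state != "InProgress" or lockId != self.lock_id:
            raise RuntimeError("no in-progress lock matching this lock ID")
        self.state = "Locked"
        return {}

    def get_vault_lock(self, accountId, vaultName):
        # Real API raises ResourceNotFoundException when no policy exists; the fake returns State=None.
        self._expire_if_due()
        return {"State": self.state, "Policy": self.policy}


def lock_vault_demo(hours_until_complete=1.0):
    """Run the flow against FakeGlacier and return the vault's final lock state."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    clock = lambda: now[0]
    glacier = FakeGlacier(clock)
    locker = VaultLocker(glacier, "archive-vault", clock)
    locker.initiate(vault_lock_policy("123456789012", "archive-vault"))
    now[0] += timedelta(hours=hours_until_complete)   # time spent validating the policy
    try:
        locker.complete()
    except RuntimeError as exc:
        print(f"complete failed: {exc}")
    return glacier.get_vault_lock(accountId="-", vaultName="archive-vault")["State"]
```

Abandoning an in-progress lock (the console’s Delete Vault Lock Policy) is the abort_vault_lock call on the same client; there is no call that undoes a completed lock. Validate the policy during the window by running the operations it is meant to block against the vault and confirming they are denied before you call complete.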

Amazon S3 Object Lock

You can store objects using a write-once-read-many (WORM) model to prevent object versions from being deleted or overwritten for a fixed amount of time or indefinitely. This helps your organization satisfy regulatory requirements and adds a layer of protection against changes and deletion. Object Lock is applied in two ways: a retention period (days or years) and a legal hold.

  • A retention period specifies a fixed period of time during which an object remains locked — during the lock period, your object is WORM-protected and can’t be overwritten or deleted.
  • A legal hold provides the same protection as a retention period but has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. 

Let’s try the legal hold feature. First, select the desired bucket in the Amazon S3 console and list its objects. Choose the object you want to place a legal hold on. Under the object’s Properties tab you will find Object Lock legal hold. Click Edit, select Enable, and save changes.

s3_edit_object_lock_hold

Please note that a legal hold prevents an object version from being overwritten or deleted until the hold is explicitly removed, independently of any retention period on the same version. Also note that legal holds can be placed and removed by any user with the s3:PutObjectLegalHold permission, so treat that permission as sensitive and grant it narrowly.

Now, let’s try object lock retention. At the time of writing, Amazon S3 did not let you turn on Object Lock on an existing bucket (that required an AWS Support ticket), so enable it when you create the bucket. Object Lock works only on versioned buckets: enabling it turns versioning on automatically, and versioning cannot be suspended afterwards. To enable Object Lock during bucket creation, under the Object Lock section select Enable, tick the acknowledgment, and click Create Bucket. For example:

create bucket

Amazon S3 Object Lock provides two retention modes, governance mode and compliance mode. In governance mode, users can’t overwrite or delete a protected object version or alter its lock settings unless they hold the s3:BypassGovernanceRetention permission and explicitly ask to bypass the lock (the x-amz-bypass-governance-retention request header), which makes governance mode suitable for protecting against mistakes while keeping an administrative escape hatch. In compliance mode, a protected object version can’t be overwritten or deleted by any user, including the root user of the AWS account; the retention period can be extended but not shortened, the mode can’t be changed, and the version stays immutable until its retain-until date has passed. Choose the mode and date carefully, because a compliance-mode mistake can only be waited out. To set retention on an object version, go to the Object Lock retention section on the object’s Properties tab, click Edit, choose the retention mode and retain-until date, and click Save changes.

edit object lock in s3
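The retention and legal hold operations described above as boto3 calls, plus a local decision table for what a delete request does to a locked version, added here as an example that is not part of the original post. It assumes a boto3 S3 client passed in as s3 and placeholder bucket, key and version IDs; decide_delete is my model of the rules stated in this section (legal hold, governance bypass, compliance immutability, and the delete-marker behaviour of a delete without a version ID), not S3’s own code.

```python
"""Object Lock retention and legal hold on an S3 bucket.

Added example, not code from the original post. ``s3`` is a boto3 S3 client
passed in by the caller; bucket, key and version IDs are placeholders.
``decide_delete`` is a local model of S3's delete decision for a locked
version, written to make the governance/compliance/legal-hold rules explicit.
"""
from datetime import datetime, timedelta, timezone


def create_locked_bucket(s3, bucket):
    """Object Lock must be requested at creation; it also turns versioning on."""
    return s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)


def set_retention(s3, bucket, key, version_id, mode, days, bypass_governance=False):
    """mode is "GOVERNANCE" or "COMPLIANCE". Shortening an existing GOVERNANCE
    period needs bypass_governance=True plus s3:BypassGovernanceRetention;
    a COMPLIANCE period can only be extended."""
    until = datetime.now(timezone.utc) + timedelta(days=days)
    return s3.put_object_retention(
        Bucket=bucket, Key=key, VersionId=version_id,
        Retention={"Mode": mode, "RetainUntilDate": until},
        BypassGovernanceRetention=bypass_governance)


def set_legal_hold(s3, bucket, key, version_id, on=True):
    """Needs s3:PutObjectLegalHold both to place and to remove the hold."""
    return s3.put_object_legal_hold(
        Bucket=bucket, Key=key, VersionId=version_id,
        LegalHold={"Status": "ON" if on else "OFF"})


def delete_version(s3, bucket, key, version_id, bypass_governance=False):
    """Permanent delete of one version; the bypass flag sets the
    x-amz-bypass-governance-retention header."""
    return s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id,
                            BypassGovernanceRetention=bypass_governance)


def decide_delete(version, version_id=None, bypass_governance=False,
                  has_bypass_permission=False, now=None):
    """Model of whether S3 permanently deletes a locked object version.

    ``version`` is a dict with optional keys mode ("GOVERNANCE"/"COMPLIANCE"),
    retain_until (aware datetime) and legal_hold ("ON"/"OFF").
    Returns (allowed, reason).
    """
    now = now or datetime.now(timezone.utc)
    if version_id is None:
        # A delete without a version ID only adds a delete marker; the locked
        # version itself is untouched, so Object Lock does not block it.
        return True, "no VersionId: delete marker added, locked version kept"
    if version.get("legal_hold") == "ON":
        return False, "legal hold is on; remove it first (s3:PutObjectLegalHold)"
    mode, until = version.get("mode"), version.get("retain_until")
    if mode and until and now < until:
        if mode == "COMPLIANCE":
            return False, f"COMPLIANCE retention until {until.isoformat()}; nobody can bypass it"
        if bypass_governance and has_bypass_permission:
            return True, "GOVERNANCE retention bypassed with s3:BypassGovernanceRetention"
        return False, "GOVERNANCE retention; needs s3:BypassGovernanceRetention and the bypass header"
    return True, "no active retention or legal hold"


if __name__ == "__main__":
    # Constructed version metadata, not read from a real bucket.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cases = {
        "compliance, root with bypass": ({"mode": "COMPLIANCE", "retain_until": t0 + timedelta(days=30)},
                                         dict(version_id="v1", bypass_governance=True, has_bypass_permission=True)),
        "governance, no bypass": ({"mode": "GOVERNANCE", "retain_until": t0 + timedelta(days=30)},
                                  dict(version_id="v1")),
        "governance, bypass + permission": ({"mode": "GOVERNANCE", "retain_until": t0 + timedelta(days=30)},
                                            dict(version_id="v1", bypass_governance=True, has_bypass_permission=True)),
        "legal hold overrides bypass": ({"mode": "GOVERNANCE", "retain_until": t0 + timedelta(days=30), "legal_hold": "ON"},
                                        dict(version_id="v1", bypass_governance=True, has_bypass_permission=True)),
    }
    for label, (ver, kwargs) in cases.items():
        print(f"{label:34s} -> {decide_delete(ver, now=t0, **kwargs)}")
```

The practical consequence of the delete-marker rule is that a plain delete on a locked object makes it disappear from listings while the protected version remains recoverable; monitoring for DeleteObject events alone therefore does not tell you whether data was actually destroyed, only DeleteObject with a version ID does.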

Summary

Amazon S3 offers several features for archiving sensitive data: versioning, MFA delete, lifecycle policies, Amazon S3 Glacier Vault Lock, and Object Lock (the S3 WORM model). We walked you through the steps to enable each of them. In the next part of the series, Part 2 of 5, we’ll discuss how you can achieve data confidentiality in Amazon S3.

Next steps

Return to the intro of this series for links to each of the blogs once they're published, and read the next issue in this series for an in-depth summary of how to use Amazon S3 for data confidentiality. You can also learn more about the technical innovations and best practices powering cloud backup and data management. Visit the Innovation Series section of Druva’s blog archive.

About the author

I have been in the cloud tech world since 2015, wearing multiple hats and working as a consultant to help customers architect their cloud journey. I joined Druva four years ago as a cloud engineer. Currently, I lead Druva’s cloud security initiatives, roadmap, and planning. I love to approach cloud security pragmatically because I strongly believe that the most important component of security is the humans behind the systems. 

Get my hands-on style weekly cloud security newsletter. Subscribe here

Find me on LinkedIn: https://www.linkedin.com/in/aashish-aj/

Email: aashish.aacharya@druva.com