Profile Applicability:

  • Level 1

Description:

Amazon S3 Glacier is a storage class designed for data archiving and long-term backup. S3 Glacier Vaults are containers used to organize data stored in S3 Glacier. Vaults can have access policies attached that define who can access the data in the vault.

Allowing access to everyone (i.e., the use of broad, unrestricted access policies) increases the risk of unauthorized access to archived data. This SOP ensures that S3 Glacier Vaults have appropriate access policies and do not allow public access, reducing the risk of unauthorized disclosure or tampering of archived data.

Rationale:

Ensuring that S3 Glacier Vaults do not have policies that allow access to everyone is essential for:

  • Data Protection: Preventing unauthorized users or services from accessing sensitive archived data.

  • Security: Mitigating the risk of accidental or malicious data exposure.

  • Compliance: Meeting compliance requirements for data security and privacy, such as HIPAA, SOC 2, and GDPR, which require restricted access to sensitive information.

Impact:

Pros:

  • Enhanced Security: Restricting access to S3 Glacier Vaults ensures that only authorized users and services can access archived data.

  • Compliance: Helps meet regulatory and compliance requirements that mandate access controls for sensitive data.

  • Data Integrity: Reduces the risk of data being exposed or tampered with by unauthorized parties.

Cons:

  • Access Restrictions: Depending on the vault's use case, overly restrictive policies may hinder legitimate users or applications from accessing data when needed.

  • Management Overhead: Properly managing access controls and monitoring policy changes could introduce additional administrative overhead.

Default Value:

By default, an S3 Glacier Vault is private and has no Vault Access Policy attached, so no access is granted through a vault policy. A Vault Access Policy can be added to grant access to specific users or roles.

Pre-requisite:

  • AWS IAM Permissions:

    • s3:GetBucketPolicy

    • s3:GetBucketAcl

    • glacier:DescribeVault

    • glacier:GetVaultAccessPolicy

  • AWS CLI installed and configured.

  • Basic knowledge of S3 Glacier Vaults and Vault Access Policies.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon S3 Glacier under Services.

  3. In the Glacier Console, go to Vaults and select the vault you want to inspect.

  4. Check if any access policies are attached to the vault:

    • If a policy is attached, review it to ensure that it does not allow unrestricted access to the vault (e.g., does not grant Principal: "*").

    • Ensure that access is restricted to specific users, groups, or roles, and that there is no public or wide-open access.

Using AWS CLI:

To describe the Vault Access Policy for a specific vault, run the following command:

aws glacier get-vault-access-policy --vault-name <vault-name> --account-id -

Review the Policy section of the output for Principal: "*", which indicates that the policy allows access to everyone.

  • If Principal: "*" is found, the vault has an overly permissive policy and must be updated to restrict access.

Example output:

{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAll",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "glacier:GetVaultInventory",
                "Resource": "*"
            }
        ]
    }
}

If Principal: "*" is present, follow the steps in the implementation section to update the policy.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon S3 Glacier.

  2. Go to Vaults and select the vault to modify.

  3. In the Vault Details, review the Vault Access Policy.

  4. If the policy allows access to everyone (i.e., Principal: "*"), click Edit Policy.

  5. Modify the policy to restrict access:

    • Remove Principal: "*".

    • Define specific roles, users, or groups that are allowed access.

  6. Save the policy.

Using AWS CLI:

To update the Vault Access Policy and remove public access, run:

aws glacier set-vault-access-policy --vault-name <vault-name> --account-id - --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::<account-id>:role/<role-name>"},
            "Action": "glacier:GetVaultInventory",
            "Resource": "*"
        }
    ]
}'

Verify that the Vault Access Policy no longer allows public access by running:

aws glacier get-vault-access-policy --vault-name <vault-name> --account-id -

Ensure that the updated policy restricts access to only authorized principals and does not include Principal: "*".
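As an added example (not part of the original SOP), the following Python script parses the output of the get-vault-access-policy command above, flags Allow statements whose Principal is "*" (or the equivalent {"AWS": "*"}), and builds the restricted policy that the set-vault-access-policy command applies. The account ID, role names and sample policy are constructed; the script accepts both the form the CLI prints (policy document as a JSON string under "policy" -> "Policy") and the decoded form shown in the example output.

```python
import json

# Constructed sample in the shape `aws glacier get-vault-access-policy` prints:
# the policy document is a JSON string nested under "policy" -> "Policy".
SAMPLE_CLI_OUTPUT = json.dumps({"policy": {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
         "Action": "glacier:GetVaultInventory", "Resource": "*"},
        {"Sid": "AdminOnly", "Effect": "Allow", "Action": "glacier:*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/VaultAdmin"}}]})}})

def load_policy(cli_output):
    """Unwrap the CLI envelope ("policy"/"Policy", possibly a JSON string)."""
    doc = json.loads(cli_output)
    while isinstance(doc, dict) and "Statement" not in doc:
        doc = doc.get("policy", doc.get("Policy"))
        if isinstance(doc, str):
            doc = json.loads(doc)
    if not isinstance(doc, dict):
        raise ValueError("no policy document found in CLI output")
    return doc

def is_public_principal(principal):
    """Both "*" and {"AWS": "*"} (string or list) grant access to everyone."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in ([aws] if isinstance(aws, str) else aws or [])

def find_public_statements(policy):
    """(Sid, has_condition) for each Allow statement open to everyone; a
    Condition may narrow the grant, so those still need manual review."""
    return [(s.get("Sid", f"statement-{i}"), "Condition" in s)
            for i, s in enumerate(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal"))]

def restrict_policy(policy, principal_arn):
    """Copy of the policy with every public Allow statement re-scoped to
    principal_arn, matching the set-vault-access-policy remediation above."""
    fixed = json.loads(json.dumps(policy))
    for s in fixed.get("Statement", []):
        if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal")):
            s["Principal"] = {"AWS": principal_arn}
    return fixed

if __name__ == "__main__":
    policy = load_policy(SAMPLE_CLI_OUTPUT)
    print("public statements:", find_public_statements(policy))
    print(json.dumps(restrict_policy(policy, "arn:aws:iam::111122223333:role/VaultReader")))
```

Keep the unmodified get-vault-access-policy output as the backup policy that the backout plan below relies on before applying the restricted policy.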

Backout Plan:

If modifying the Vault Access Policy causes access issues (e.g., legitimate users or services are blocked):

  1. Identify the affected S3 Glacier vault.

  2. Revert to the previous policy (if a backup exists):

aws glacier set-vault-access-policy --vault-name <vault-name> --account-id - --policy '<backup-policy-json>'

  3. Ensure that the restored policy grants access to authorized users and services.

Note:

  • Monitoring and Alerts: Set up CloudTrail and CloudWatch Logs to monitor changes to S3 Glacier Vault Access Policies and detect unauthorized modifications.

  • Access Control Best Practices: Always apply the principle of least privilege. Restrict access to vaults to only those who absolutely need it, and regularly review access policies.

  • Automation: Consider automating policy checks using AWS Lambda to verify that S3 Glacier Vaults do not have overly permissive access policies.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |