Profile Applicability

  • Level 1

Description:

Amazon S3 is widely used for storing data in AWS. To maintain data security and comply with regulatory standards, it is important to ensure that all data in S3 has been discovered, classified, and secured. This process involves identifying sensitive data (such as personally identifiable information or financial data), applying appropriate access controls, and ensuring that data is encrypted when necessary.

Data discovery and classification help identify sensitive or regulated data that requires special handling or protection. Securing the data in Amazon S3 involves implementing encryption, access control policies, and monitoring to ensure that data remains protected throughout its lifecycle.

Rationale:

Ensuring that all data in S3 is discovered, classified, and secured provides:

  • Data protection: Identifies sensitive data and ensures that proper security controls (encryption, access control) are in place.

  • Compliance: Meets regulatory requirements (e.g., HIPAA, PCI-DSS, GDPR) that mandate the discovery, classification, and protection of sensitive data.

  • Auditability: Establishes a clear, documented process for handling sensitive data, ensuring that data is appropriately secured and complies with security policies.

Without data discovery, classification, and securing processes in place, organizations risk exposing sensitive information or failing to meet regulatory obligations.

Impact:

Failure to ensure that all data in S3 has been discovered, classified, and secured can result in:

  • Data breaches: Sensitive data may be left unsecured or improperly protected.

  • Compliance violations: Failing to classify and secure sensitive data can result in non-compliance with regulatory standards.

  • Increased security risks: Improperly secured data may be accessed by unauthorized users or exposed to attacks.

Ensuring data is discovered, classified, and secured reduces the risk of data exposure, breaches, and compliance issues.

Default Value:

By default, Amazon S3 applies SSE-S3 server-side encryption to every new object (all buckets have had default encryption since January 2023), but it does not discover or classify data, and default encryption does not restrict who can read it: any principal allowed s3:GetObject receives plaintext. Organizations need to actively enable Amazon Macie (or another discovery tool) for data discovery and classification, choose SSE-KMS where a KMS key policy should gate access to the data, and apply least-privilege access controls.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • s3:ListBucket

    • s3:GetObject

    • s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration

    • s3:GetBucketPublicAccessBlock and s3:PutBucketPublicAccessBlock

    • s3:GetBucketPolicy

    • macie2:ListFindings and macie2:GetFindings

    • macie2:GetSensitiveDataOccurrences

    • macie2:CreateClassificationJob and macie2:UpdateClassificationJob

  • Amazon Macie (or another data discovery tool) enabled in each region that holds S3 buckets, for sensitive data discovery and classification

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the S3 Console.

  2. Review each bucket and identify sensitive data from Amazon Macie findings or a manual classification.

  3. Ensure that default encryption on buckets holding sensitive data uses SSE-S3 or, where access must also be gated by a key policy, SSE-KMS, and that appropriate access controls (IAM policies, bucket policies, Block Public Access) are applied.

  4. Verify that only authorized users have access to sensitive data and that permissions follow the principle of least privilege.

Using AWS CLI:

List Macie sensitive-data findings. list-findings returns only finding IDs, so pass them to get-findings for the details (the --finding-criteria filter keeps classification findings and drops policy findings):

aws macie2 list-findings --finding-criteria '{"criterion":{"category":{"eq":["CLASSIFICATION"]}}}' --query "findingIds" --output json

aws macie2 get-findings --finding-ids <finding-id> [<finding-id> ...] --query "findings[*].{FindingId:id,Severity:severity.description,Type:type,Bucket:resourcesAffected.s3Bucket.name}" --output table

To verify S3 default encryption (every bucket has at least SSE-S3, so check the algorithm and, for SSE-KMS, the key, not merely that a rule exists):

aws s3api get-bucket-encryption --bucket <bucket-name> --query "ServerSideEncryptionConfiguration" --output table

To verify that public access is blocked:

aws s3api get-public-access-block --bucket <bucket-name>
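The test plan above is easiest to apply consistently as code that evaluates the API responses rather than a reviewer eyeballing table output. The following is an added example and not part of the benchmark text: it takes the response dicts that boto3 or the AWS CLI return for get-bucket-encryption, get-public-access-block, get-bucket-policy and macie2 get-findings and reports why a bucket fails. The sample responses at the bottom are constructed (the bucket name is made up); their field names follow the real API response shapes.

```python
"""Audit a bucket for this control from captured API responses.

Added example, not part of the benchmark text. The functions take the
response dicts that boto3 / the AWS CLI return for get-bucket-encryption,
get-public-access-block, get-bucket-policy and macie2 get-findings, so
captured JSON can be checked offline. The sample responses at the bottom
are constructed; the bucket name is made up.
"""
import json

SSE_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def default_encryption(resp):
    """SSEAlgorithm of the bucket's default-encryption rule, or None.
    resp is None if get-bucket-encryption raised ServerSideEncryptionConfigurationNotFoundError."""
    for rule in (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in SSE_ALGORITHMS:
            return algo
    return None

def public_access_fully_blocked(resp):
    """All four Block Public Access flags must be true; no configuration at all is a fail."""
    cfg = (resp or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)

def public_policy_statements(resp):
    """Sids (or positions) of unconditioned Allow statements granted to a wildcard principal."""
    if not resp:
        return []
    policy = json.loads(resp["Policy"])  # get-bucket-policy returns the document as a JSON string
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the enclosing list
        statements = [statements]
    hits = []
    for i, s in enumerate(statements):
        if s.get("Effect") != "Allow" or "Condition" in s:
            continue
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or aws == ["*"]:
            hits.append(s.get("Sid", "Statement[%d]" % i))
    return hits

def open_classification_findings(resp, bucket):
    """Unarchived Macie sensitive-data findings for bucket as (type, severity) pairs.
    Policy findings (category POLICY) describe configuration, not data, so they are skipped."""
    hits = []
    for f in resp.get("findings", []):
        if f.get("category") != "CLASSIFICATION" or f.get("archived"):
            continue
        if f.get("resourcesAffected", {}).get("s3Bucket", {}).get("name") != bucket:
            continue
        hits.append((f["type"], f["severity"]["description"]))
    return hits

def audit_bucket(bucket, encryption, pab, policy, findings):
    """Return the list of failures; an empty list means the bucket passes."""
    failures = []
    algo = default_encryption(encryption)
    if algo is None:
        failures.append("no default encryption rule")
    if not public_access_fully_blocked(pab):
        failures.append("Block Public Access not fully enabled")
    for sid in public_policy_statements(policy):
        failures.append("bucket policy statement %s allows a wildcard principal" % sid)
    open_findings = open_classification_findings(findings, bucket)
    # Sensitive data under SSE-S3 only is encrypted at rest, but every principal with
    # s3:GetObject reads plaintext; flag it so SSE-KMS (key policy control) is considered.
    if open_findings and algo == "AES256":
        failures.append("sensitive data found but bucket uses SSE-S3 only")
    for ftype, sev in open_findings:
        if sev in ("High", "Medium"):
            failures.append("unresolved Macie finding %s (%s)" % (ftype, sev))
    return failures

# --- constructed sample responses (field names follow the real API responses) ---
BUCKET = "example-customer-exports"
SAMPLE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::%s/*" % BUCKET}]})}
SAMPLE_FINDINGS = {"findings": [
    {"id": "f1", "category": "CLASSIFICATION", "archived": False, "type": "SensitiveData:S3Object/Personal",
     "severity": {"description": "High", "score": 3}, "resourcesAffected": {"s3Bucket": {"name": BUCKET}}},
    {"id": "f2", "category": "POLICY", "archived": False, "type": "Policy:IAMUser/S3BucketPublic",
     "severity": {"description": "High", "score": 3}, "resourcesAffected": {"s3Bucket": {"name": BUCKET}}}]}

if __name__ == "__main__":
    for failure in audit_bucket(BUCKET, SAMPLE_ENCRYPTION, SAMPLE_PAB, SAMPLE_POLICY, SAMPLE_FINDINGS):
        print("FAIL:", failure)
```

Run as-is, the sample bucket fails on four counts: partial Block Public Access, a public-read bucket policy statement, an unresolved High Macie finding, and sensitive data protected by SSE-S3 only. Feeding real responses in (for example by piping the CLI output of the commands above into json.load) turns the test plan into a repeatable per-bucket check.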


Implementation Plan:

Using AWS Console:

  1. Enable data discovery and classification with Amazon Macie:

    • Go to the Amazon Macie Console.

    • Enable Macie in every region that holds S3 buckets (Macie is a regional service and only sees buckets in the region where it is enabled).

    • Create classification jobs to scan the S3 buckets for sensitive data and classify it.

    • Review the findings and apply appropriate security measures, such as encryption and access controls.

  2. Ensure that S3 data is encrypted:

    • Go to the S3 Console.

    • For each S3 bucket, open the Properties tab and review Default encryption. S3 applies SSE-S3 to every bucket, so the check is which algorithm and key are in use, not whether a rule exists.

    • Select SSE-KMS with a customer managed key (and enable S3 Bucket Keys) where access to the data must also be controlled through a KMS key policy; SSE-S3 is sufficient where IAM and bucket policies alone provide the access control.

  3. Implement proper access controls:

    • In the S3 Console, review Bucket Policies and IAM Policies to ensure they enforce least-privilege access to sensitive data; in particular, no Allow statement should grant to Principal "*" without a restricting Condition.

    • Enable S3 Block Public Access (all four settings) on the bucket or the account to avoid unintentional exposure, and consider MFA Delete on versioned buckets to protect sensitive objects against deletion.

Using AWS CLI:

  1. Enable Macie in the region if it is not already enabled, then start a one-time classification job. --name is required, and bucketDefinitions takes the bucket owner's account ID together with a list of bucket names:

aws macie2 enable-macie

aws macie2 create-classification-job --job-type ONE_TIME --name <job-name> --s3-job-definition "bucketDefinitions=[{accountId=<account-id>,buckets=[<bucket-name>]}]"

  2. Verify S3 bucket encryption:

aws s3api get-bucket-encryption --bucket <bucket-name> --query "ServerSideEncryptionConfiguration"

  3. Set default encryption on the bucket. SSE-S3 is shown; for SSE-KMS use "SSEAlgorithm":"aws:kms" with "KMSMasterKeyID":"<key-arn>" and, on the same rule, "BucketKeyEnabled":true:

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

  4. Block public access to the bucket:

aws s3api put-public-access-block --bucket <bucket-name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
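The same remediation, scripted. This is an added example and not the benchmark's own code: remediate_bucket issues the boto3 calls that correspond to the CLI steps above (put_bucket_encryption, put_public_access_block, get_macie_session/enable_macie, create_classification_job) and accepts any objects exposing those methods, so it runs against real clients (boto3.client("s3"), boto3.client("macie2")) or, as in the __main__ block, against a recording stub that lets the parameter shapes be checked offline. The account ID, bucket name and KMS key ARN are placeholders.

```python
"""Apply this control's remediation through boto3-style client calls.

Added example, not from the benchmark. remediate_bucket only needs objects
that expose the boto3 methods it calls, so it works with real clients
(boto3.client("s3"), boto3.client("macie2")) or with the recording stub
below, which lets the parameter shapes be checked offline. Account ID,
bucket name and KMS key ARN are placeholders.
"""
import uuid

BLOCK_ALL_PUBLIC = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def encryption_config(kms_key_arn=None):
    """SSE-KMS with S3 Bucket Keys when a key is given (the key policy then gates reads); otherwise SSE-S3."""
    if kms_key_arn:
        rule = {"ApplyServerSideEncryptionByDefault":
                    {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
                "BucketKeyEnabled": True}  # Bucket Keys cut KMS request volume for SSE-KMS buckets
    else:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    return {"Rules": [rule]}

def macie_job_definition(account_id, buckets):
    """CreateClassificationJob needs the bucket owner's account ID plus a list of bucket names."""
    return {"bucketDefinitions": [{"accountId": account_id, "buckets": list(buckets)}]}

def ensure_macie_enabled(macie):
    """Enable Macie in the region unless a session already reports ENABLED.
    GetMacieSession raises AccessDeniedException when Macie is not enabled, so treat an error as 'not enabled'."""
    try:
        if macie.get_macie_session().get("status") == "ENABLED":
            return False
    except Exception:
        pass
    macie.enable_macie(status="ENABLED", findingPublishingFrequency="FIFTEEN_MINUTES")
    return True

def remediate_bucket(s3, macie, account_id, bucket, kms_key_arn=None):
    """Encrypt, block public access, then classify. Returns the Macie job ID."""
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=encryption_config(kms_key_arn))
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC)
    ensure_macie_enabled(macie)
    resp = macie.create_classification_job(
        clientToken=str(uuid.uuid4()),   # idempotency token, required by the API
        jobType="ONE_TIME",
        name="classify-%s" % bucket,
        s3JobDefinition=macie_job_definition(account_id, [bucket]),
    )
    return resp.get("jobId")

class RecordingClient:
    """Minimal stand-in for a boto3 client: records every call and returns canned responses."""
    def __init__(self, canned=None):
        self.calls = []
        self.canned = canned or {}

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            value = self.canned.get(name, {})
            if isinstance(value, Exception):  # simulate a failing API call
                raise value
            return value
        return method

if __name__ == "__main__":
    s3 = RecordingClient()
    macie = RecordingClient({"get_macie_session": {"status": "ENABLED"},
                             "create_classification_job": {"jobId": "job-example"}})
    print(remediate_bucket(s3, macie, "111122223333", "example-customer-exports",
                           "arn:aws:kms:us-east-1:111122223333:key/example"))
    for name, kwargs in s3.calls + macie.calls:
        print(name, kwargs)
```

Swap the two RecordingClient instances for boto3 clients to run it for real; the recorded calls show the exact parameter structures, including the accountId/buckets shape that s3JobDefinition requires.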

Backout Plan:

Using AWS Console:

  1. If switching default encryption to SSE-KMS causes access failures:

    • Access errors after moving to SSE-KMS are almost always KMS permissions (the key policy, or the caller's kms:Decrypt and kms:GenerateDataKey rights), so check those before reverting.

    • To revert, go to the S3 Console, open the bucket's Properties tab and change Default encryption back to SSE-S3. Default encryption cannot be turned off entirely: S3 applies SSE-S3 to all buckets.

    • If issues persist, investigate any IAM or bucket policy changes made during remediation that may be conflicting with intended access.

  2. Back out the Macie classification work:

    • Go to the Amazon Macie Console and cancel or pause the classification job rather than disabling Macie: disabling Macie deletes all Macie resources in the region, including findings and jobs, and cannot be undone.

    • Archive findings that are confirmed false positives; leave the rest for remediation.

Using AWS CLI:

  1. Reset default encryption (deleting the configuration returns the bucket to SSE-S3; objects are never left unencrypted):

aws s3api delete-bucket-encryption --bucket <bucket-name>

  2. Cancel a running Macie classification job (there is no cancel-classification-job command; cancellation is a status update, and a cancelled job cannot be resumed):

aws macie2 update-classification-job --job-id <job-id> --job-status CANCELLED

  3. Re-apply encryption and start a new classification job once the issue is resolved:

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

aws macie2 create-classification-job --job-type ONE_TIME --name <job-name> --s3-job-definition "bucketDefinitions=[{accountId=<account-id>,buckets=[<bucket-name>]}]"

References:

CIS Controls Mapping:

CIS Control Version   Control ID   Control Description
CIS v8                4.9          Perform Continuous Security Monitoring and Incident Detection
CIS v7                6.3          Monitor Security Configurations for Compliance
CIS v7                5.2          Securely Manage and Monitor Cloud Accounts and Services