Profile Applicability:
This check applies to all AWS accounts where data ingestion is a critical component of the system, specifically for ensuring the secure transfer and processing of data into AWS services.
Description:
This check ensures that data ingestion processes are secure and protected against unauthorized access and modification. Data should be securely transmitted from sources to destinations within AWS and must comply with AWS security best practices.
Rationale:
Data ingestion, especially from external sources, may contain sensitive information or valuable data that can be exposed if not secured. Ensuring that data ingestion pipelines are protected reduces the risk of data breaches and unauthorized access, ensuring compliance with security policies and data protection regulations.
Impact:
Pros:
Protects sensitive data during transmission.
Enhances overall security of the data pipeline.
Ensures compliance with security standards and regulations.
Cons:
May increase the complexity of the setup and management of the ingestion pipelines.
Can introduce additional performance overhead if encryption is used.
Default Value:
By default, AWS services are configured with basic security mechanisms (e.g., encryption at rest and in transit) but may require further custom configuration to enhance data ingestion security.
Pre-requisites:
IAM roles with specific permissions for data ingestion.
Encryption enabled on relevant AWS services (S3, Kinesis, etc.).
Secure network configurations (e.g., VPCs, private subnets).
Test Plan:
Using AWS Console:
Navigate to the AWS console and access the service where data ingestion is being configured (e.g., AWS S3, AWS Kinesis).
Review the service’s security settings to ensure that encryption in transit (e.g., SSL/TLS) is enabled.
Check that access to the data ingestion source and destination is controlled via appropriate IAM policies.
Ensure that the data ingestion process uses secure protocols and is protected against unauthorized access.
Using AWS CLI:
Use the AWS CLI to check encryption settings:
aws s3api get-bucket-encryption --bucket <bucket-name>
Verify that TLS is enabled for data transfer:
aws kms describe-key --key-id <key-id>
Validate IAM policies for data ingestion access:
aws iam get-policy --policy-arn <policy-arn>
Implementation Plan
Using AWS Console:
In the AWS console, go to the respective service (S3, Kinesis, etc.) and enable encryption in transit and at rest for data.
Create or update IAM roles and policies to restrict access to data ingestion services.
Review VPC and network configurations to ensure secure data transfer between sources and destinations.
Using AWS CLI:
Enable encryption in transit and at rest for AWS services:
aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'Apply IAM policies for secure access to data:
aws iam put-user-policy --user-name <username> --policy-name <policy-name> --policy-document file://policy.json
Backout Plan
Using AWS Console:
If the data ingestion configuration is found to be misconfigured, revert the encryption settings and IAM policy configurations in the console.
Disable encryption and IAM restrictions temporarily to troubleshoot data ingestion issues.
Using AWS CLI:
Revert the encryption setting by disabling server-side encryption:
aws s3api delete-bucket-encryption --bucket <bucket-name>
Remove or update IAM policies to restore previous access configurations:
aws iam delete-user-policy --user-name <username> --policy-name <policy-name>
References:
AWS documentation on data protection and encryption: AWS S3 Encryption
AWS best practices for securing data ingestion: Securing AWS Data Ingestion