Friday, 23 March 2018

AWS S3 (Security)


Encryption
  • Object metadata (user-defined x-amz-meta-* headers) is never encrypted, whichever SSE mode is used, so keep secrets out of it
  • Server Side (SSE)
    • Can be enforced with a bucket policy (Deny s3:PutObject unless the request carries the x-amz-server-side-encryption header with the required value)
    • SSE-S3
      • S3 manages keys (AES-256)
    • SSE-KMS
      • More flexible than SSE-S3 (per-key KMS key policies, CloudTrail audit trail of key use) but KMS requests are charged
      • Customer can use a customer managed CMK or the AWS managed default key for S3 (aws/s3)
      • ETag is no longer the MD5 of the object data (the same holds for SSE-C), so it cannot be used as a content checksum; exposing the plaintext MD5 would leak information about the encrypted content
      • Headers
        • x-amz-server-side-encryption = aws:kms
        • x-amz-server-side-encryption-aws-kms-key-id
        • x-amz-server-side-encryption-context (base64-encoded JSON; recorded in plaintext in CloudTrail, so never put sensitive data in it)
    • SSE-C
      • Customer supplies the 256-bit AES key on every request (PUT and GET); S3 encrypts/decrypts with it and discards it, keeping only a salted HMAC of the key to validate later requests
      • Different objects (and different versions of the same object) may be encrypted with different keys; losing a key means losing the object
      • Only usable over HTTPS (S3 rejects SSE-C requests sent over plain HTTP)
      • Headers
        • x-amz-server-side-encryption-customer-algorithm = AES256
        • x-amz-server-side-encryption-customer-key (base64 of the raw 256-bit key)
        • x-amz-server-side-encryption-customer-key-MD5 (base64 of the MD5 digest of the raw key; S3 uses it to detect a corrupted key)
    • Default Encryption
      • Bucket setting that makes S3 apply SSE-S3 or SSE-KMS to any PUT that arrives without an encryption header; it does not re-encrypt objects that already exist
  • Client Side (CSE)
    • S3 sees only ciphertext (an opaque blob); key management, data-key wrapping (e.g. with KMS) and the integrity of the result are the client's job
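The points above in working form, added here as an example (this is not code from the post or from AWS): the exact headers an uploader sends for SSE-KMS and SSE-C, the MD5 check S3 applies to an SSE-C key, and the bucket policy that rejects unencrypted uploads, evaluated against sample requests. The bucket name, the KMS key ARN and the 32-byte sample key are made up; `put_denied_by` is a toy evaluator for the two condition operators the policy uses, not the real IAM engine.

```python
import base64
import hashlib
import hmac
import json

BUCKET = "example-bucket"                                            # assumed name
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")               # placeholder ARN


def sse_kms_headers(kms_key_arn=None, context=None):
    """Headers for an SSE-KMS PutObject. The encryption context is base64(JSON)
    and is written to CloudTrail in the clear, so it must not carry secrets."""
    h = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_arn:                      # omitted -> the account's default aws/s3 key
        h["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_arn
    if context:
        h["x-amz-server-side-encryption-context"] = base64.b64encode(
            json.dumps(context, separators=(",", ":")).encode()).decode()
    return h


def sse_c_headers(raw_key):
    """Headers for an SSE-C PutObject/GetObject. S3 needs the key on every request
    and does not store it; the MD5 header is the digest of the RAW key bytes,
    not of their base64 encoding (a common mistake)."""
    if len(raw_key) != 32:
        raise ValueError("SSE-C requires a 256-bit AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(raw_key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(raw_key).digest()).decode(),
    }


def sse_c_key_consistent(headers):
    """The check S3 performs: the key-MD5 header must match the supplied key."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    digest = base64.b64encode(hashlib.md5(key).digest()).decode()
    return hmac.compare_digest(digest, headers["x-amz-server-side-encryption-customer-key-MD5"])


def require_sse_kms_policy(bucket):
    """Bucket policy in AWS's documented two-statement shape: deny a PutObject whose
    encryption header has the wrong value, and deny one that has no header at all."""
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }


def put_denied_by(policy, headers):
    """Toy evaluator for the two condition operators used above. Returns the Sid of
    the Deny statement that matches a PutObject carrying these headers, or None.
    The s3:x-amz-* condition keys are filled from the request headers of the same name."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or st["Action"] != "s3:PutObject":
            continue
        for op, pairs in st["Condition"].items():
            for ctx_key, want in pairs.items():
                value = headers.get(ctx_key.split(":", 1)[1])
                if op == "Null" and (value is None) == (want == "true"):
                    return st["Sid"]
                if op == "StringNotEquals" and value is not None and value != want:
                    return st["Sid"]
    return None


if __name__ == "__main__":
    policy = require_sse_kms_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for name, hdrs in [("sse-kms", sse_kms_headers(KMS_KEY_ARN, {"app": "backup"})),
                       ("sse-s3", {"x-amz-server-side-encryption": "AES256"}),
                       ("sse-c", sse_c_headers(bytes(range(32)))),   # constructed sample key
                       ("plain", {})]:
        print(f"{name:8s} -> denied by {put_denied_by(policy, hdrs)}")
```

Note the caveat the evaluation makes visible: an SSE-C upload carries no x-amz-server-side-encryption header at all, so a policy that requires aws:kms rejects it along with plaintext uploads; a bucket that must accept SSE-C needs an additional condition on s3:x-amz-server-side-encryption-customer-algorithm.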

Permissions
  • Places where you set up access permissions
    • Bucket Policy (resource-based, attached to the bucket)
      • Limited document size (20 KB)
    • ACL
      • Bucket ACL
      • Object ACL
    • User IAM Policy (identity-based, lives in the requester's account)
  • Authorities (the "context authority" whose policies are consulted at each step)
    • Parent Account Owner (the account the IAM user/role belongs to)
    • Bucket Account Owner
    • Object Account Owner (may differ from the bucket owner when another account uploaded the object)
  • Evaluation order: user context, then bucket context, then object context; an explicit Deny at any step wins
  • User Context
    • Evaluated only when the requester is an IAM principal (user/role); the parent account's IAM policies are checked, a request signed by the account root has no user context
  • Bucket Context
    • Bucket policy and bucket ACL of the Bucket Account Owner
  • Object Context
    • Object ACL of the Object Account Owner; the Bucket Account Owner can deny access to any object in its bucket (via bucket policy) but cannot grant access to objects it does not own

ACL
  • Bucket and object level
  • Default ACL: grants the owner FULL_CONTROL and nobody else anything
  • Max 100 grants per ACL
  • Grantee
    • AWS account
      • can be identified by canonical user ID or by e-mail address
      • Cannot grant permissions to individual IAM users (only to whole accounts)
    • Predefined AWS Group
      • Authenticated Users (any AWS account, not only yours) - the request must be signed (Authorization header)
      • All Users (includes anonymous, unsigned requests; this is what makes a bucket or object public)
      • Log Delivery Group (WRITE on the bucket lets S3 store server access logs in it)
  • Permissions
    • READ
      • Bucket
        • ListBucket, ListBucketVersions, ListBucketMultiPartUploads
      • Object
        • GetObject, GetObjectVersion, GetObjectTorrent
    • WRITE
      • Bucket
        • PutObject, DeleteObject, DeleteObjectVersion (only when grantee is owner)
    • READ_ACP (read bucket/object ACL)
      • Bucket
        • GetBucketACL
      • Object
        • GetObjectAcl, GetObjectVersionAcl
    • WRITE_ACP (change bucket/object ACL)
      • Bucket
        • PutBucketACL
      • Object
        • PutObjectAcl, PutObjectVersionAcl
  • Canned ACL (predefined grants)
    • private
    • public-read
    • public-read-write
    • aws-exec-read
    • authenticated-read
    • bucket-owner-read
    • bucket-owner-full-control
    • log-delivery-write
  • Use cases
    • Generally prefer Bucket Policy and IAM policy (ACL is the legacy mechanism, and the public-read/public-read-write canned ACLs are a frequent cause of accidental data exposure)
    • Log Delivery Group can only be granted via ACL
    • Bucket Policy document limit (20 KB) reached
    • Wide variety of per-object permissions that cannot be captured by a policy easily
    • Used in conjunction with Requester Pays

Pre-signed urls
  • Example
    • https://s3.amazonaws.com/examplebucket/test.txt
      ?X-Amz-Algorithm=AWS4-HMAC-SHA256
      &X-Amz-Credential=<your-access-key-id>/20130721/us-east-1/s3/aws4_request
      &X-Amz-Date=20130721T201207Z
      &X-Amz-Expires=86400
      &X-Amz-SignedHeaders=host
      &X-Amz-Signature=<signature-value>  
  • Uploading encrypted object
    • SSE-KMS / SSE-S3: sign the x-amz-server-side-encryption header as well, then the uploader must send exactly that header for the signature to match
    • SSE-C (customer specified key)
      • signing the customer-key/key-MD5 headers restricts that upload to one specific encryption key
  • Use cases
    • Restricted download
      • e.g. temporary access to a file (max 7 days with SigV4; a URL signed with temporary credentials also stops working when those credentials expire)
    • Restricted upload
      • e.g. letting a client upload one object without it holding any AWS credentials of its own
    • Communication mechanism in CloudFormation
      • CreationPolicy (resource signalling with cfn-signal)
      • WaitCondition/WaitConditionHandle - the handle is a pre-signed S3 URL to which the instance PUTs its success/failure signal
  • Generating
    • Signing is a local operation (HMAC with the signer's secret key, no call to S3), so anyone with valid security credentials can create a pre-signed URL for any bucket/key
      • It only works if the signer's own permissions allow the operation at the time the URL is used (otherwise it would be a privilege escalation); revoking the signer's credentials invalidates every URL they signed
    • All SDKs (e.g. Java) and the CLI (aws s3 presign) support creation
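Pure-stdlib Python that builds a URL of the shape shown above and then plays the part of S3 checking it, added here as an example (not code from the post or from an AWS SDK). It assumes virtual-hosted-style addressing (examplebucket.s3.amazonaws.com), uses AWS's published non-functional example key pair as sample credentials, and signs only the Host header; the real S3 additionally checks clock skew and the signer's IAM permissions at request time, which this model leaves out.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# AWS's published example (non-functional) credentials, used here as sample input.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_EXPIRES = 7 * 24 * 3600          # SigV4 pre-signed URLs live at most 7 days
SAFE = "-_.~"                        # RFC 3986 unreserved characters, never percent-encoded
TIME_FMT = "%Y%m%dT%H%M%SZ"          # X-Amz-Date format


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region, service="s3"):
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _canonical_query(params):
    return "&".join(f"{quote(k, safe=SAFE)}={quote(v, safe=SAFE)}" for k, v in sorted(params))


def _signature(host, canonical_uri, params, secret):
    """Signature over a GET whose only signed header is Host (payload unsigned)."""
    p = dict(params)
    amz_date = p["X-Amz-Date"]
    _, scope = p["X-Amz-Credential"].split("/", 1)   # "<date>/<region>/s3/aws4_request"
    date, region, _ = scope.split("/", 2)
    canonical_request = "\n".join([
        "GET", canonical_uri, _canonical_query(params),
        f"host:{host}\n",          # canonical headers block, newline-terminated
        "host",                    # signed headers list
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, amz_date, expires):
    """Build a pre-signed GET URL; amz_date is the signing time as YYYYMMDDTHHMMSSZ.
    Nothing here talks to AWS: the URL is derived from the secret alone."""
    host = f"{bucket}.s3.amazonaws.com"
    canonical_uri = quote("/" + key, safe="/" + SAFE)
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = [
        ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
        ("X-Amz-Credential", f"{access_key}/{scope}"),
        ("X-Amz-Date", amz_date),
        ("X-Amz-Expires", str(expires)),
        ("X-Amz-SignedHeaders", "host"),
    ]
    sig = _signature(host, canonical_uri, params, secret)
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_get(url, secret, now):
    """What S3 does on receipt: recompute the signature with the secret it holds for
    the access key id, then enforce the expiry window. now is YYYYMMDDTHHMMSSZ."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    presented = dict(params).get("X-Amz-Signature", "")
    unsigned = [(k, v) for k, v in params if k != "X-Amz-Signature"]
    expected = _signature(parts.netloc, parts.path, unsigned, secret)
    if not hmac.compare_digest(expected, presented):
        return False                          # tampered path/query, or wrong key
    p = dict(unsigned)
    expires = int(p["X-Amz-Expires"])
    if not 1 <= expires <= MAX_EXPIRES:
        return False
    issued = datetime.strptime(p["X-Amz-Date"], TIME_FMT).replace(tzinfo=timezone.utc)
    current = datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
    return issued <= current <= issued + timedelta(seconds=expires)


def example_url():
    """The post's example URL, rebuilt with the sample credentials (constructed input)."""
    return presign_get("examplebucket", "test.txt", EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY,
                       "us-east-1", "20130721T201207Z", 86400)


if __name__ == "__main__":
    url = example_url()
    print(url)
    print("valid one hour later:", verify_get(url, EXAMPLE_SECRET_KEY, "20130721T211207Z"))
    print("valid two days later:", verify_get(url, EXAMPLE_SECRET_KEY, "20130723T201207Z"))
    print("valid with other key:", verify_get(url, "not-the-signers-key", "20130721T211207Z"))
```

Because X-Amz-Expires and the object path are part of the signed canonical request, a recipient cannot stretch the lifetime or point the URL at a different key without invalidating the signature; the only way to cut a URL short is to revoke or rotate the credentials it was signed with.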

CORS
  • Lets browser JavaScript served from another origin call S3 despite the same-origin policy (SOP)
    • The browser sends a preflight (OPTIONS) request first; S3 answers it from the bucket's CORS configuration
    • CORS is not authorization: the actual request still needs a valid signature/pre-signed URL or a public ACL/policy
  • Configured on the bucket
  • CORSRule
    • AllowedOrigin (origin of the calling page, e.g. https://www.example.com; * allows any origin)
    • AllowedMethod (GET, PUT, POST, ...)
    • AllowedHeader (which headers the requester may ask for in the preflight request)
    • ExposeHeader (which response headers the client-side script is allowed to read)
    • MaxAgeSeconds - how long the browser may cache the preflight response
  • Use Cases
    • Auto-complete
    • Drag'n'Drop upload to S3
    • Upload progress
    • Update content directly from JS
    • Serving Web Fonts

VPC Endpoint
  • Gateway endpoint that lets instances in a VPC reach S3 without an Internet gateway or NAT
  • Use case
    • Keep traffic off the public Internet; combined with a bucket policy it also pins a bucket to one VPC
  • Policies
    • S3 bucket policy - who can access me (condition keys aws:SourceVpc and aws:SourceVpce; requests from anywhere else are denied)
    • Endpoint policy - whom can I access (e.g. my own buckets only, which blocks exfiltration through the endpoint to a bucket in another account)
  • No need to change the DNS name
    • The route table sends traffic for the S3 prefix list through the endpoint, so requests are routed differently without the client noticing
  • See also: VPC (Endpoint)

Macie
  • AWS managed service that scans and classifies data in S3 (e.g. PII, credentials) and alerts on unusual access to it
  • See also: Macie
