
How to use CSPM to help your organization against Ransomware attacks targeting data on Amazon S3?

This article was originally published on Medium -> Link

Ransomware attacks are becoming more frequent and sophisticated, with crackers targeting cloud-based data storage systems like Amazon S3. To protect your organization’s sensitive information from these threats, it’s important to implement a comprehensive security strategy. One of the tools that can help you achieve this is a Cloud Security Posture Management (CSPM) solution.


What is CSPM?

CSPM is a software solution that automates the process of monitoring and managing cloud security configurations. It provides a centralized view of your security posture across all your cloud assets, including Amazon S3. CSPM solutions use a combination of machine learning and human expertise to identify security risks and vulnerabilities and provide recommendations for remediation.

Some of these solutions can be integrated with your ticketing system (ServiceNow, PagerDuty), notification tools (Microsoft Teams, Slack), IDEs and CI/CD pipelines, and many other integrations that give your team full, real-time visibility into cloud misconfigurations.


Attack Vectors

Ransomware attacks on Amazon S3 are fundamentally different from those targeting conventional computer systems or servers with a traditional file system. There are two attack paths to consider for Amazon S3:

  • Ransomware can be uploaded to buckets through an application or directly to S3. To protect your cloud infrastructure against this you need a malware-scanning solution that scans every object stored in the buckets. For more details on how to do this, see my previous article -> Defending in Depth S3

  • Amazon Simple Storage Service (S3) can only be accessed through the S3 API, and every operation performed through this API (such as "Put", "Get" and "Delete") must be authenticated. This highlights the importance of properly managing credentials, which are central to securing access to S3 and to every other resource in the cloud.

It is important to note that Amazon S3 is not a platform on which malware can run and compromise the service itself. Unlike traditional file systems, where ransomware can encrypt files in place, S3 objects (the S3 equivalent of files) cannot be altered in place; the only way to change them is to copy them or delete them. This architectural design makes executing malware within S3 infeasible. Adversaries who want to manipulate S3 objects or buckets must instead use the APIs, accessing them with the victim's credentials.


Image from Amazon Web Services Blog

Securing data stored in Amazon S3 requires careful consideration of access permissions. By default, no access is granted, and it is essential to explicitly grant access through various mechanisms, including bucket policies and Access Control Lists (ACLs). Another important factor to consider is the use of IAM, where both users and roles can be granted access to S3.

It is critical to review the level of access granted to each IAM user and role, paying particular attention to potentially harmful actions such as DeleteObject and PutBucketLifecycleConfiguration, which can have unintended consequences. To minimize the risk of data loss, follow the principle of least privilege and grant only the minimum access necessary to perform a specific task. For more details about this topic, here are three additional pieces of content:

Here is a good example of how this attack could happen:


Attack Example in steps


How can CSPM help protect buckets against Ransomware targeting data on Amazon S3?

AWS recommends the following features to protect S3 buckets against ransomware attacks. Checking one S3 bucket is simple, but what about 100 or 1,000 buckets spread across multiple AWS accounts and multiple AWS regions? This is where a CSPM tool can help you and your organization.


Source: https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf

Here is a good example of the out-of-the-box rules that CSPM tools ship with. They can detect these misconfigurations in minutes across multiple accounts and, more importantly, keep monitoring them continuously. The CSPM provides real-time monitoring of your Amazon S3 environment, so you can detect and respond to potential misconfigurations very quickly.
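As an added example (not code from the article or from any CSPM vendor), here is a minimal rule engine in Python that encodes the checks discussed above: the destructive IAM actions named earlier (DeleteObject, PutBucketLifecycleConfiguration) and the bucket-level controls a CSPM rule set evaluates (versioning, MFA Delete, Object Lock, public access block). Bucket state is passed in as simplified dicts modelled on boto3 response fields; the sample inventory, policy and rule wording are constructed for the example.

```python
from typing import Dict, List

# Destructive S3 actions the article singles out, plus wildcards that imply them.
RISKY_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion",
                 "s3:PutBucketLifecycleConfiguration", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def check_bucket(name: str, state: Dict) -> List[str]:
    """Rules for one bucket. `state` is a simplified dict with the relevant fields of
    get_bucket_versioning / get_object_lock_configuration / get_public_access_block."""
    findings = []
    versioning = state.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append(f"{name}: versioning off, overwritten or deleted objects are unrecoverable")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append(f"{name}: MFA Delete not enabled on versioned bucket")
    if state.get("ObjectLock", {}).get("ObjectLockEnabled") != "Enabled":
        findings.append(f"{name}: Object Lock not enabled, no WORM retention")
    pab = state.get("PublicAccessBlock", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append(f"{name}: public access block incomplete")
    return findings  # empty list means the bucket passes every rule

def check_iam_policy(principal: str, policy: Dict) -> List[str]:
    """Flag Allow statements granting destructive S3 actions on every bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        risky = sorted(RISKY_ACTIONS.intersection(actions))
        if risky and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"{principal}: {', '.join(risky)} allowed on all S3 resources")
    return findings

# Constructed sample inventory (not from a real account): one hardened bucket,
# one exposed bucket and one over-privileged role policy.
SAMPLE_BUCKETS = {
    "backups-prod": {"Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
                     "ObjectLock": {"ObjectLockEnabled": "Enabled"},
                     "PublicAccessBlock": {k: True for k in PAB_KEYS}},
    "app-uploads": {"Versioning": {"Status": "Suspended"},
                    "PublicAccessBlock": {"BlockPublicAcls": True}},
}
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["s3:GetObject", "s3:DeleteObject"]}]}
```

Running the two checks over every bucket and policy in an account inventory is exactly the loop a CSPM performs across accounts and regions, with the findings routed to the ticketing or chat integrations mentioned earlier.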


Source: Trend Cloud One — Conformity

Here are some additional features that could help to protect your S3 buckets:

  1. Policy Enforcement: CSPM solutions can help enforce your organization’s security policies by checking for misconfigurations and alerting you to any deviations.

  2. Access Control: CSPM can help you manage access control to your Amazon S3 data so that only authorized personnel can access sensitive information. This is important in the event of a ransomware attack, as it limits the scope of the attack.

  3. Encryption: CSPM can also help you encrypt sensitive data stored on Amazon S3, making it more difficult for crackers to access and steal sensitive information.

  4. Backup and Recovery: CSPM solutions can help you implement an effective backup and recovery strategy, so you can quickly restore your data in the event of a ransomware attack.


Conclusion

In conclusion, CSPM is a valuable tool for helping organizations protect their data stored on Amazon S3 from ransomware attacks. By providing continuous monitoring and policy enforcement on top of the access control, encryption, backup and recovery capabilities provided by AWS, it helps you secure your sensitive information and reduce the risk of data loss.


Additional Resources:
