Most businesses collect, process, and store sensitive customer data that needs to be secured to earn customer trust and protect customers against abuses. Regulated businesses must prove they meet guidelines established by regulatory bodies. As an example, in the capital markets, broker-dealers and investment advisors must demonstrate they address the guidelines proposed by the Office of Compliance Inspections (OCIE), a division of the United States Securities Exchange Commission (SEC).
So what do you do as a business to secure and protect customer data in cloud, and to provide assurance to an auditor/regulator on customer’s data protection?
In this post, I will introduce you to 13 key AWS tools that you can use to address different facets of data protection across different types of AWS storage services. As a structure for the post, I will explain the key findings and issues the SEC OCIE found, and will explain how these tools help you meet the toughest compliance obligations and guidance. These tools and use cases apply to other industries as well.
What SEC OCIE observations mean for AWS customers
The SEC established the SEC Regulation S-P (primary rule for privacy notices and safeguard policies) and Regulation S-ID (identity theft red flags rules) as compliance requirements for financial institutions that includes securities firms. In 2019, the OCIE examined broker-dealers’ and investment advisors’ use of network storage solutions, including cloud storage to identify gaps in effective practices to protect stored customer information. OCIE noted gaps in security settings, configuration management, and oversight of vendor network storage solutions. OCIE also noted that firms don’t always use the available security features on storage solutions. The gaps can be summarized into three problem areas as below. These gaps are common to businesses in other industries as well.
- Misconfiguration – Misconfigured network storage solution and missed security settings
- Monitoring & Oversight – Inadequate oversight of vendor-provided network storage solutions
- Data protection – Insufficient data classification policies and procedures
So how can you effectively use AWS security tools and capabilities to review and enhance your security and configuration management practices?
AWS tools and capabilities to help review, monitor and address SEC observations
I will cover the 13 key AWS tools that you can use to address different facets of data protection of storage under the same three (3) broad headings as above: 1. Misconfiguration, 2. Monitoring & Oversight, 3. Data protection.
All of these 13 tools rely on automated monitoring alerts along with detective, preventative, and predictive controls to help enable the available security features and data controls. Effective monitoring, security analysis, and change management are key to help companies, including capital markets firms protect customers’ data and verify the effectiveness of security risk mitigation.
AWS offers a complete range of cloud storage services to help you meet your application and archival compliance requirements. Some of the AWS storage services for common industry use are:
- Object storage using Amazon Simple Storage Service (Amazon S3)
- File storage using Amazon Elastic File System (Amazon EFS)
- Block storage using Amazon Elastic Block Store (Amazon EBS)
- Archive using Amazon S3 Glacier
- Hybrid storage using AWS Storage Gateway
I use Amazon S3 and Amazon EBS for examples in this post.
Establish control guardrails by operationalizing the shared responsibility model
Before covering the 13 tools, let me reinforce the foundational pillar of the cloud security. The AWS shared responsibility model, where security and compliance is a shared responsibility between AWS and you as the AWS customer, is consistent with OCIE recommendations for ownership and accountability, and use of all available security features.
We start with the baseline structure for operationalizing the control guardrails. A lack of clear understanding of the shared responsibility model can result in missed controls or unused security features. Clarifying and operationalizing this shared responsibility model and shared controls helps enable the controls to be applied to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives.
Security of the cloud – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS cloud.
Security in the cloud – Your responsibility as a user of AWS is determined by the AWS cloud services that you select. This determines the amount of configuration work you must perform as part of your security responsibilities. You’re responsible for managing data in your care (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
Misconfiguration – Monitor, detect, and remediate misconfiguration with AWS cloud storage services
Monitoring, detection, and remediation are the specific areas noted by the OCIE. Misconfiguration of settings results in errors such as inadvertent public access, unrestricted access permissions, and unencrypted records. Based on your use case, you can use a wide suite of AWS services to monitor, detect, and remediate misconfiguration.
Access analysis via AWS Identity and Access Management (IAM) Access Analyzer – Identifying if anyone is accessing your resources from outside an AWS account due to misconfiguration is critical. Access Analyzer identifies resources that can be accessed without an AWS account. For example Access Analyzer continuously monitors for new or updated policies, and it analyzes permissions granted using policies for Amazon S3 buckets, AWS Key Management Service (AWS KMS) and AWS IAM roles. To learn more about using IAM Access Analyzer to flag unintended access to S3 buckets, see IAM Access Analyzer flags unintended access to S3 buckets shared through access points.
Actionable security checks via AWS Trusted Advisor – Unrestricted access increases opportunities for malicious activity such as hacking, denial-of-service attacks, and data theft. Trusted Advisor posts security advisories that should be regularly reviewed and acted on. Trusted Advisor can alert you to risks such as Amazon S3 buckets that aren’t secured and Amazon EBS volume snapshots that are marked as public. Bucket permissions that don’t limit who can upload or delete data create potential security vulnerabilities by allowing anyone to add, modify, or remove items in a bucket. Trusted Advisor examines explicit bucket permissions and associated bucket policies that might override the bucket permissions. It also checks security groups for rules that allow unrestricted access to a resource. To learn more about using Trusted Advisor, see How do I start using Trusted Advisor?
Encryption via AWS Key Management Service (AWS KMS) – Simplifying the process to create and manage encryption keys is critical to configuring data encryption by default. You can use AWS KMS master keys to automatically control the encryption of the data stored within services integrated with AWS KMS such as Amazon EBS and Amazon S3. AWS KMS gives you centralized control over the encryption keys used to protect your data. AWS KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service. The service uses FIPS140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of keys. For example, you can specify that all newly created Amazon EBS volumes be created in encrypted form, with the option to use the default key provided by AWS KMS or a key you create. Amazon S3 inventory can be used to audit and report on the replication and encryption status of objects for business, compliance, and regulatory needs. To learn more about using KMS to enable data encryption on S3, see How to use KMS and IAM to enable independent security controls for encrypted data in S3.
Monitoring & Oversight – AWS storage services provide ongoing monitoring, assessment, and auditing
Continuous monitoring and regular assessment of control environment changes and compliance are key to data storage oversight. They help you validate whether security and access settings and permissions across your organization’s cloud storage are in compliance with your security policies and flag non-compliance. For example, you can use AWS Config or AWS Security Hub to simplify auditing, security analysis, monitoring, and change management.
Configuration compliance monitoring via AWS Config – You can use AWS Config to assess how well your resource configurations align with internal practices, industry guidelines, and regulations by providing a detailed view of the configuration of AWS resources including current, and historical configuration snapshot and changes. AWS Config managed rules are predefined, customizable rules to evaluate whether your AWS resources align with common best practices. Config rules can be used to evaluate the configuration settings, detect and remediate violation of conditions in the rules, and flag non-compliance with internal practices. This helps demonstrate compliance against internal policies and best practices, for data that requires frequent audits. For example you can use a managed rule to quickly assess whether your EBS volumes are encrypted or whether specific tags are applied to your resources. Another example of AWS Config rules is on-going detective controls that check that your S3 buckets don’t allow public read access. The rule checks the block public access setting, the bucket policy, and the bucket access control list (ACL). You can configure the logic that determines compliance with internal practices, which lets you automatically mark IAM roles in use as compliant and inactive roles as non-compliant. To learn more about using AWS Config rule, see Setting up custom AWS Config rule that checks the OS CIS compliance.
Automated compliance checks via AWS Security Hub – Security Hub eliminates the complexity and reduces the effort of managing and improving the security and compliance of your AWS accounts and workloads. It helps improve compliance with automated checks by running continuous and automated account and resource-level configuration checks against the rules in the supported industry best practices and standards, such as the CIS AWS Foundations Benchmarks. Security Hub insights are grouped findings that highlight emerging trends or possible issues. For example, insights help to identify Amazon S3 buckets with public read or write permissions. It also collects findings from partner security products using a standardized AWS security finding format, eliminating the need for time-consuming data parsing and normalization efforts. To learn more about Security Hub, see AWS Foundational Security Best Practices standard now available in Security Hub.
Security and compliance reports via AWS Artifact – As part of independent oversight, third-party auditors test more than 2,600 standards and requirements in the AWS environment throughout the year. AWS Artifact provides on-demand access to AWS security and compliance reports such as AWS Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies that validate the implementation and operating effectiveness of AWS security controls. You can access these attestations online under the artifacts section of the AWS Management Console. To learn more about accessing Artifact, see Downloading Reports in AWS Artifact.
Data Protection – Data classification policies and procedures for discovering, and protecting data
It’s important to classify institutional data to support application of the appropriate level of security. Data discovery and classification enables the implementation of the correct level of security, privacy, and access controls. Discovery and classification are highly complex given the volume of data involved and the tradeoffs between a strict security posture and the need for business agility.
Controls via S3 Block Public Access – S3 Block Public Access can help controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects do not have public permissions. Block Public Access is a good second layer of protection to ensure you don’t’ inadvertently grant broader access to objects than intended. To learn more about using S3 Block Public Access, see Learn how to use two important Amazon S3 security features – Block Public Access and S3 Object Lock.
Sensitive data protection via Amazon Macie – You can use Macie to discover, classify, and protect sensitive data like personally identifiable information (PII) stored in Amazon S3. Macie monitors data access patterns for anomalies and generates alerts when it detects a risk of unauthorized access or inadvertent data leaks. Tag Editor can be used to add tags to help identify S3 resources that are security sensitive or might be audited, assess their security posture, and take action on potential areas of weakness. To learn more about using Macie, see Classify sensitive data in your environment using Amazon Macie.
WORM data conformance via Amazon S3 Object Lock – Object Lock can help you meet the technical requirements of financial services regulations that require write once, read many (WORM) data storage for certain types of books and records information. To learn more about using S3 Object Lock, see Learn how to use two important Amazon S3 security features – Block Public Access and S3 Object Lock.
Alerts via Amazon GuardDuty – GuardDuty is designed to raise alarms when someone is scanning for potentially vulnerable systems or moving unusually large amounts of data to or from unexpected places. To learn more about GuardDuty findings, see Visualizing Amazon GuardDuty findings.
Note: AWS strongly recommends that you never put sensitive identifying information into free-form fields or metadata, such as function names or tags. The reason being any data entered into metadata might be included in diagnostic logs.
Effective configuration management program features, and practices
OCIE also noted effective industry practices for storage configuration, including:
- Policies and procedures to support the initial installation and ongoing maintenance and monitoring of storage systems
- Guidelines for security controls and baseline security configuration standards
- Vendor management policies and procedures for security configuration assessment after software and hardware patches
In addition to the services already covered, AWS offers several other services and capabilities to help you implement effective control measures.
Security assessments using Amazon Inspector – You can use Amazon Inspector to assess your AWS resources for vulnerabilities or deviations from best practices and produce a detailed list of security findings prioritized by level of severity. For example, Amazon Inspector security assessments can help you check for unintended network accessibility of your Amazon Elastic Compute Cloud (Amazon EC2) instances and for vulnerabilities on those instances. To learn more about assessing network exposure of EC2 instances, see A simpler way to assess the network exposure of EC2 instances: AWS releases new network reachability assessments in Amazon Inspector.
Configuration compliance via AWS Config conformance packs – Conformance packs help you manage configuration compliance of your AWS resources at scale—from policy definition to auditing and aggregated reporting—using a common framework and packaging model. This helps to quickly establish a common baseline for resource configuration policies and best practices across multiple accounts in your organization in a scalable and efficient way. Sample conformance pack templates such as Operational best practices for Amazon S3 can help you to quickly get started on evaluating and configuring your AWS environment. To learn more about AWS Config conformance packs, see Manage custom AWS Config rules with remediations using conformance packs.
Logging and monitoring via AWS CloudTrail – CloudTrail lets you track and automatically respond to account activity that threatens the security of your AWS resources. With Amazon CloudWatch Events integration, you can define workflows that execute when events that can result in security vulnerabilities are detected. For example, you can create a workflow to add a specific policy to an Amazon S3 bucket when CloudTrail logs an API call that makes that bucket public. To learn more about using CloudTrail to respond to unusual API activity, see Announcing CloudTrail Insights: Identify and Respond to Unusual API Activity.
Machine learning based investigations via Amazon Detective – Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that helps you to conduct faster, more efficient security investigations. To learn more about Amazon Detective based investigation, see Amazon Detective – Rapid Security Investigation and Analysis.
AWS security and compliance capabilities are well suited to help you review the SEC OCIE observations, and implement effective practices to safeguard your organization’s data in AWS cloud storage. To review and enhance the security of your cloud data storage, learn about these 13 AWS tools and capabilities. Implementing these wide variety of monitoring, auditing, security analysis, and change management capabilities will help you to remediate the potential gaps in security settings and configurations. Many customers engage AWS Professional Services to help define and implement their security, risk, and compliance strategy, governance structures, operating controls, shared responsibility model, control mappings, and best practices.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.