CH 3

Uploaded by Noor aldeen

Ch3: Securing Storage Services

Cloud Security Handbook

Find out how to effectively secure cloud environments using AWS, Azure, and GCP

Author: Eyal Estrin
Securing Storage Services
• In the previous chapter, we covered compute services. After compute services, the second most
common resource everyone talks about is storage – from object storage to block storage (which is also
known as instance attached storage), to file storage.
• We are using storage services to store our data.
• The following is a list of common threats that might impact our data when it is stored in the cloud:
– Unauthorized access
– Data leakage
– Data exfiltration
– Data loss
Securing Storage Services
• As a best practice, we should always use the following countermeasures when storing data in the
cloud:
– Access-control lists (ACLs; note that each cloud provider has its own implementation) and Identity and Access
Management (IAM), to restrict access from our cloud environment to the storage service.
– Encryption at both transit and rest to ensure data confidentiality.
– Auditing to have a log of who has access to our data and what actions were performed on our data (for instance,
uploads, downloads, updates, deletions, and more).
– Backups or taking snapshots to allow us to restore deleted data or return to the previous version of our data (for
example, in the event of ransomware encrypting our data).
In this chapter, we will cover the following topics:
• Securing object storage
• Securing block storage
• Securing file storage
• Securing the Container Storage Interface (CSI)


Technical requirements

• For this chapter, you are required to have a fundamental understanding of object storage, block storage, and file storage.

• Object storage is a special type of storage that is meant to store data.

• Files (or objects) are stored inside buckets (these are logical concepts such as directories or logical containers).

• Access to files on object storage is either done through the HTTP(S) protocol API via web command-line tools or
programmatically using SDK tools.

• Object storage is not meant to store operating systems or databases (please refer to the Securing block storage section).
Storage Types

Each storage type serves different purposes


Securing Amazon Simple Storage Service
• Amazon Simple Storage Service (Amazon S3) is the Amazon object storage service.
• Best practices for conducting authentication and authorization for Amazon S3
– AWS controls access to S3 buckets using ACLs.
– AWS supports the following methods to access S3 bucket permissions:
• IAM policies: This allows you to set permissions for what actions are allowed or denied from an identity (for instance, a
user, a group, or a role).
• Bucket policies: This allows you to set permissions at the S3 bucket level – it applies to all objects inside a bucket.
• S3 access points: This gives you the ability to grant access to S3 buckets to a specific group of users or applications.
Best practices for conducting authentication and
authorization for Amazon S3
Here is a list of best practices to follow:
• Create an IAM group, add users to the IAM group, and grant the required permissions on the target S3 bucket to the target IAM
group.
• Use IAM roles for services (such as applications or non-human identities) that require access to S3 buckets.
• Restrict access for IAM users/groups to a specific S3 bucket, rather than using wildcard permissions for all S3 buckets in the AWS
account.
• Remove default bucket owner access permissions to S3 buckets.
• Use IAM policies for applications (or non-human identities)/service-linked roles that need access to S3 buckets.
• Enable MFA delete for S3 buckets to avoid the accidental deletion of objects from a bucket.
• Grant minimal permissions to S3 buckets (that is, a specific identity on a specific resource with specific conditions).
Best practices for conducting authentication and
authorization for Amazon S3
Here is a list of best practices to follow:
• Use the bucket ACL's write permissions for the Amazon S3 log delivery group to allow this group the ability to write access logs
(for further analysis).
• For data that you need to retain for long periods (due to regulatory requirements), use the S3 object lock to protect the data from
accidental deletion.
• Encrypt data at rest using Amazon S3-Managed Encryption Keys (SSE-S3). This is explained in more detail in Chapter 7,
Applying Encryption in Cloud Services.
• For sensitive environments, encrypt data at rest using Customer-Provided Encryption Keys (SSE-C). This is explained, in more
detail, in Chapter 7, Applying Encryption in Cloud Services.
Best practices for securing network access to
Amazon S3
• Because Amazon S3 is a managed service, it is located outside the customer's Virtual Private Cloud (VPC). It is important to
protect access to the Amazon S3 service.
• Here is a list of best practices to follow:
– Unless there is a business requirement to share data publicly (such as static web hosting), keep all Amazon S3 buckets (all tiers) private.

– To secure access from your VPC to Amazon S3, use AWS PrivateLink. This keeps traffic inside the AWS backbone, through a
secure channel, using an interface VPC endpoint.

– For sensitive environments, use bucket policies to enforce access to an S3 bucket from a specific VPC endpoint or a specific VPC.

– Use bucket policies to enforce the use of transport encryption (HTTPS only).

– For sensitive environments, use bucket policies to require TLS version 1.2 as the minimum.

– Encrypt data at rest using SSE-S3 (as explained in Chapter 7, Applying Encryption in Cloud Services).
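The three bucket-policy controls listed above (HTTPS only, a TLS 1.2 minimum, and access only from a specific VPC endpoint) are normally written as explicit Deny statements. The following is an added example, not code from the book or from AWS: it builds such a policy using the real IAM condition keys `aws:SecureTransport`, `s3:TlsVersion` and `aws:SourceVpce`, then runs a deliberately simplified evaluator over constructed request contexts to show which statement blocks each request. The bucket name and VPC endpoint ID are constructed placeholders, and the evaluator models only the three condition operators the policy uses; it is an illustration of how the conditions behave, not a replacement for the IAM policy simulator.

```python
"""Added example: S3 bucket policy with explicit Deny statements for network
controls, plus a simplified evaluator (not full IAM semantics)."""
import json

BUCKET = "example-sensitive-bucket"        # constructed placeholder bucket name
ALLOWED_VPCE = "vpce-0123456789abcdef0"    # constructed placeholder endpoint ID


def build_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Return a bucket policy that denies plaintext HTTP, TLS below 1.2, and
    any request not arriving through the approved interface VPC endpoint."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": arns,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": arns,
             "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
            {"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": arns,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }


POLICY = build_bucket_policy(BUCKET, ALLOWED_VPCE)


def _condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Evaluate one condition against the request context. Only the three
    operators used by POLICY are modelled."""
    actual = ctx.get(key)
    if operator == "Bool":
        # Missing key -> condition does not match (as in IAM for positive operators).
        return actual is not None and str(actual).lower() == expected.lower()
    if operator == "NumericLessThan":
        return actual is not None and float(actual) < float(expected)
    if operator == "StringNotEquals":
        # Negated operator: in IAM a missing key makes this evaluate to true,
        # so a request with no aws:SourceVpce (e.g. from the internet) is denied.
        return actual != expected
    raise ValueError(f"operator {operator} is not modelled by this example")


def is_denied(policy: dict, request_ctx: dict) -> list:
    """Return the Sids of Deny statements whose conditions all match.
    Simplification: Principal/Action/Resource are treated as matching, since
    every statement above applies to '*' on the bucket's own ARNs."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = stmt.get("Condition", {})
        matched = all(
            _condition_matches(op, key, expected, request_ctx)
            for op, pairs in conditions.items()
            for key, expected in pairs.items()
        )
        if matched:
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # Constructed request contexts, as the S3 service would see them.
    requests = {
        "plain HTTP via endpoint": {"aws:SecureTransport": "false",
                                    "aws:SourceVpce": ALLOWED_VPCE},
        "TLS 1.1 via endpoint": {"aws:SecureTransport": "true",
                                 "s3:TlsVersion": "1.1",
                                 "aws:SourceVpce": ALLOWED_VPCE},
        "TLS 1.3 from the internet": {"aws:SecureTransport": "true",
                                      "s3:TlsVersion": "1.3"},
        "TLS 1.2 via endpoint": {"aws:SecureTransport": "true",
                                 "s3:TlsVersion": "1.2",
                                 "aws:SourceVpce": ALLOWED_VPCE},
    }
    for label, ctx in requests.items():
        print(f"{label}: denied by {is_denied(POLICY, ctx) or 'nothing'}")
```

Note that the evaluator returns a list of all matching Deny Sids: when tightening an existing bucket policy, seeing every statement that fires for a given request makes it easier to tell which control would break legitimate traffic from your VPC endpoint.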
Best practices for conducting auditing and
monitoring for Amazon S3
• Auditing is a crucial part of data protection.
• As with any other managed service, AWS allows you to enable logging and auditing using two built-in services:
– Amazon CloudWatch: This is a service that allows you to log object storage activities and raise the alarm according to predefined activities
(such as excessive delete actions).
– AWS CloudTrail: This is a service that allows you to monitor API activities (essentially, any action performed on Amazon S3).

• Here is a list of best practices to follow:


– Enable Amazon CloudWatch alarms for excessive S3 usage (for example, a high volume of GET, PUT, or DELETE operations on a specific S3
bucket).
– Enable AWS CloudTrail for any S3 bucket to log any activity performed on Amazon S3 by any user, role, or AWS service.
– Limit access to the CloudTrail logs to a minimum number of employees, preferably those with an AWS management account and outside
the scope of your end users, to avoid possible deletion of, or changes to, the audit logs.
Best practices for conducting auditing and
monitoring for Amazon S3
• Here is a list of best practices to follow:

– Enable S3 server access logs to record all access activities, complementary to AWS CloudTrail API-based logging (for the purpose of future
forensics).

– Use Access Analyzer for S3 to locate S3 buckets with public access or S3 buckets that have access from external AWS accounts.

– Enable file integrity monitoring to make sure files have not been changed.

– Enable object versioning to avoid accidental deletion (and to protect against ransomware).

– Use Amazon S3 inventory to monitor the status of S3 bucket replication (such as encryption on both the source and destination buckets).
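As an added example (not code from the book or from AWS), the following parses constructed S3 server access log lines and implements two of the detections described above: excessive DELETE operations by one identity within a short window, the condition the text suggests alarming on, and successful unauthenticated requests, which show that a bucket or object is publicly reachable. The sample lines follow the leading fields of the S3 server access log layout (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, HTTP status) but are shortened and constructed for this example; the account ID, user names, IP addresses and bucket name are placeholders.

```python
"""Added example: detections over S3 server access logs (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Leading fields of the S3 server access log format; trailing fields are
# omitted in the constructed sample, so the pattern stops at the HTTP status.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<req_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
DELETE_OPS = ("REST.DELETE.OBJECT", "REST.POST.MULTI_OBJECT_DELETE")

# Constructed sample: one normal user, one identity deleting six objects in
# about 30 seconds, one successful anonymous read, and one malformed line.
SAMPLE_LOG = """\
ownerid examplebucket [06/Feb/2024:10:00:01 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/alice 0001 REST.GET.OBJECT report.csv "GET /report.csv HTTP/1.1" 200
ownerid examplebucket [06/Feb/2024:10:00:09 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/alice 0002 REST.DELETE.OBJECT tmp/a.txt "DELETE /tmp/a.txt HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:04:30 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/alice 0003 REST.DELETE.OBJECT tmp/b.txt "DELETE /tmp/b.txt HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:05:00 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 0004 REST.DELETE.OBJECT data/1.csv "DELETE /data/1.csv HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:05:05 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 0005 REST.DELETE.OBJECT data/2.csv "DELETE /data/2.csv HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:05:11 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 0006 REST.DELETE.OBJECT data/3.csv "DELETE /data/3.csv HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:05:18 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 0007 REST.DELETE.OBJECT data/4.csv "DELETE /data/4.csv HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:05:24 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 0008 REST.DELETE.OBJECT data/5.csv "DELETE /data/5.csv HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:05:31 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/mallory 0009 REST.DELETE.OBJECT data/6.csv "DELETE /data/6.csv HTTP/1.1" 204
ownerid examplebucket [06/Feb/2024:10:06:45 +0000] 192.0.2.55 - 0010 REST.GET.OBJECT report.csv "GET /report.csv HTTP/1.1" 200
this line is malformed and must be skipped, not crash the parser
"""


def parse_access_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped so one bad
    record does not stop the batch."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def excessive_deletes(events: list, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {(requester, bucket): peak_count} for identities that issued at
    least `threshold` delete operations inside any sliding `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["operation"] in DELETE_OPS:
            by_actor[(ev["requester"], ev["bucket"])].append(ev["time"])
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


def anonymous_successes(events: list) -> list:
    """Requests with requester '-' (unauthenticated) that returned 2xx:
    direct evidence that the bucket or object is reachable without credentials."""
    return [ev for ev in events
            if ev["requester"] == "-" and 200 <= ev["status"] < 300]


if __name__ == "__main__":
    events = parse_access_log(SAMPLE_LOG)
    for (who, bucket), count in excessive_deletes(events).items():
        print(f"ALERT: {who} issued {count} deletes on {bucket} within 60s")
    for ev in anonymous_successes(events):
        print(f"ALERT: anonymous {ev['operation']} on {ev['bucket']}/{ev['key']} from {ev['ip']}")
```

The sliding window matters: a fixed per-minute bucket would miss a burst that straddles a minute boundary, while the window above counts any 60-second span. Server access logs are delivered on a best-effort basis with delay, so this style of check suits retrospective forensics; for near-real-time alarms the text's CloudWatch recommendation is the right tool.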
Securing block storage
• Block storage is a storage scheme like the on-premises Storage Area Network (SAN).
• It allows you to mount a volume (disk), format it to a common filesystem (such as NTFS for Windows or Ext4 for
Linux), and store various files, databases, or entire operating systems.
Best practices for securing Amazon Elastic Block
Store
• Amazon Elastic Block Store (Amazon EBS) is the AWS block storage.
• When working with EC2 instances, it is common to attach an additional volume to store your data (separately from
the operating system volume). This is also known as block storage.
• Amazon EBS can be attached to a single EC2 instance and can be accessed from within the operating system.
• The traffic between your EC2 instance and your attached EBS volume is encrypted at transit (and is automatically
configured and controlled by AWS).
Best practices for securing Amazon Elastic Block
Store
Here is a list of best practices for EBS volumes:
• Configure encryption by default for each region you are planning to deploy EC2 instances.
• Encrypt both boot and data volumes.
• Encrypt each EBS volume at creation time.
• Encrypt EBS volume snapshots.
• Use AWS Config to detect unattached EBS volumes.
• Use an IAM policy to define who can attach, detach, or create a snapshot for EBS volumes to minimize the risk of
data exfiltration.
Best practices for securing Amazon Elastic Block
Store
Here is a list of best practices for EBS volumes:
• Avoid configuring public access to your EBS volume snapshots – make sure all snapshots are encrypted.
• For highly sensitive environments, encrypt EBS volumes using the customer master key (as explained in Chapter 7,
Applying Encryption in Cloud Services).
• Set names and descriptions for EBS volumes to better understand which EBS volume belongs to which EC2
instance.
• Use tagging (that is, labeling) for EBS volumes to allow a better understanding of which EBS volume belongs to
which EC2 instance.
Securing file storage
• File storage is a storage service similar to on-premises network-attached storage (NAS).
• Each cloud provider has its own implementation of file storage, but at the end of the day, the basic ideas of file
storage are as follows:
– They offer support for common file sharing protocols (such as NFS and SMB/CIFS).
– They have the ability to mount a volume from a managed file service into an operating system to store and retrieve files, for
multiple VMs, in parallel.
– They have the ability to control access permissions to the remote filesystem.
– They enable automatic filesystem growth.
Securing Amazon Elastic File System
• Amazon Elastic File System (Amazon EFS) is the Amazon file storage service based on the NFS protocol.
Best practices for conducting authentication and authorization for Amazon EFS:
• AWS IAM is the supported service in which to manage permissions to access Amazon EFS.
Here is a list of best practices to follow:
• Avoid using the AWS root account to access AWS resources such as Amazon EFS.
• Create an IAM group, add users to the IAM group, and then grant the required permissions on the target Amazon
EFS to the target IAM group.
• Use IAM roles for federated users, AWS services, or applications that need access to Amazon EFS.
Best practices for conducting authentication and
authorization for Amazon EFS
• Use IAM policies to grant the minimal required permissions to create EFS volumes or access and use Amazon EFS.

• When using IAM policies, specify conditions (such as the source IP) and which actions an end user may take on the
target filesystem when those conditions are met.

• Use resource-based policies to configure who can access the EFS volume and what actions this end user can take
on the filesystem (for example, mount, read, write, and more).
Best practices for securing network access to
Amazon EFS
• Because Amazon EFS is a managed service, it is located outside the customer's VPC. It is important to protect
access to the Amazon EFS service.
Here is a list of best practices to follow:
• Keep Amazon EFS (that is, all storage classes) private.
• Use VPC security groups to control the access between your Amazon EC2 machines and the Amazon EFS mount
volumes.
• To secure access from your VPC to Amazon EFS, use AWS PrivateLink, which avoids sending network traffic
outside your VPC, through a secure channel, using an interface VPC endpoint.
• Use Amazon EFS access points to manage application access to the EFS volume.
Best practices for securing network access to
Amazon EFS
Here is a list of best practices to follow:
• Use STS to allow temporary access to Amazon EFS.
• Use an IAM policy to enforce encryption at rest for Amazon EFS filesystems. You can do this by setting the value
of elasticfilesystem:Encrypted to True inside the IAM policy condition.
• For sensitive environments, use the EFS mount helper to enforce the use of encryption in transit using TLS version
1.2 when mounting an EFS volume.
• Encrypt data at rest using AWS-managed CMK for Amazon EFS.
• For sensitive environments, encrypt data at rest using a CMK.
Best practices for conducting auditing and
monitoring for Amazon EFS
• Auditing is a crucial part of data protection.
Here is a list of best practices to follow:
• Enable Amazon CloudWatch alarms for excessive Amazon EFS usage (for example, a high volume of store or delete
operations on a specific EFS volume).
• Enable the use of AWS CloudTrail for any EFS volume to log any activity performed on the Amazon EFS API, including any
activity conducted by a user, role, or AWS service.
• Create a trail, using AWS CloudTrail, on any EFS volume to log events, such as a requested action, date, and time, requested
parameters, and more, for access to objects stored inside AWS EFS.
• Limit access to the CloudTrail logs to a minimum number of employees, preferably those with an AWS management
account and outside the scope of your end users, to avoid possible deletion of, or changes to, the audit logs.
Securing the CSI
• CSI is a standard interface, implemented by a driver, for connecting container orchestration systems such as Kubernetes to block
and file storage from various cloud providers.
Securing CSI on AWS
• Amazon Elastic Kubernetes Service (EKS) has a CSI driver for the following storage types:
– Block storage: EBS
– Managed NFS: EFS
– Parallel filesystem (for HPC workloads): Amazon FSx for Lustre
Securing CSI on AWS
• Here is a list of best practices to follow:

• When creating an IAM policy to connect to a CSI driver, specify the storage resource name instead of using a
wildcard.

• Use IAM roles for service accounts to restrict access to your pod.

• Always use the latest CSI version for your chosen storage type.

• When using the CSI driver for EBS and its snapshots, always set (in the YAML configuration file) the value of
encrypted to True and specify the Amazon KMS key ID (KmsKeyId). This allows the CSI driver to use a key from
Amazon KMS.
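The last practice above is normally enforced at the StorageClass level: every volume provisioned through that class inherits the encryption settings, so a check over the StorageClass manifests catches the weak setting before any PersistentVolume exists. The following is an added example, not code from the book, from AWS or from the EBS CSI project: an admission-style check over StorageClass manifests embedded as Python dicts (the JSON equivalent of the YAML an administrator would apply). The provisioner name `ebs.csi.aws.com` and the parameter names `encrypted` and `kmsKeyId` are those the AWS EBS CSI driver accepts, to the best of this editor's knowledge (the slide spells the latter `KmsKeyId`, so the check reads both spellings); the KMS key ARN and class names are constructed placeholders.

```python
"""Added example: check EBS CSI StorageClass manifests for encryption settings."""

EBS_CSI_PROVISIONER = "ebs.csi.aws.com"
EFS_CSI_PROVISIONER = "efs.csi.aws.com"
# Constructed placeholder: a customer-managed KMS key ARN.
KMS_KEY_PLACEHOLDER = ("arn:aws:kms:us-east-1:111122223333:key/"
                       "00000000-0000-0000-0000-000000000000")

# Manifests as dicts; StorageClass parameters are always strings in Kubernetes.
COMPLIANT_SC = {
    "apiVersion": "storage.k8s.io/v1",
    "kind": "StorageClass",
    "metadata": {"name": "ebs-gp3-encrypted"},
    "provisioner": EBS_CSI_PROVISIONER,
    "parameters": {"type": "gp3", "encrypted": "true",
                   "kmsKeyId": KMS_KEY_PLACEHOLDER},
    "volumeBindingMode": "WaitForFirstConsumer",
}

WEAK_SC = {  # the 'before' state: nothing about encryption is specified
    "apiVersion": "storage.k8s.io/v1",
    "kind": "StorageClass",
    "metadata": {"name": "ebs-gp3"},
    "provisioner": EBS_CSI_PROVISIONER,
    "parameters": {"type": "gp3"},
    "volumeBindingMode": "WaitForFirstConsumer",
}

EFS_SC = {  # a different CSI driver; this check deliberately leaves it alone
    "apiVersion": "storage.k8s.io/v1",
    "kind": "StorageClass",
    "metadata": {"name": "efs-sc"},
    "provisioner": EFS_CSI_PROVISIONER,
    "parameters": {"provisioningMode": "efs-ap", "fileSystemId": "fs-PLACEHOLDER"},
}


def check_storage_class(sc: dict) -> list:
    """Return a list of findings for an EBS CSI StorageClass; an empty list
    means the class is compliant or is not an EBS CSI class."""
    if sc.get("kind") != "StorageClass":
        return ["manifest is not a StorageClass"]
    if sc.get("provisioner") != EBS_CSI_PROVISIONER:
        return []
    params = sc.get("parameters") or {}
    findings = []
    if str(params.get("encrypted", "false")).lower() != "true":
        findings.append('parameters.encrypted must be the string "true"')
    # Accept the driver's camelCase key and the slide's spelling.
    key_id = params.get("kmsKeyId") or params.get("KmsKeyId")
    if not key_id:
        findings.append("parameters.kmsKeyId missing: encrypted volumes would fall "
                        "back to the default EBS key instead of a chosen KMS key")
    elif not key_id.startswith("arn:aws:kms:"):
        findings.append("parameters.kmsKeyId should be a full KMS key ARN")
    return findings


def audit_storage_classes(manifests: list) -> dict:
    """Map each class name to its findings, keeping only classes with findings."""
    report = {}
    for sc in manifests:
        findings = check_storage_class(sc)
        if findings:
            report[sc.get("metadata", {}).get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_storage_classes([COMPLIANT_SC, WEAK_SC, EFS_SC]).items():
        print(f"{name}:")
        for f in findings:
            print(f"  - {f}")
```

Running the check as a CI step over the cluster's manifests, or as the logic behind an admission policy, turns the slide's advice into something enforced rather than remembered; the same pattern extends to the EBS CSI VolumeSnapshotClass, which the text also asks to keep encrypted.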
Summary

• In this chapter, we focused on the various storage services in AWS ranging from object storage to block
storage, file storage, and, finally, container storage.

• In each section, we learned how to manage identity management (for authentication and authorization),
how to control network access (from access controls to network encryption), and how to configure
auditing and logging.

• In the next chapter, we will review the various network services in the cloud (including virtual
networking, security groups and ACLs, DNS, CDN, VPN, DDoS protection, and WAF).
