As one of the largest cloud service providers in the world, Amazon Web Services (AWS) is an integral part of digital transformation for many organizations. It provides a wide range of services, from computing and storage to database and analytics, that allow companies to build and manage their applications with ease.
In response to a growing number of cyberthreats and data breaches, AWS has been implementing new security changes. Starting in April 2023, Amazon Simple Storage Service (S3) will introduce two new default security settings: automatically enabling Block Public Access and automatically disabling access control lists (ACLs) for all new S3 buckets.
Even if you already block public access to your S3 buckets, it’s worth understanding how these default changes may impact your cloud environment. In this blog post, we’ll discuss the upcoming AWS access changes and explain how to guarantee the security of your data.
Amazon offers several services and tools to ensure that only authorized users can access sensitive data stored in AWS. These tools typically help organizations manage permissions in AWS by creating policies and attaching them to certain identities or resources. Some of the top AWS access control tools include AWS Identity and Access Management (IAM), AWS Organizations, Amazon Cognito, and AWS Resource Access Manager (RAM).
These tools can grant, limit, and monitor access for employees and even for customers based on specific policies set by your organization. In general, the tools are based on the principle of least privilege, which helps prevent unauthorized access by limiting user privileges to only those necessary to perform their job functions.
The two AWS access changes are designed to automatically implement Amazon’s longstanding recommendations for bucket security. Once the changes are rolled out in April, all newly created buckets in the AWS region will have these security settings. They will be the new default for all buckets that are created using the S3 API, S3 CLI, AWS SDKs, or AWS CloudFormation templates.
According to AWS, the new default settings are intended to extend a simplified and secure access management posture to all new S3 buckets. The settings of existing buckets will not be changed.
The first new default setting is automatically enabling S3 Block Public Access for all new S3 buckets. This feature prevents unauthorized access to S3 buckets and minimizes the risk of accidental data exposure and breaches.
Specifically, Block Public Access provides controls at the level of an entire AWS account or of an individual S3 bucket to ensure that objects never have public access. It’s been available as a setting — though not a default setting — for buckets since 2018.
Although S3 buckets have always been private by default, automatically enabling the Block Public Access setting adds extra security by preventing the granting of public access to S3 buckets. In order to make a new S3 bucket public after April 2023, the bucket owner will have to either deliberately configure their buckets to be public or use access control lists (ACLs)… which brings us to the second change.
AWS is also changing its default setting for access control lists. As of April, ACLs will be disabled by default on all new S3 buckets. This change is designed to simplify the security configuration process for data stored in S3 and to minimize the risk of misconfigurations.
ACLs have been around since 2021, and they are used to control access to S3 buckets and objects within them. However, they can be complex to manage and can lead to misconfigured settings and even data breaches. By disabling them, AWS is hoping to prevent the accidental exposure of sensitive data — an unfortunately common occurrence.
For both access changes, the new default settings can be overridden by account administrators and developers. (Admins may have to update automation scripts, AWS CloudFormation templates, or other infrastructure configuration tools to do so.) In their blog post about the upcoming changes, however, AWS emphasizes that the default settings should generally be left enabled unless there’s a specific need to disable them.
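The two settings described above map onto two S3 API configurations: Block Public Access is the PublicAccessBlockConfiguration with its four flags (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets), and "ACLs disabled" is the ObjectOwnership value BucketOwnerEnforced in the bucket's OwnershipControls. Because the new defaults only apply to new buckets, the practical question for most teams is which existing buckets fall short of them. The following is an added example, not code from the original post or from AWS: it audits a set of bucket configurations against the new defaults and applies them to the ones that differ. The bucket data and the RecordingClient are constructed so it runs offline; the method names on the client are boto3's real ones, so a genuine `boto3.client("s3")` can be passed in place of the stand-in.

```python
"""Audit and remediate S3 buckets against the April 2023 S3 defaults.

Added example, not code from the original post or from AWS. It consumes the
response shapes of two real S3 API calls, GetPublicAccessBlock and
GetBucketOwnershipControls (as boto3's s3.get_public_access_block() and
s3.get_bucket_ownership_controls() return them), and issues the matching
Put calls. SAMPLE_BUCKETS and RecordingClient are constructed for an
offline run.
"""
from dataclasses import dataclass, field

# The four Block Public Access controls; the new default turns on all four.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# The ObjectOwnership value that means "ACLs disabled" (the new default).
ACLS_DISABLED = "BucketOwnerEnforced"


@dataclass
class Finding:
    bucket: str
    issues: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def check_public_access_block(config):
    """config is the PublicAccessBlockConfiguration dict, or None when the
    bucket has none (GetPublicAccessBlock then raises
    NoSuchPublicAccessBlockConfiguration; the caller maps that to None)."""
    if config is None:
        return ["no Block Public Access configuration on the bucket"]
    return [f"{flag} is off" for flag in BPA_FLAGS if not config.get(flag, False)]


def check_ownership(controls):
    """controls is the OwnershipControls dict, or None when the bucket has no
    rule (GetBucketOwnershipControls then raises OwnershipControlsNotFoundError).
    A bucket with no rule behaves as ObjectWriter, i.e. ACLs are enabled."""
    rules = (controls or {}).get("Rules", [])
    ownership = rules[0]["ObjectOwnership"] if rules else "ObjectWriter"
    if ownership != ACLS_DISABLED:
        return [f"ACLs enabled (ObjectOwnership={ownership})"]
    return []


def audit(buckets):
    """buckets maps a bucket name to its two fetched configurations."""
    findings = []
    for name, cfg in buckets.items():
        finding = Finding(name)
        finding.issues += check_public_access_block(cfg.get("public_access_block"))
        finding.issues += check_ownership(cfg.get("ownership_controls"))
        findings.append(finding)
    return findings


def remediate(s3, bucket):
    """Apply the new defaults to an existing bucket via an S3 client that has
    boto3's method names. Caveat: S3 rejects BucketOwnerEnforced while the
    bucket ACL still grants access to other principals; move those grants
    into a bucket policy first."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={flag: True for flag in BPA_FLAGS},
    )
    s3.put_bucket_ownership_controls(
        Bucket=bucket,
        OwnershipControls={"Rules": [{"ObjectOwnership": ACLS_DISABLED}]},
    )


def remediate_noncompliant(s3, buckets):
    """Audit, then bring every non-compliant bucket to the new defaults.
    Returns the names of the buckets that were changed."""
    changed = []
    for finding in audit(buckets):
        if not finding.compliant:
            remediate(s3, finding.bucket)
            changed.append(finding.bucket)
    return changed


class RecordingClient:
    """Constructed stand-in for a boto3 S3 client: records the Put calls
    instead of talking to AWS, so the example runs offline."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(("put_public_access_block", kwargs))

    def put_bucket_ownership_controls(self, **kwargs):
        self.calls.append(("put_bucket_ownership_controls", kwargs))


# Constructed sample: one bucket created after the change next to two older ones.
SAMPLE_BUCKETS = {
    "new-default-bucket": {
        "public_access_block": {flag: True for flag in BPA_FLAGS},
        "ownership_controls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]},
    },
    "legacy-static-site": {  # public via bucket policy, still relies on ACLs
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "ownership_controls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]},
    },
    "legacy-2019-bucket": {  # predates both features, nothing configured
        "public_access_block": None,
        "ownership_controls": None,
    },
}


if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKETS):
        print(f"{finding.bucket}: {'OK' if finding.compliant else '; '.join(finding.issues)}")
    print("remediated:", remediate_noncompliant(RecordingClient(), SAMPLE_BUCKETS))
```

Run against a real account, the two `get_*` calls have to be wrapped so that the NoSuchPublicAccessBlockConfiguration and OwnershipControlsNotFoundError responses become `None`, which is exactly the state an old bucket from before either feature existed will report. Buckets that are deliberately public, such as the static-site case in the sample, are correctly reported as non-compliant; whether to remediate them is the policy decision the post describes, so `remediate_noncompliant` is best run on a reviewed list rather than blindly on every finding.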
The April 2023 AWS access changes are designed to simplify the security configuration process and minimize the risk of misconfigurations for S3 buckets. But some organizations need more advanced security and resilience for their mission-critical data.
ShardSecure’s holistic data control platform offers a way to achieve this security and resilience. Our technology prevents unauthorized reassembly of data by everyone from cloud storage admins to cyberattackers. It allows companies to keep their data secure from threats in whatever architecture they choose: multiple AWS buckets, a multi-cloud mix of AWS and other storage providers, or even hybrid configurations of AWS and on-prem data centers. Even if an existing AWS bucket not affected by the April access changes is accidentally left exposed, ShardSecure ensures that the data inside that bucket will remain unintelligible to unauthorized users.
Our platform also allows companies to leverage cost savings in the cloud. With ShardSecure, you can use lower-cost storage tiers like AWS S3 object storage without losing EFS-level performance or rewriting legacy applications.
To learn more about achieving greater security and cost savings in AWS, take a look at our resources page.
IAM Access Analyzer Guides You Toward Least-Privilege Permissions | AWS
Amazon Web Services (AWS) Data Breaches: Full Timeline Through 2022 | Firewall Times
Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 | AWS News Blog