SEC08-BP04 Enforce access control
Enforce access control with least privileges and mechanisms, including backups, isolation, and versioning, to help protect your data at rest. Prevent operators from granting public access to your data.
Different controls, including access (using least privilege), backups (see the Reliability whitepaper), isolation, and versioning, can all help protect your data at rest. Access to your data should be audited using the detective mechanisms covered earlier in this paper, including CloudTrail and service-level logs such as Amazon Simple Storage Service (Amazon S3) access logs. You should inventory what data is publicly accessible, and plan for how you can reduce the amount of data available over time. Amazon S3 Glacier Vault Lock and Amazon S3 Object Lock are capabilities providing mandatory access control—once a vault policy is locked with the compliance option, not even the root user can change it until the lock expires. The mechanism meets the Books and Records Management requirements of the SEC, CFTC, and FINRA. For more details, see this whitepaper.
Level of risk exposed if this best practice is not established: Low
Implementation guidance
- Enforce access control: Enforce access control with least privileges, including access to encryption keys.
- Separate data based on different classification levels: Use different AWS accounts for data classification levels, managed by AWS Organizations.
- Review AWS KMS policies: Review the level of access granted in AWS KMS policies.
- Review Amazon S3 bucket and object permissions: Regularly review the level of access granted in Amazon S3 bucket policies. Best practice is to not have publicly readable or writeable buckets. Consider using AWS Config to detect buckets that are publicly available, and Amazon CloudFront to serve content from Amazon S3.
- Enable Amazon S3 versioning and Object Lock.
- Use Amazon S3 Inventory: Amazon S3 Inventory is one of the tools you can use to audit and report on the replication and encryption status of your objects.
- Review Amazon EBS and AMI sharing permissions: Sharing permissions can allow images and volumes to be shared with AWS accounts external to your workload.
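As an added example (not from this whitepaper or any AWS tool), the following check applies the bucket-policy review described above to two constructed policies: one that grants anonymous read, and one that serves objects only through CloudFront and denies non-TLS requests. The bucket name, distribution ARN and account ID are placeholders.

```python
import json

# Constructed sample bucket policies (not from the page). The first grants
# anonymous read on every object; the second allows reads only from a
# CloudFront distribution and denies any request not sent over TLS.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnonRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudFrontRead", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
         "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket",
                                    "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})


def _is_anonymous(principal) -> bool:
    """True when Principal matches any caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that grant access to anyone with no
    Condition. Deny statements with Principal "*" are not flagged: that is how a
    policy blocks insecure transport or untrusted accounts. A conditioned
    anonymous grant is not reported here; AWS treats only a fixed set of
    condition keys as non-public, so review those by hand."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be unwrapped
        stmts = [stmts]
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]
```

Running `public_statements` over a policy pulled with the S3 GetBucketPolicy API gives the same class of finding that an AWS Config public-read rule would raise, without waiting for the evaluation cycle.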