SEC08-BP04 Enforce access control
To help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data.
Desired outcome: Verify that only authorized users can access data on a need-to-know basis. Protect your data with regular backups and versioning to prevent against intentional or inadvertent modification or deletion of data. Isolate critical data from other data to protect its confidentiality and data integrity.
Common anti-patterns:
-
Storing data with different sensitivity requirements or classification together.
-
Using overly permissive permissions on decryption keys.
-
Improperly classifying data.
-
Not retaining detailed backups of important data.
-
Providing persistent access to production data.
-
Not auditing data access or regularly reviewing permissions.
Level of risk exposed if this best practice is not established: Low
Implementation guidance
Multiple controls can help protect your data at rest, including access (using least privilege), isolation, and versioning. Access to your data should be audited using detective mechanisms, such as AWS CloudTrail, and service level logs, such as Amazon Simple Storage Service (Amazon S3) access logs. You should inventory what data is publicly accessible, and create a plan to reduce the amount of publicly available data over time.
Amazon S3 Glacier Vault Lock and Amazon S3 Object Lock provide mandatory access control for objects in Amazon S3—once a vault policy is locked with the compliance option, not even the root user can change it until the lock expires.
Implementation steps
-
Enforce access control: Enforce access control with least privileges, including access to encryption keys.
-
Separate data based on different classification levels: Use different AWS accounts for data classification levels, and manage those accounts using AWS Organizations.
-
Review AWS Key Management Service (AWS KMS) policies: Review the level of access granted in AWS KMS policies.
-
Review Amazon S3 bucket and object permissions: Regularly review the level of access granted in S3 bucket policies. Best practice is to avoid using publicly readable or writeable buckets. Consider using AWS Config to detect buckets that are publicly available, and Amazon CloudFront to serve content from Amazon S3. Verify that buckets that should not allow public access are properly configured to prevent public access. By default, all S3 buckets are private, and can only be accessed by users that have been explicitly granted access.
-
Use AWS IAM Access Analyzer: IAM Access Analyzer analyzes Amazon S3 buckets and generates a finding when an S3 policy grants access to an external entity.
-
Use Amazon S3 versioning and object lock when appropriate.
-
Use Amazon S3 Inventory: Amazon S3 Inventory can be used to audit and report on the replication and encryption status of your S3 objects.
-
Review Amazon EBS and AMI sharing permissions: Sharing permissions can allow images and volumes to be shared with AWS accounts that are external to your workload.
-
Review AWS Resource Access Manager Shares periodically to determine whether resources should continue to be shared. Resource Access Manager allows you to share resources, such as AWS Network Firewall policies, Amazon Route 53 resolver rules, and subnets, within your Amazon VPCs. Audit shared resources regularly and stop sharing resources which no longer need to be shared.
Resources
Related best practices:
Related documents:
Related videos: