Amazon S3 is an immensely popular backup storage destination. If you are an MSP securing customer data in S3, there are three main points to consider:

  1. Securing an account on Amazon Web Services
  2. Securing the data storage bucket Amazon S3
  3. Maintaining network endpoint security

In this article, we will discuss points 1 and 3: Securing your account on Amazon Web Services using Identity and Access Management (IAM) and securing your data on the endpoint. To learn more about point 2 (protecting your data in AWS), refer to this comprehensive S3 Security guide.

How to Secure Your Backup to Amazon S3
AWS Account Security

If you choose to use Amazon S3 for backup storage, there are two security aspects to consider:

  • AWS account security
  • Accessing the Amazon S3 buckets

AWS offers various features to help secure both items.

For securing your bucket and performing an audit, AWS allows you to enable S3 bucket logging and server-side encryption.

For securing your account, you need to configure the AWS Access and Identity Management service (AWS IAM).

Configuring AWS Access and Identity Management Service (IAM)

Amazon Web Services comes with a root account. One of the unique features of this account is that it has access to all other services. Therefore, you should create user accounts with sufficient permission for each service you need to use, and use those user accounts instead of a root account. In order to create these user accounts, you can use AWS Access and Identity Management service.

Don’t Use Root Keys

Root access and secret keys can control all services in AWS. They do not exist until you create them manually, while logged under a root account. AWS themselves don’t recommend you to create these keys, and neither do we.

Configure Multi-Factor Authentication (MFA)

Given that the user’s root account has tremendous power in the AWS because it has access to all services, you must carefully protect it. Choosing a strong password for the root account and configuring multi-factor authentication is recommended. And never give this information to anyone.

Amazon S3 Buckets Security

AWS has several features and services that allow you to secure data in your Amazon S3 buckets.

Server-side encryption (SSE)

Server-side encryption (SSE) automatically encrypts data uploaded to the S3 bucket, and also restricts download access only to users with sufficient permission.

S3 bucket logging

This tool keeps logs of all the activities on the S3 bucket, thus providing management and monitoring facility for multiple files, buckets, and users.

Don’t make buckets public

By default, AWS does not allow public access to your data, but you can enable it manually. We don’t recommend doing so as most data breaches happen when someone grants public access to files. If you need to share data with a third party, create a dedicated IAM user with limited access.

Key Management Service (KMS)

This tool allows you to create and manage encryption keys; without key IDs, no one can get access. Therefore, if the user account is compromised, but the key ID is safe, your data is also safe.

Endpoint and Transfer Security

Although Amazon provides many services for server-side data encryption, files still can be easily compromised on the user's end. There are three ways to protect your data against the main dangers:

File encryption against direct data breaches

To ensure the secure transfer of data and endpoint security, you need to have all of your data encrypted. This secures the data so as to make sure it is transferred safely to the intended recipient.

Filename encryption

Another smart way to ensure that all your files remain safe and secure, especially during delivery, is to encrypt the filenames as well. Both these options are available in Amazon S3 bucket security.

Secure transfer channels to prevent transfer breaches.
3-2-1 Backup Strategy

To provide high-level data availability, we recommend following a 3-2-1 backup strategy, which involves creating three copies of your data. One is the original dataset and two others are backups. The copies must be stored on two physically independent devices (such as flash, external and cloud storage) with no cross-data synchronization. At least one of these copies should be saved outside the primary data center or office to secure against large-scale disasters such as flooding, fire, etc.

To conclude, if you have:

  • An antivirus program that is up-to-date
  • Firewall protection
  • Encryption on files and filenames
  • Encrypted data transfer
  • Amazon S3 SSE
  • A user structure that requires the least amount of permissions in AWS IAM

Then your chances of losing data due to poor security are minimal.

To find out more about Amazon S3 Backup Security, refer to our comprehensive guide.

Doug Hazelman
VP Technical Marketing