AWS Strengthens Security with Default Encryption on S3, Is Your Data Fully Protected?

Originally published by Dig Security.

Written by Sharon Farber.

Executive summary

• As with any change to security policy, it’s important to consider it in the context of the shared security model.
• The ultimate responsibility for protecting sensitive data rests on the customer, rather than the cloud provider.
• Since January 2023, AWS has enabled encryption by default on Amazon S3.
• In recent weeks, we saw this change rolled out to many existing buckets.
• Encryption on the bucket level does not mean that all the data you store on S3 is encrypted. ‍
• DSPM tools can help you understand whether you are still storing sensitive data in unsecured ways, and address any potential vulnerabilities.

What happened?

In recent weeks, as part of our continuous monitoring of customer data assets, we detected a significant change in S3 encryption policies.

On January 5th, AWS announced that from this day forward, new objects uploaded to S3 will automatically have server-side encryption enabled (SSE-S3), unless the customer explicitly chooses another encryption option.

Broadly speaking, this is great news for data security. Unencrypted data on object storage is trouble waiting to happen. We think AWS has done the right thing by doing the same with S3.

However, it's important to understand that objects uploaded before the Encryption-by-Default implementation remain unencrypted, which we will clarify in more detail below.

Encryption settings on the bucket level do not mean all your data is encrypted

It’s important to understand that while you now have encryption enabled on all your S3 buckets, this encryption does not automatically apply to older files. As AWS notes elsewhere: “Objects uploaded before default encryption was enabled will not be encrypted.” If you’re monitoring configuration on the bucket level – e.g., using GetBucketEncryption – you might receive the wrong impression that everything in the bucket is encrypted. But this is not the case, as we’ve summarized below:

This has the potential to be a high-risk incident. How should these changes impact your overall data security strategy?

Cloud providers should be lauded for their ongoing efforts to improve their customers’ security posture – but when it comes to sensitive data, the buck always stops with you (as the organization that owns the data).

AWS, like all public cloud providers, operates according to the Shared Responsibility Model – wherein the cloud provider is responsible for protecting the infrastructure that runs the services, while the customer maintains responsibility for the way they use these services. This diagram is taken from the relevant AWS page, but you’ll find similar ones by Azure and Google:

The same page explicitly states that:

“Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.”

This is not a mere formality. If your customers’ data is unintentionally made public, it’s not the cloud provider that will face the brunt of the reputational and financial consequences.

While this specific change to encryption policies was a net positive, it highlights the control that cloud providers have over the posture of your most sensitive data assets – and the way they can roll out major changes with or without prior notice. Having the internal knowledge, tools, and capabilities to protect your data remains crucial.

In fact, Amazon S3 announced that starting in April 2023, all new S3 buckets will be automatically configured with Block Public Access and with S3 access control lists (ACLs) disabled, while existing buckets will not change. Our friends at AWS Security tell us that these new defaults align with longstanding Amazon S3 best practices. Stay tuned as this is another topic we plan to discuss in more detail.

Minimizing data risks from unencrypted cloud storage

• Now is as good as ever a time to ensure that you are not storing any kind of sensitive information (PII, PCI, HIPAA, etc.) in unencrypted cloud storage. Data security posture management (DSPM) can help you identify these risks.
• In order to encrypt existing objects on AWS S3, AWS has recommended a method using S3 Inventory, AWS Athena, and S3 Batch Operations.