On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy—used by a mandatory role for AWS Support access to all AWS Accounts.
In this policy, they added the action ‘s3:getObject’ which granted complete access to all customer data to the AWS support teams.
Note: AWS has now reverted the change, and the potential risk now stands mitigated.
Yes, you heard it right. A small policy change rollout internally by AWS gave access to your data in S3 buckets to the AWS support teams. Let us take a moment and reason this incident critically. Security incidents are not new, and neither are data breaches and ransomware attacks Worst case scenario - your S3 data could have been accessed by AWS Support teams if they really wanted to. Sensitive data getting into the wrong hands is not new, then what is new about this incident? This security incident was not deliberate. That’s new. So, here are a few nuggets that we can learn from this incident:
Fortunately, there are steps that you can take now to shield yourself from such threat vectors – intentional or unintentional. The objective is to keep your data encrypted in a way that allow you, and only you to control who can and cannot decrypt/access your data.
Here are a few ways to achieve that objective:
Note that even if the data was encrypted using AWS managed keys, this security event couldn’t have been prevented. Why so? Because with proper IAM access, which was the case here, the data would have been seamlessly decrypted if AWS support teams had tried to access it.
Fortanix is a data first company, and we empower you to protect your most important asset first - your global data, from one centralized place and give you unmatched control of your data security across public, private, and hybrid clouds, all that with an easy-to-use, automation-friendly solution loved by developers, security teams, and auditors.
Our flagship product DSM Cloud Data Control lets you manage the entire lifecycle of AWS Customer Managed Keys as well as for other clouds from a single pane of glass. It also empowers you to import (BYOK), automatically rotate, schedule delete, or delete the key material on demand – Kill Switch. Not only that, but you can also manage the AWS key policies as well as apply your own custom policies using our award-winning UI or rich APIs
Net-net, we need to understand that breaches won’t stop. You must take full control of your data wherever it goes. Our security platform with its plethora of inbuilt tools and technologies can help you secure and control your data at-rest, in-transit and in-use. We are also the leaders in Confidential Computing. However, you must act now. Our SaaS Trial only takes 5 minutes to setup. Try it out today, and don’t let such breaches spoil your Holiday! Happy Holidays!
Get our blog updates in your inbox: