Improving Your Amazon S3 Security with Cost-Effective Practices (COM322)

Title: AWS re:Inforce 2024 - Improving your Amazon S3 security with cost-effective practices (COM322)

Insights:

  • S3 Security Importance: S3 is a prime target for attackers because it stores critical data. Security breaches can lead to data loss, reputational damage, and legal issues.
  • Ransomware Threats: Ransomware attacks are increasing, and paying the ransom does not guarantee data recovery. Implementing robust security practices is essential.
  • Bucket Naming Conventions: Avoid obvious S3 bucket names that reveal their contents; such names make it easier for attackers to pick out the valuable data.
  • Cost Management: Understanding and optimizing S3 storage classes can significantly reduce costs. Intelligent tiering can automatically move data to the most cost-effective storage class based on access patterns.
  • Intelligent Tiering: This storage class automatically transitions objects between different tiers based on access frequency, eliminating the need for manual data management and reducing costs.
  • Object Lock: S3 Object Lock provides an additional layer of security by preventing data deletion. It offers two modes: governance and compliance, with compliance mode providing the highest level of protection.
  • Versioning and Denial by Wallet: Versioning can be abused by attackers to inflate storage costs ("denial by wallet"). Lifecycle rules that cap the number of retained object versions mitigate this risk.
  • Testing Object Lock: Before fully implementing Object Lock, test it with short retention periods and in governance mode to ensure it does not disrupt operations.
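A defender-side check for the last three points (version caps, Object Lock, governance-first testing), added here as an illustration rather than anything from the talk or AWS. It assumes input dicts shaped like the boto3 responses of get_bucket_versioning, get_bucket_lifecycle_configuration and get_object_lock_configuration, and uses constructed sample data so it runs offline.

```python
"""Flag S3 bucket settings that expose the risks discussed in the session.

Shapes follow the boto3 responses named in the lead-in; the samples below are
constructed, not pulled from any real account.
"""

MAX_NONCURRENT_VERSIONS = 3   # assumed policy: keep at most 3 old versions
TEST_RETENTION_DAYS = 7       # talk's advice: trial Object Lock for about a week


def limits_noncurrent_versions(lifecycle):
    """True if an enabled rule expires noncurrent versions, which caps the
    storage an attacker can inflate by repeatedly overwriting objects."""
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        ncve = rule.get("NoncurrentVersionExpiration", {})
        if "NoncurrentDays" in ncve or "NewerNoncurrentVersions" in ncve:
            return True
    return False


def assess_bucket(versioning, lifecycle, object_lock):
    """Return a list of finding strings; an empty list means nothing to flag."""
    findings = []
    if versioning.get("Status") == "Enabled" and not limits_noncurrent_versions(lifecycle):
        findings.append("denial-by-wallet: versioning on, no noncurrent-version expiration rule")
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        # Versioning alone does not stop a permanent delete of a specific version.
        findings.append("no-object-lock: object versions can still be permanently deleted")
    else:
        ret = cfg.get("Rule", {}).get("DefaultRetention", {})
        days = ret.get("Days", 0) + 365 * ret.get("Years", 0)
        if ret.get("Mode") == "COMPLIANCE" and days > TEST_RETENTION_DAYS:
            findings.append("untested-compliance: start in GOVERNANCE with a short retention first")
    return findings


# Constructed sample: versioned bucket with a version cap, but Object Lock
# jumped straight to compliance mode with a one-year default retention.
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_LIFECYCLE = {"Rules": [{"ID": "cap-versions", "Status": "Enabled", "Filter": {},
                               "NoncurrentVersionExpiration": {
                                   "NoncurrentDays": 30,
                                   "NewerNoncurrentVersions": MAX_NONCURRENT_VERSIONS}}]}
SAMPLE_OBJECT_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}

if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_VERSIONING, SAMPLE_LIFECYCLE, SAMPLE_OBJECT_LOCK):
        print(finding)
```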

Quotes:

  • "Bad guys go to S3 because that's where the data is."
  • "Ransomware is just going nuts. If it isn't, it says by 2031, an attack every two seconds."
  • "Don't advertise to the bad guys that that's what you're doing. The developers can get over it."
  • "Understanding the deep usage patterns of your data and explicitly programming for that is hard."
  • "Intelligent tiering is a storage class. Within intelligent tiering, there are tiers that correspond to the other storage classes."
  • "S3 object lock is the one thing you can do that will give you an absolute defense against an object being deleted."
  • "Denial by wallet is absolutely how I would do the attack."
  • "Imagine what it would take to move your entire company's infrastructure to a different account because someone clicked on the wrong button when they said they were going to save you money."
  • "Test object lock with a short retention period, like a week, and put it in governance mode."