If you are using Amazon Elastic Block Store (AWS EBS), you should review your security settings. As it turns out, EBS snapshots have a public mode that can expose your data to all Internet users.
An analyst from cybersecurity firm Bishop Fox presented an alarming report during the latest Def Con conference. He discovered that AWS EBS’s public mode makes virtual hard disks accessible to Internet users. Amongst the exposed data were encryption keys, passwords and live websites.
What Is AWS EC2?
AWS EC2 is an Amazon service that offers storage, computing and processing capacity. You can run applications on EC2 and increase or decrease instance capacity through the EC2 interface. Below, you’ll find an overview of key EC2 features.
Bare metal instances
Bare metal instances are useful for applications that need a non-virtual environment for security or support purposes. These instances are also flexible and scalable like other EC2 virtual instances. You can use bare metal instances with AWS EBS.
Auto Scaling
You can easily optimize the performance and cost of EC2 by using the Auto Scaling option. This feature lets you configure scaling settings according to workload demands.
What Is AWS EBS?
Amazon EBS is a block storage service. You can attach EBS volumes to Amazon EC2 instances, which gives them persistent data storage.
Amazon EBS offers four types of volumes divided into two categories:
- SSD-backed volumes—this category includes General Purpose volumes and high-performance Provisioned IOPS volumes. Solid State Drives replace mechanical hard disks with flash-based memory, which is usually faster than a hard disk drive.
- HDD-backed volumes—hard disk drives use mechanical platters to access data and are typically slower than SSDs. This category includes Throughput Optimized volumes for frequently accessed data, and the less expensive Cold HDD volumes for data that you don’t need frequently.
AWS EBS Snapshots
Amazon EBS enables you to save a copy of an EBS volume via snapshots. A snapshot functions as a point-in-time backup of the data contained in the volume. EBS snapshots are incremental, storing only the blocks that changed since the previous snapshot. You can back up the latest version of a volume with a snapshot and then delete the volume; if you later need the data it contained, you can restore it from the snapshot.
Some of the key features of AWS EBS Snapshots:
- Direct access to EBS volumes data—once you create a volume from a snapshot, the attached instance can instantly access the volume.
- Can use it to resize EBS volumes—when you create a new volume from a snapshot, you can configure a different size for the new volume.
- Shareable—you can share snapshots within your environment or with the AWS community. Other users may create their own Amazon EBS volumes from the snapshots you share, but this doesn’t affect your original snapshot. You can manage the privacy of your snapshots by modifying their permissions.
- Supports multi-region replication—you can replicate snapshots across AWS regions. This helps you achieve high availability. These features are available for any snapshot, including those shared with you, and those offered by the AWS Marketplace.
Understanding the AWS Model of Shared Responsibility
Amazon operates under a shared responsibility model, like other major cloud providers. Under this model AWS takes responsibility for the security of the platform, while the customer is responsible for securely configuring the environment and controlling access to the organization’s data.
- Amazon’s responsibility—AWS focuses on the security of the AWS infrastructure, protecting its services against threats. This includes Regions, Availability Zones, and Edge Locations. Amazon ensures the security of the software and hardware used to provide its services. This is known as security “of” the cloud.
- Customer’s responsibility—the customer, on the other hand, is responsible not only for using the AWS platform securely but also for preventing vulnerabilities caused by misconfigurations and access issues. For example, the customer is responsible for applying multi-factor authentication. The customer is responsible for security “in” the cloud.
AWS EBS Security Best Practices
EBS volumes can be vulnerable to attacks if not protected properly. Below you can find a number of best practices you can follow to secure your EBS volumes from attackers.
1. Enable Encryption by Default
You can ensure all new volumes are encrypted by enabling encryption by default. This setting is specific to each region in your account. Once it is enabled, you don’t need to specify encryption for every volume you create.
2. Disable EBS Public Snapshots
This is perhaps the most important practice to protect your data. You should disable the public mode of your EBS snapshots. This way the data is not accessible to all AWS accounts and you can prevent accidental leaks.
3. Encrypt EBS volumes for app tier
Ensure all AWS EBS volumes attached to application instances are encrypted. You can do this from the AWS Management Console after you configure your storage requirements. At this stage you can select the KMS CMK you wish to use.
4. Encrypt with Customer Master Keys
Select KMS Customer Master Keys when encrypting volumes. This gives you control over the data encryption and decryption process. AWS managed keys, which are created by AWS services, are free; customer managed KMS keys are a paid service.
5. Encrypt the Snapshots
When you create a snapshot from an encrypted volume, the snapshot is encrypted as well. However, you can re-encrypt a snapshot with a different key. If you create a snapshot from an unencrypted volume, you should encrypt it. You can find a tutorial on how to copy and encrypt a snapshot in the official AWS documentation.
6. Clean EBS Volumes
When your storage space is optimized it is easier to maintain and protect. Unused or idle volumes not only take up storage but can fail, causing data loss. In addition, when you stop an EC2 instance, the attached volume continues to exist. If you don’t need this data, you can identify and delete these unattached volumes.
7. Delete old snapshots
Sometimes users create and share snapshots and forget to delete the old copies. Since the most recent snapshot already contains the latest version of the volume, you should eliminate old snapshots to optimize storage and reduce exposure.
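The snapshot-related practices above (2, 5 and 7) can be checked with a short audit over the records that EC2 returns for your own snapshots. The following is an added example, not code from the article or from Bishop Fox: it runs over constructed records shaped like the output of the boto3 calls ec2.describe_snapshots(OwnerIds=["self"]) and ec2.describe_snapshot_attribute(SnapshotId=..., Attribute="createVolumePermissions"); the snapshot IDs, volume IDs, dates and account number are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: SNAPSHOTS mirrors the per-snapshot dicts returned by
# EC2 DescribeSnapshots, PERMISSIONS mirrors the CreateVolumePermissions list from
# DescribeSnapshotAttribute, keyed by snapshot ID. IDs, dates, account are made up.
NOW = datetime(2020, 1, 15, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "VolumeId": "vol-0aaa",
     "Encrypted": True, "StartTime": NOW - timedelta(days=3)},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "VolumeId": "vol-0bbb",
     "Encrypted": False, "StartTime": NOW - timedelta(days=400)},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "VolumeId": "vol-0aaa",
     "Encrypted": False, "StartTime": NOW - timedelta(days=10)},
]
PERMISSIONS = {
    "snap-0a1b2c3d4e5f60001": [],                            # private
    "snap-0a1b2c3d4e5f60002": [{"Group": "all"}],             # public
    "snap-0a1b2c3d4e5f60003": [{"UserId": "111122223333"}],   # shared with one account
}

def is_public(permissions):
    """A snapshot is public when the 'all' group may create volumes from it."""
    return any(p.get("Group") == "all" for p in permissions)

def audit_snapshots(snapshots, permissions):
    """Map snapshot ID -> problems for practices 2 (public), 5 (unencrypted) and
    7 (superseded by a newer snapshot of the same volume; the newest is kept)."""
    newest = {}
    for snap in snapshots:
        vid = snap["VolumeId"]
        if vid not in newest or snap["StartTime"] > newest[vid]["StartTime"]:
            newest[vid] = snap
    findings = {}
    for snap in snapshots:
        sid, problems = snap["SnapshotId"], []
        if is_public(permissions.get(sid, [])):
            problems.append("public")
        if not snap["Encrypted"]:
            problems.append("unencrypted")
        if newest[snap["VolumeId"]] is not snap:
            problems.append("superseded")
        if problems:
            findings[sid] = problems
    return findings

if __name__ == "__main__":
    for sid, problems in audit_snapshots(SNAPSHOTS, PERMISSIONS).items():
        print(f"{sid}: {', '.join(problems)}")
```

A snapshot flagged as public can be made private again with `aws ec2 modify-snapshot-attribute --snapshot-id <id> --attribute createVolumePermission --operation-type remove --group-names all`.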
8. Encrypt web-tier EBS
You should ensure all volumes attached to web-tier EC2 instances are encrypted, to protect the data from malicious intruders. When you attach an encrypted volume to a web-tier EC2 instance, the data in the volume and in its snapshots is encrypted as well.
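The volume-related practices (1, 3, 4, 6 and 8) can be audited the same way from the records EC2 and KMS return. This is an added example, not code from the article: the records are constructed in the shape of ec2.describe_volumes() output and of kms.describe_key(KeyId=arn)["KeyMetadata"] (whose KeyManager field is "AWS" or "CUSTOMER"); the volume IDs, key ARNs, account number and the "Tier" tag convention are assumptions made for the example.

```python
# Constructed sample data: VOLUMES mirrors the per-volume dicts returned by EC2
# DescribeVolumes, KEYS mirrors KMS DescribeKey KeyMetadata keyed by key ARN.
# IDs, ARNs, the account number and the "Tier" tag convention are made up.
CMK = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-customer-managed"
AWS_KEY = "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-aws-managed"
VOLUMES = [
    {"VolumeId": "vol-0a1", "State": "in-use", "Encrypted": True,
     "KmsKeyId": CMK, "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"VolumeId": "vol-0b2", "State": "in-use", "Encrypted": False,
     "Tags": [{"Key": "Tier", "Value": "app"}]},
    {"VolumeId": "vol-0c3", "State": "in-use", "Encrypted": True,
     "KmsKeyId": AWS_KEY, "Tags": [{"Key": "Tier", "Value": "web"}]},
    {"VolumeId": "vol-0d4", "State": "available", "Encrypted": False, "Tags": []},
]
KEYS = {
    CMK: {"KeyManager": "CUSTOMER"},   # customer managed key (practice 4)
    AWS_KEY: {"KeyManager": "AWS"},    # the AWS managed key, e.g. alias/aws/ebs
}

def tag_value(volume, key):
    """Return the value of a tag on the volume, or None if it is not set."""
    return next((t["Value"] for t in volume.get("Tags", []) if t["Key"] == key), None)

def audit_volumes(volumes, keys):
    """Map volume ID -> {"tier": ..., "problems": [...]} for volumes that are
    unattached (practice 6), unencrypted (practices 1, 3, 8) or encrypted with a
    key that is not customer managed (practice 4). Clean volumes are omitted."""
    findings = {}
    for vol in volumes:
        problems = []
        if vol["State"] == "available":       # exists but attached to no instance
            problems.append("unattached")
        if not vol["Encrypted"]:
            problems.append("unencrypted")
        elif keys.get(vol.get("KmsKeyId"), {}).get("KeyManager") != "CUSTOMER":
            problems.append("aws-managed-key")
        if problems:
            findings[vol["VolumeId"]] = {"tier": tag_value(vol, "Tier"),
                                         "problems": problems}
    return findings

if __name__ == "__main__":
    for vid, info in audit_volumes(VOLUMES, KEYS).items():
        print(f"{vid} ({info['tier'] or 'untagged'} tier): {', '.join(info['problems'])}")
```

New volumes stop appearing as unencrypted once practice 1 is applied with `aws ec2 enable-ebs-encryption-by-default`, which must be run once per region.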
Whether you are just starting with AWS or you are already a seasoned user, protecting your EBS volumes through these practices can help you prevent data leaks. Ensuring your cloud storage is secure is crucial for the continual health of your network.