Prevent Data-Focused Attacks

3 Critical Controls for Protecting Data from Ransomware Attacks in AWS

Bele
Chief Corvus Officer
November 15, 2021

S3 Encryption, Versioning, and MFA Delete are essential for ransomware resilience. 

We’re familiar with configuring security policies for networks and applications, but why would you also configure them for data? First, because data is what attackers are after. Second, because the movement of data in the cloud means we must be more direct in our approach as compared with on-premises infrastructure. Historically, data was far less mobile, more or less staying where we expected and designed it to be. In the cloud, data ebbs and flows at speeds, volumes, and varieties that on-premises solutions simply aren’t designed to address, increasing the risk of data breaches and leaks. Open Raven is a cloud-native data security platform designed to make data-centric policies easy for teams to enact.

In just a few clicks, security teams can automatically enforce security controls for specific data types, regardless of location. This allows security teams to configure data guardrails that don’t slow down other parts of the business. While the platform boasts over 150 default rules, we’ll focus on enforcing S3 Bucket Encryption, Versioning, and MFA Delete.

S3 Encryption, Versioning, and MFA Delete

As we’ve written about in our recent eBook, A Guide to Ransomware Resilience, Encryption at Rest, S3 Versioning, and MFA Delete are three effective controls for reducing both the likelihood and the impact of a ransomware attack (in addition to good backups). If attackers can neither read your data nor destroy the only copy of it, you have achieved a good level of resilience against such attacks. Here's what the controls mean:

S3 Bucket Versioning keeps every version of an object in the same bucket. In a versioned bucket a delete only adds a delete marker and an overwrite only adds a new current version, so you can revert to the version that existed before the ransomware ran, which largely removes the need to pay for decryption keys to regain access to your data. The caveat: an attacker whose stolen credentials carry s3:DeleteObjectVersion can still purge those older versions, which is why versioning is paired with MFA Delete below.

MFA Delete is a bucket setting that requires (1) your security credentials and (2) an MFA value, the serial number of an approved authentication device (the hardware serial or, for a virtual device, its ARN), a space, and the six-digit code it currently displays, on any request that permanently deletes an object version or changes the versioning state of the bucket. A request without that value is rejected, so stolen access keys alone cannot erase your version history or suspend versioning. Only the bucket owner's root user can enable it. Such a control is a simple yet powerful way to prevent one of the primary pains caused by ransomware: data loss.

Encryption at Rest means that S3 encrypts your objects before writing them to disk in its data centers and decrypts them transparently when an authorized principal downloads them. This protects against theft of the underlying storage media and of raw backups. Be precise about what it does not do, though: with S3-managed keys (SSE-S3), any principal that holds s3:GetObject receives plaintext, so encryption at rest alone does not stop an attacker using stolen credentials from exfiltrating data for doxxing or extortion. Using a customer managed KMS key (SSE-KMS) adds a second, independently scoped check, kms:Decrypt on the key policy, which can be granted to far fewer principals than can reach the bucket (Note: there are other rules to consider to contain breaches of admin accounts).

We've taken these controls, plus hundreds of others, and made them available as default rules that can be quickly enabled out-of-the-box. Here's how it works:

Step 1. Initial Setup and Configuration

First, connect your cloud to the Open Raven platform. Doing so requires an AWS account with a dedicated IAM role and read-only access to your cloud. Connections can also be made manually via CloudFormation or Terraform. Once verified, Open Raven will auto-discover and map all cloud assets, populating Maps and the Asset List. After the discovery has run, create a new auto-scan job by navigating to the Scans menu item and selecting “Create New Auto-scan Job”. This will begin identifying sensitive data types stored across discovered S3 buckets. Now we can move into creating a policy.

Step 2. Creating a Policy

Open Raven allows you to apply Policies to enforce your data security standards. This lets you both audit and monitor your cloud infrastructure for mismatches between data types and security configurations. 

Policies consist of as many or as few rules as you would like to include. Rules can be selected from our list of over 150 built-in rules, or can be custom created using our 'policy as code' rules editor.

Create a Policy panel. Information like policy ID, name, description, and status will be entered on the left as well as the schedule for the policy.


Create a new policy and give it a recognizable name: "S3 Versioning, Encryption, and MFA Delete for all Personal Data".

Select a schedule for this policy to run—once, daily, weekly, monthly.

Finally, search for and add the S3 bucket versioning, encryption, and MFA delete rules to the policy and save.

Now, Open Raven will scan your cloud for the data and configuration conditions specified in your policies. In the event that conditions are not met, a new record in Violations will be created that includes all necessary information to verify, assess, and prioritize next steps.
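The three rules above are pure configuration checks, so it is worth seeing what each one actually tests. The following script is an added example and is not Open Raven's rule engine or any code from the original post: it audits one or more buckets for versioning, MFA Delete, and default encryption with the AWS CLI. The check functions take the JSON text the CLI prints, so they can be exercised on captured output without credentials; the response shapes are those of the S3 GetBucketVersioning and GetBucketEncryption APIs, and the bucket names are placeholders you supply.

```shell
#!/bin/sh
# Added example, not Open Raven code: audit buckets for S3 versioning,
# MFA Delete and default encryption with the AWS CLI. Needs read-only
# s3:GetBucketVersioning and s3:GetEncryptionConfiguration on each bucket.
set -eu

# The checks match the exact key/value pairs the S3 API returns rather than
# doing a full JSON parse, so they run with nothing but sh and the CLI output.

# get-bucket-versioning prints nothing for a bucket that has never been
# versioned; otherwise "Status" is Enabled or Suspended, and "MFADelete" is
# only present once MFA Delete has been configured at least once.
versioning_status() {
  case "$1" in
    *'"Status": "Enabled"'*)   echo enabled ;;
    *'"Status": "Suspended"'*) echo suspended ;;
    *)                         echo never-enabled ;;
  esac
}

mfa_delete_status() {
  case "$1" in
    *'"MFADelete": "Enabled"'*) echo enabled ;;
    *)                          echo disabled ;;
  esac
}

# get-bucket-encryption fails with ServerSideEncryptionConfigurationNotFoundError
# when no default encryption is set; audit_bucket passes that stderr text in.
encryption_status() {
  case "$1" in
    *'"SSEAlgorithm": "aws:kms"'*)                    echo sse-kms ;;
    *'"SSEAlgorithm": "AES256"'*)                     echo sse-s3 ;;
    *ServerSideEncryptionConfigurationNotFoundError*) echo none ;;
    *)                                                echo unknown ;;
  esac
}

# Apply the three rules to one bucket: prints one VIOLATION line per failed
# rule, returns 1 if any rule failed and 0 if the bucket is compliant.
evaluate_bucket() {
  bucket=$1 versioning_json=$2 encryption_json=$3
  rc=0
  v=$(versioning_status "$versioning_json")
  if [ "$v" != enabled ]; then
    echo "VIOLATION $bucket: versioning is $v"; rc=1
  fi
  if [ "$(mfa_delete_status "$versioning_json")" != enabled ]; then
    echo "VIOLATION $bucket: MFA Delete is not enabled"; rc=1
  fi
  e=$(encryption_status "$encryption_json")
  case "$e" in
    sse-kms|sse-s3) ;;
    *) echo "VIOLATION $bucket: no default encryption ($e)"; rc=1 ;;
  esac
  return $rc
}

# Live path: fetch both configurations for a real bucket and evaluate them.
# A failed get-bucket-versioning call (e.g. AccessDenied) aborts the run.
audit_bucket() {
  vjson=$(aws s3api get-bucket-versioning --bucket "$1" --output json)
  ejson=$(aws s3api get-bucket-encryption --bucket "$1" --output json 2>&1 || true)
  evaluate_bucket "$1" "$vjson" "$ejson"
}

# Only talks to AWS when asked, e.g.  AUDIT_BUCKETS="bucket-a bucket-b" sh audit.sh
for b in ${AUDIT_BUCKETS:-}; do
  audit_bucket "$b" || true
done
```

Treat a "never-enabled" or "suspended" versioning status and a missing MFADelete key as equally serious: both mean an attacker with delete permissions can destroy the only copy of an object. Note that SSE-S3 and SSE-KMS are both accepted here; if your policy is that personal data must be under a customer managed key, tighten the final case to sse-kms only.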

Step 3. Violations and Alerts, Your Way

When Violations are found, warning icons will appear on Maps and new records will be shown on the Policy Violations page, as seen below.

Policy Violations page showing active violations including AWS Security Config, Data Scan Job Violations, Data Security Fundamentals, Data Store Encryption.


We recommend using our integration options, like Slack or Email, to route Violation alerts into your existing workflows. To do so, go to the Account Avatar, select Settings, then Integrations, and choose an option to have Alerts sent to Slack or email, or to Webhooks and EventBridge for more customized integrations.

Open Raven Integrations including email, Webhooks, 4Me, EventBridge, and Slack.


Step 4. Quickly Resolve an Issue

Alerts include all the necessary information to quickly assess the situation and prioritize actions including: account ID, region, bucket(s), object(s), impacted sensitive data types, and counts.

High Severity Violation panel showing the rule 'Financial data is not encrypted at rest' with a table of the assets with violations below.


Use the deep links directly into the relevant part of the AWS Console (to an account, bucket, or object) to further investigate or resolve the issue.

To enable S3 versioning for a bucket, use the deep link next to the bucket name in Open Raven to open the AWS console. From there, select Properties, locate Bucket Versioning, and select Edit. Change the setting to Enable, then save changes.

Edit Bucket Versioning in AWS. Can choose to suspend or enable bucket versioning.


Configuring encryption for buckets can be done in a number of ways depending on the type of encryption. In short, there are server-side options (SSE-S3 with S3-managed keys, SSE-KMS with a KMS key, and SSE-C with keys you supply on each request) and client-side encryption, where objects are encrypted before they are uploaded. The bucket-level control the rule checks is default encryption, which S3 applies to every new object that arrives without its own encryption headers; it does not re-encrypt objects already in the bucket, so existing objects need to be copied in place to pick up the new setting. Note that since January 2023 S3 applies SSE-S3 to all new objects by default, so for new buckets this rule matters mostly when you want SSE-KMS with a customer managed key, and for objects written before that change. These options can be configured via the AWS S3 Console, REST APIs, SDKs, CLI, or CloudFormation.


To enable MFA Delete, you must use either the AWS Command Line Interface (CLI) or the API, which you can read about here.
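Steps 4's three remediations, put together as one AWS CLI script. This is an added example, not code from the original post or from Open Raven: it enables versioning and SSE-KMS default encryption, which any IAM principal with s3:PutBucketVersioning and s3:PutEncryptionConfiguration can do, and then MFA Delete, which S3 only accepts from the bucket owner's root user authenticated with root access keys and a root-registered MFA device. The bucket name, KMS key ARN, MFA device serial and code are placeholders passed in through environment variables.

```shell
#!/bin/sh
# Added example, not Open Raven code: enable the three controls for one
# bucket with the AWS CLI.  BUCKET, KMS_KEY_ARN, MFA_SERIAL and MFA_CODE
# are placeholders supplied by the operator.
set -eu

# The --mfa value S3 expects is the device serial (or virtual device ARN),
# exactly one space, and the six-digit code currently shown on the device.
mfa_arg() {
  serial=$1 code=$2
  case "$code" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "MFA code must be exactly six digits" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$serial" "$code"
}

# Default encryption with a customer managed KMS key, so that reading an
# object also requires kms:Decrypt on that key's policy.  Bucket Keys cut
# KMS request volume and cost for busy buckets.  For SSE-S3 instead, use
# {"SSEAlgorithm":"AES256"} with no KMSMasterKeyID.
encryption_config() {
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$1"
}

enable_versioning() {
  aws s3api put-bucket-versioning --bucket "$1" \
    --versioning-configuration Status=Enabled
}

enable_default_encryption() {
  aws s3api put-bucket-encryption --bucket "$1" \
    --server-side-encryption-configuration "$(encryption_config "$2")"
}

# Root credentials only: an IAM user or role gets AccessDenied here even with
# full s3:* permissions.  The same call also sets Status=Enabled, so MFA
# Delete cannot be turned on for a bucket whose versioning is suspended.
enable_mfa_delete() {
  aws s3api put-bucket-versioning --bucket "$1" \
    --versioning-configuration Status=Enabled,MFADelete=Enabled \
    --mfa "$(mfa_arg "$2" "$3")"
}

# Only touches AWS when BUCKET is set, e.g.
#   BUCKET=my-bucket KMS_KEY_ARN=arn:aws:kms:... sh remediate.sh
# and, with root credentials in the environment,
#   BUCKET=my-bucket KMS_KEY_ARN=... MFA_SERIAL=arn:aws:iam::123456789012:mfa/root-account-mfa-device MFA_CODE=123456 sh remediate.sh
if [ -n "${BUCKET:-}" ]; then
  enable_versioning "$BUCKET"
  enable_default_encryption "$BUCKET" "${KMS_KEY_ARN:?set KMS_KEY_ARN to the customer managed key ARN}"
  if [ -n "${MFA_SERIAL:-}" ]; then
    enable_mfa_delete "$BUCKET" "$MFA_SERIAL" "${MFA_CODE:?set MFA_CODE to the code on the root MFA device}"
  fi
  # Verify: expect "Status": "Enabled" and, after the root step, "MFADelete": "Enabled".
  aws s3api get-bucket-versioning --bucket "$BUCKET"
fi
```

Run the first two steps under your normal admin role and the MFA Delete step as a separate, short-lived root session; the TOTP code expires within a minute, so fetch it right before the call. Once MFA Delete is on, every DeleteObjectVersion and PutBucketVersioning request, including your own automation, must carry the x-amz-mfa header, which is the point: a ransomware operator with stolen keys and no access to the root MFA device can add delete markers but cannot destroy the versions you will restore from.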

Interested to see more? Schedule a demo with one of our security experts.
