Bot of the Week: Exposed Public Snapshots
[To learn more about this Bot, read this blog post by Thomas Martin]
Automatically delete any snapshot exposed to the public as soon as it is detected. Any time a new snapshot is identified or an existing snapshot is modified, it is inspected to determine whether it is marked for public access, and automated action is taken to remediate.
Why do I care:
Imagine for a moment that your company has an EBS volume holding customer credit card data, or Personally Identifiable Information (PII) about your customers and/or employees. An administrator wants to share a snapshot of this volume with another account for backup purposes, but instead of adding the secondary AWS account ID to the snapshot's sharing permissions, the admin marks the snapshot as public. This is a gold mine for malicious actors, and could be a catastrophic and embarrassing legal/PR disaster for the company.
A recent article by The Next Web identified that droves of AWS users are carelessly leaking sensitive data via this feature. In response to the article, AWS quickly released a new Trusted Advisor check which, when enabled, alerts the account's administrators of the issue. It is a good move by AWS, and honestly something that likely should have been made available to the public long ago, but it only reports the problem; it does not take action to fix it in real time.
Background on Cloud Storage:
Storage has always been a challenge. AWS pioneered scalable storage in the cloud, both for object storage (S3) and block storage (EBS). EBS volumes are network-attached block devices that can be attached to an instance, allowing data to persist across instance lifecycle events including stop, start and resizing. They come in a variety of flavors including general purpose SSD, magnetic and even provisioned IOPS for I/O-intensive workloads. They can also be encrypted using keys in AWS Key Management Service (KMS), providing improved security and data protection.
AWS provides the ability to create snapshots (backups) of the data on these EBS volumes, and persists them into S3 (AWS-managed storage, not a bucket you can see) at a fraction of the cost (~90% cheaper than the volume). Snapshot data can be retrieved at any time, is only charged for the incremental difference between snapshots, and can even be shared with other AWS accounts and/or the public. This last piece is extremely important and should not be overlooked. With just a few clicks in the AWS console (or a single ModifySnapshotAttribute API call that adds the "all" group to the snapshot's createVolumePermission) you can mark your snapshot as Public, which in essence allows any AWS customer around the world to make a copy of the snapshot and begin using it. One caveat worth knowing: AWS does not allow a snapshot encrypted with a KMS key to be made public, so encrypting your volumes closes this door entirely, and the exposure described here concerns unencrypted snapshots.
There are very few circumstances where an organization would want to make its data available to the public. One of the only legitimate scenarios where this feature is used is with AMIs (Amazon Machine Images). AMIs enable the quick provisioning and deployment of an operating system to EC2 instances. For companies such as Red Hat, Microsoft and Canonical, who routinely create offerings of their OS for the public to use, it makes sense to have these OS snapshots available to every AWS customer.
How DivvyCloud Bots Address Public Snapshots and Other Compliance Issues:
DivvyCloud has responded to this security risk by providing automatic checks via our BotFactory automation platform. A new automation Bot was put in place to routinely check for this security gaffe, and it does so globally across your entire cloud footprint. Unlike AWS Trusted Advisor, which can be painful to track across multiple cloud accounts, the DivvyCloud check gives you a single pane of glass across all connected public/private cloud accounts, and surfaces the issue immediately upon login. The image below illustrates what a user would see upon logging into the tool. This list shows all the compliance and security issues you want to track, including Exposed Public Snapshots (5th one down).
BotFactory goes a step further, though: additional actions beyond simple visibility can be configured to eradicate these security issues and, more importantly, keep them from recurring. As you can see in the example Bot's configuration below, the Exposed Public Snapshot Bot automatically deletes the offending snapshot as soon as it is detected (hours = 0). Any time a new snapshot is identified or an existing snapshot is modified, it is inspected to determine whether it is marked public.
Fine Control and Flexibility in Defining Policy and Automated Actions:
As with all Bots, this policy can be fine tuned. Additional actions/exclusions can be put in place if there is a valid reason why a handful of public snapshots must exist across the organization's cloud footprint. Another example of an action would be not to delete the snapshot, but to automatically revert its permissions to private (removing the public grant while leaving any account-specific sharing in place) and send a notification to the IT team for further analysis/triage.
Effective and autonomous management of AWS EBS snapshots is possible, and ensuring that an organization's cloud footprint is not leaking sensitive data requires just a little help from Divvy's automation Bots.
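To make the detect-and-remediate loop concrete, here is an added example (not DivvyCloud's Bot code, and not an AWS-provided tool) that performs the same check described in the sections above: walk every snapshot the account owns, read its createVolumePermission attribute, treat any entry granting the "all" group as public, and then either revoke that grant (revert to private) or delete the snapshot, honouring an exclusion list. The API call names and response shapes are those of the EC2 API as exposed by boto3; the FakeEC2 class and the three sample snapshots are constructed stand-ins so the logic runs offline without credentials.

```python
# Added example: find EBS snapshots made public via the "all" group grant and
# remediate them. Function names, FakeEC2 and the sample snapshot IDs are
# assumptions for illustration; the EC2 API calls and field names are real.

PUBLIC_GROUP = "all"


def is_public(create_volume_permissions):
    """True if any CreateVolumePermission entry is the 'all' group grant."""
    return any(p.get("Group") == PUBLIC_GROUP for p in create_volume_permissions)


def find_public_snapshots(ec2):
    """Walk every snapshot this account owns (following NextToken pages) and
    return the IDs whose createVolumePermission includes Group=all."""
    public, token = [], None
    while True:
        kwargs = {"OwnerIds": ["self"]}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if is_public(attr.get("CreateVolumePermissions", [])):
                public.append(snap["SnapshotId"])
        token = page.get("NextToken")
        if not token:
            return public


def make_private(ec2, snapshot_id):
    """Revoke only the public grant; sharing with specific account IDs stays."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="remove", GroupNames=[PUBLIC_GROUP])


def remediate(ec2, action="privatize", exclusions=frozenset()):
    """Act on each public snapshot not on the exclusion list. Returns
    {snapshot_id: action_taken} so a caller can notify the IT team."""
    actions = {}
    for sid in find_public_snapshots(ec2):
        if sid in exclusions:
            actions[sid] = "excluded"
        elif action == "delete":
            ec2.delete_snapshot(SnapshotId=sid)
            actions[sid] = "deleted"
        else:
            make_private(ec2, sid)
            actions[sid] = "privatized"
    return actions


class FakeEC2:
    """Constructed in-memory stand-in for a boto3 EC2 client. State is a dict
    snapshot_id -> list of CreateVolumePermission entries; pages are small so
    the NextToken handling above is exercised."""

    def __init__(self, perms, page_size=2):
        self.perms = dict(perms)
        self.page_size = page_size

    def describe_snapshots(self, OwnerIds, NextToken=None):
        ids = sorted(self.perms)
        start = int(NextToken or 0)
        chunk = ids[start:start + self.page_size]
        out = {"Snapshots": [{"SnapshotId": i} for i in chunk]}
        if start + self.page_size < len(ids):
            out["NextToken"] = str(start + self.page_size)
        return out

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType,
                                  GroupNames=(), UserIds=()):
        assert OperationType == "remove"
        self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                  if p.get("Group") not in GroupNames]

    def delete_snapshot(self, SnapshotId):
        del self.perms[SnapshotId]


def sample_client():
    """Constructed sample: two public snapshots (one also shared with a
    specific account) and one shared privately with a single account."""
    return FakeEC2({
        "snap-0a": [{"Group": "all"}],
        "snap-0b": [{"UserId": "123456789012"}],
        "snap-0c": [{"Group": "all"}, {"UserId": "123456789012"}],
    })


if __name__ == "__main__":
    import boto3  # live run: needs credentials plus ec2:DescribeSnapshots,
    # ec2:DescribeSnapshotAttribute and ec2:ModifySnapshotAttribute/DeleteSnapshot
    print(remediate(boto3.client("ec2"), action="privatize"))
```

Run against the real client, `remediate(..., action="privatize")` is the safer default: it removes the "all" grant but keeps the snapshot and any per-account sharing, which is the revert-and-notify variant described above, while `action="delete"` matches the hours = 0 configuration. Note that `find_public_snapshots` calls DescribeSnapshotAttribute once per snapshot, so in an account with thousands of snapshots the scan is rate-limited by the EC2 API rather than by your code.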