
Protecting Your S3 Data: Don't Learn the Lesson the Hard Way

July 8, 2022

This post originally appeared on the Divebell blog, titled Protecting Your S3 Data: Is Amazon Macie Really Your Best Option? by Divebell co-founder Vikram Shrowty. Divebell is an Exterro technology partner.

Blob stores like S3 tend to be a convenient dumping ground for all kinds of data. Unsurprisingly, vast quantities of data accumulate in them very quickly. The data typically includes log files, backup archives, documents, images, and big-data files like Parquet and Avro. Knowing what kind of sensitive data resides amidst all this — and if it is being used in a compliant manner — can be daunting.

To add to this, it isn’t easy to ascertain if all the content in an S3 bucket is adequately secured. Unlike most repositories with ACLs and permissions, S3 access can be controlled by free-form policies that are not amenable to standard entitlements-and-permissions audit processes.
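Because those free-form policies are JSON documents, a first audit pass can still be automated by evaluating each statement rather than relying on a permissions report. The following is an added example, not code from the original post and not part of Divebell or Macie: it audits a constructed bucket policy entirely offline (the bucket name, account id, role and VPC endpoint id are made up) and flags Allow statements that grant access to a wildcard principal or to every S3 action. In practice the same function can be fed the "Policy" string returned by boto3's get_bucket_policy().

```python
"""Audit an S3 bucket policy document for statements that grant access too
broadly.  Added example, not part of the original post: it evaluates a
constructed policy offline and makes no AWS calls."""
import json

# Constructed sample policy for the hypothetical bucket "example-data-lake".
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Public read of every object, no condition: the classic leak.
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data-lake/*",
        },
        {   # Anonymous access, but only through one VPC endpoint: still worth review.
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-data-lake",
                         "arn:aws:s3:::example-data-lake/*"],
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {   # Scoped to a single role (placeholder account id) but grants every S3 action.
            "Sid": "AdminRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-admin"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-data-lake/*",
        },
        {   # Deny statements never widen access, so the audit skips them.
            "Sid": "DenyInsecure",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-data-lake/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the Principal element matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy_json):
    """Return a list of (Sid, severity, reason) findings for Allow statements."""
    findings = []
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        wildcard = _is_wildcard_principal(stmt.get("Principal"))
        conditioned = bool(stmt.get("Condition"))
        if wildcard and not conditioned:
            findings.append((sid, "HIGH", "public principal with no Condition"))
        elif wildcard:
            findings.append((sid, "MEDIUM", "public principal limited only by Condition"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "MEDIUM", "grants every S3 action"))
    return findings


if __name__ == "__main__":
    for sid, sev, reason in audit_bucket_policy(SAMPLE_POLICY):
        print(f"{sev:6} {sid}: {reason}")
```

The check deliberately treats any wildcard principal as a finding even when a Condition narrows it, because conditions such as a source VPC endpoint are easy to get wrong and deserve a human look. It does not evaluate NotPrincipal or NotAction forms, bucket ACLs, or the account-level Block Public Access setting, all of which also bear on whether a bucket is actually exposed.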

To tackle these challenges, Amazon launched Macie a few years ago as a data protection system for S3 buckets. As with several security products launched by cloud vendors, it has been my experience that while these may allow you to check “yes” on the compliance assessment form, they are found to be wanting when it comes to protecting your data.

I don’t make this assertion lightly. Here are the key reasons for my assertion:

1. The Heavy Lifting is Left to You

Yes, Amazon Macie detects sensitive data — but that’s it. It has no concept of policies, consent, legitimate and illegitimate uses of data, or remediation workflows. Users are handed a huge pile of findings and left to fend for themselves. The result: Most users do nothing.

2. Limited File Formats Supported

Macie supports only about a dozen file formats. This is woefully inadequate considering there are hundreds of file formats that can house sensitive enterprise data.

3. Zero Visibility into Image Files
