preventing unintended bucket encryption

[wjquigs]

There has been recent media news about attackers obtaining AWS credentials for S3 bucket access and encrypting bucket contents for ransom. Please review this blog https://aws.amazon.com/blogs/security/p ... s3-objects and implement the relevant steps to avoid this problem.
Step 1 does not currently apply to VBR, although periodic key rotation is a best practice.
Step 2 works in conjunction with Veeam’s immutability feature (checkbox on the repository). Do not enable S3 Lifecycle Policies on Veeam repositories.
Step 3, monitoring resources, is a best practice for Veeam environments.
Implement step 4 by modifying IAM to block encryption on buckets used for Veeam backup repositories. The example resource policy is reproduced here.

Code: Select all

{
    "Version": "2012-10-17",    
    "Statement": [
        {
            "Sid": "RestrictSSECObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<your-bucket-name>/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"
                }
            }
        }
    ]
 }

These changes are simple and can protect you from this attack vector. Also, enabling object lock/immutability is a best practice for repositories storing critical or sensitive data.

William Quigley - AWS

[Mildur]

Hi William,

Thank you for sharing this information with our community.
We will review it with our QA/help center team to see if we can add this permission to our help center guides. Especially since the Amazon Guide for Veeam Backup & Replication already suggests this IAM permission in their sample policy.

Nonetheless, if you use buckets with object lock (immutable backup repositories), you should already be protected from this attack method.

Best,
Fabian