Discussions related to using object storage as a backup target.
wjquigs
Novice
Posts: 3
Liked: 2 times
Joined: Oct 12, 2023 6:37 pm
Full Name: William Q

preventing unintended bucket encryption

Post by wjquigs »

There has been recent media news about attackers obtaining AWS credentials for S3 bucket access and encrypting bucket contents for ransom. Please review this blog https://aws.amazon.com/blogs/security/p ... s3-objects and implement the relevant steps to avoid this problem.
Step 1 does not currently apply to VBR, although periodic key rotation is a best practice.
Step 2 works in conjunction with Veeam’s immutability feature (checkbox on the repository). Do not enable S3 Lifecycle Policies on Veeam repositories.
Step 3, monitoring resources, is a best practice for Veeam environments.
Implement step 4 by modifying IAM to block encryption on buckets used for Veeam backup repositories. The example resource policy is reproduced here.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictSSECObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<your-bucket-name>/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"
                }
            }
        }
    ]
}
These changes are simple and can protect you from this attack vector. Also, enabling object lock/immutability is a best practice for repositories storing critical or sensitive data.

William Quigley - AWS
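A small audit helper, added here as an example and not part of William's post or the AWS blog: it checks whether a bucket policy document contains the step 4 deny on SSE-C uploads, by simulating how the IAM "Null" condition evaluates a PutObject with and without the SSE-C algorithm header. The bucket name example-veeam-repo and the function names are assumptions; only the Null condition operator is modelled, and Principal is ignored (any caller).

```python
import json

SSEC_HEADER = "s3:x-amz-server-side-encryption-customer-algorithm"
# Constructed sample: the policy from the post with an assumed bucket name filled in.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "RestrictSSECObjectUploads", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-veeam-repo/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}
""")


def _as_list(value):
    # IAM accepts a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def _null_condition_matches(statement, request_keys):
    # IAM "Null" semantics: {key: "false"} matches when the key IS present in the
    # request, {key: "true"} when it is absent. No Null block means "always matches".
    null_block = statement.get("Condition", {}).get("Null", {})
    for key, want_absent in null_block.items():
        is_absent = key not in request_keys
        if is_absent != (str(want_absent).lower() == "true"):
            return False
    return True


def put_object_denied(policy, bucket, request_keys):
    """Explicit-Deny evaluation for PutObject on any object in `bucket`;
    `request_keys` is the set of condition keys the request carries."""
    resource = f"arn:aws:s3:::{bucket}/*"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        if not {"s3:PutObject", "s3:*"} & set(_as_list(st.get("Action", []))):
            continue
        if not {resource, "*"} & set(_as_list(st.get("Resource", []))):
            continue
        # Only the Null operator is modelled; skip statements that use other
        # operators rather than wrongly reporting them as a blanket deny.
        if set(st.get("Condition", {})) - {"Null"}:
            continue
        if _null_condition_matches(st, request_keys):
            return True
    return False


def policy_blocks_ssec(policy, bucket):
    """Step 4 audit: SSE-C PutObject is denied while a plain PutObject is not."""
    return (put_object_denied(policy, bucket, {SSEC_HEADER})
            and not put_object_denied(policy, bucket, set()))
```

Run it against the output of get-bucket-policy for each Veeam repository bucket; a bucket where policy_blocks_ssec returns False has not applied step 4.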
Mildur
Product Manager
Posts: 10309
Liked: 2752 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: preventing unintended bucket encryption

Post by Mildur »

Hi William,

Thank you for sharing this information with our community.
We will review it with our QA/help center team to see if we can add this permission to our help center guides, especially since the Amazon Guide for Veeam Backup & Replication already suggests this IAM permission in its sample policy.

Nonetheless, if you use buckets with object lock (immutable backup repositories), you should already be protected from this attack method.

Best,
Fabian
Product Management Analyst @ Veeam Software