Sunday, March 13, 2016

AWS s3 bucket encryption audit

Storing sensitive information in AWS S3? Then encrypting your data at rest is a must.
How?

  • do it yourself (client-side encryption) and upload the data to S3 already encrypted
  • ask AWS to do it for you (server-side encryption). In this case you have two options: S3-managed encryption keys (SSE-S3) or KMS-managed encryption keys (SSE-KMS).

If you create a new bucket for sensitive data, NEVER create it without an AWS bucket policy enforcing encryption: encryption is an object-level attribute in S3, and the user specifies (technically, requests) it during the upload. The policy blocks every upload that does not request encryption. Simple and easy.. Except:
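The policy the paragraph above refers to, written out as an added example (this is not code from the original post). The bucket name is a placeholder and the helper names are my own. It denies `s3:PutObject` when the `x-amz-server-side-encryption` header is missing, and separately when the header names a mode other than SSE-S3 (`AES256`) or SSE-KMS (`aws:kms`). The small `upload_denied` function only simulates the two condition operators the policy uses so the policy can be checked offline; it is not the IAM evaluation engine. One caveat: the condition is evaluated on the request, so this policy also rejects clients that rely on bucket default encryption and never send the header.

```python
import json

# Hypothetical helper names; the bucket name used below is a placeholder.
SSE_HEADER = "s3:x-amz-server-side-encryption"


def build_sse_enforcing_policy(bucket_name, allowed_modes=("AES256", "aws:kms")):
    """Bucket policy (as a dict) denying PutObject requests that do not request
    server-side encryption, or request a mode outside allowed_modes
    (AES256 = SSE-S3, aws:kms = SSE-KMS)."""
    resource = f"arn:aws:s3:::{bucket_name}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Header absent entirely: the object would land unencrypted
                "Sid": "DenyUploadsWithoutEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {SSE_HEADER: "true"}},
            },
            {
                # Header present but asks for a mode we do not allow
                "Sid": "DenyUploadsWithUnexpectedEncryptionMode",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {SSE_HEADER: list(allowed_modes)}},
            },
        ],
    }


def upload_denied(policy, request_headers):
    """Locally evaluate the Deny statements against the condition keys a
    PutObject request would carry. Supports only the Null and StringNotEquals
    operators used above; it is an offline check, not the IAM engine."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for operator, keys in stmt["Condition"].items():
            for key, expected in keys.items():
                value = request_headers.get(key)
                if operator == "Null":
                    # "true" matches when the key is absent from the request
                    matched = (value is None) == (expected == "true")
                elif operator == "StringNotEquals":
                    allowed = expected if isinstance(expected, list) else [expected]
                    # an absent key never matches a string operator
                    matched = value is not None and value not in allowed
                else:
                    raise ValueError(f"unsupported operator {operator}")
                if matched:
                    return True
    return False


def apply_policy(bucket_name, profile_name="prod"):
    """Attach the policy to a real bucket (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the rest of the module runs without it
    session = boto3.session.Session(profile_name=profile_name)
    session.client("s3").put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(build_sse_enforcing_policy(bucket_name)),
    )


if __name__ == "__main__":
    policy = build_sse_enforcing_policy("example-sensitive-bucket")  # placeholder
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: plain upload, SSE-S3, SSE-KMS, unknown mode
    for headers in ({}, {SSE_HEADER: "AES256"}, {SSE_HEADER: "aws:kms"}, {SSE_HEADER: "none"}):
        print(headers, "->", "DENIED" if upload_denied(policy, headers) else "allowed")
```

Running the module prints the policy document and shows that only the two requests carrying an allowed mode pass; `apply_policy` is the one call that touches AWS.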

You have an existing S3 bucket with data uploaded before you enabled this policy, you have a mix of encrypted and unencrypted objects, or you are just doing a security audit. In this case you need to scan the bucket to find the unencrypted objects. How? Quite easy, using the few Python lines below:


import boto3
import sys

# Use the named credentials profile from ~/.aws/credentials
boto3.setup_default_session(profile_name='prod')
s3 = boto3.resource('s3')

if len(sys.argv) < 2:
    print("Missing bucket name")
    sys.exit(1)  # sys.exit without the parentheses never actually exits

bucket = s3.Bucket(sys.argv[1])
for obj in bucket.objects.all():
    # Reading server_side_encryption issues one HeadObject request per object;
    # that per-object round trip is what makes large buckets slow to scan
    key = s3.Object(bucket.name, obj.key)
    if key.server_side_encryption is None:
        print("Not encrypted object found:", key.key)

Nice, yes, but it will take almost forever to scan a bucket that contains thousands or tens of thousands of objects. In that case it would be nice to have some counters, a progress bar, an ETA, a summary, etc. So, voilà:

https://github.com/IhorKravchuk/it-security/blob/master/s3_enc_check.py


A small program providing all the features mentioned. Feel free to use it or request reasonable changes/modifications.
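An added example of the same scan with counters, periodic progress, an ETA and a summary; it is my own code, not the linked script. It uses the `list_objects_v2` paginator and one `head_object` call per object, which is the part that dominates runtime. `FakeS3Client` and `SAMPLE_OBJECTS` are constructed stand-ins so the scan runs offline; the script name `s3_enc_scan.py` and the profile handling in `main` are assumptions, and boto3 is imported only when a real bucket name is given.

```python
import sys
import time


def classify(head):
    """Map a HeadObject response dict to an encryption mode."""
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "unencrypted"
    return "SSE-KMS" if sse == "aws:kms" else "SSE-S3"  # AES256 -> SSE-S3


class ScanStats:
    """Counters plus ETA for a long scan."""

    def __init__(self):
        self.started = time.monotonic()
        self.total = 0
        self.counts = {}
        self.unencrypted = []

    def record(self, key, mode):
        self.total += 1
        self.counts[mode] = self.counts.get(mode, 0) + 1
        if mode == "unencrypted":
            self.unencrypted.append(key)

    def eta_seconds(self, expected_total):
        """Seconds left at the observed rate; None before any object is done."""
        remaining = expected_total - self.total
        if remaining <= 0:
            return 0.0
        elapsed = time.monotonic() - self.started
        if self.total == 0 or elapsed == 0:
            return None
        return remaining * elapsed / self.total

    def summary(self):
        parts = [f"{self.total} objects"]
        parts += [f"{n} {mode}" for mode, n in sorted(self.counts.items())]
        return ", ".join(parts)


def scan_bucket(client, bucket, expected_total=None, report_every=1000, out=sys.stderr):
    """List every object page by page and HEAD each one (the expensive call);
    print a progress line every report_every objects."""
    stats = ScanStats()
    for page in client.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            head = client.head_object(Bucket=bucket, Key=obj["Key"])
            stats.record(obj["Key"], classify(head))
            if stats.total % report_every == 0:
                line = f"{stats.total} scanned, {len(stats.unencrypted)} unencrypted"
                eta = stats.eta_seconds(expected_total) if expected_total else None
                print(line + (f", ETA {eta:.0f}s" if eta is not None else ""), file=out)
    return stats


class FakeS3Client:
    """Constructed stand-in for the boto3 S3 client; implements only the two
    calls scan_bucket makes, so the example runs offline."""

    def __init__(self, objects):
        self._objects = objects  # key -> HeadObject-style response dict

    def get_paginator(self, name):
        assert name == "list_objects_v2"
        objects = self._objects

        class Paginator:
            def paginate(self, Bucket, PageSize=2):
                keys = sorted(objects)
                for i in range(0, len(keys), PageSize):
                    yield {"Contents": [{"Key": k} for k in keys[i:i + PageSize]]}

        return Paginator()

    def head_object(self, Bucket, Key):
        return self._objects[Key]


# Constructed sample bucket: two encrypted objects, two legacy unencrypted ones
SAMPLE_OBJECTS = {
    "reports/2016-03.csv": {"ServerSideEncryption": "AES256"},
    "reports/2016-02.csv": {"ServerSideEncryption": "aws:kms"},
    "legacy/dump.sql": {},
    "legacy/notes.txt": {},
}


def main(argv):
    """Real scan: s3_enc_scan.py <bucket> [profile]. Exit 1 if anything is unencrypted."""
    import boto3  # imported here so the offline demo below needs no boto3
    profile = argv[2] if len(argv) > 2 else None
    stats = scan_bucket(boto3.session.Session(profile_name=profile).client("s3"), argv[1])
    print(stats.summary())
    for key in stats.unencrypted:
        print("Not encrypted object found:", key)
    return 1 if stats.unencrypted else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    demo = scan_bucket(FakeS3Client(SAMPLE_OBJECTS), "demo", expected_total=4, report_every=2)
    print(demo.summary())
```

Without arguments the script scans the constructed sample and prints two progress lines plus the summary; with a bucket name it scans the real bucket and returns a non-zero exit code when unencrypted objects exist, which makes it usable from a scheduled audit job.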
