As stated in my previous blog, auditing is critical when it comes to verifying changes, both legitimate and malicious, to your backups. By recording and constantly tracking backup storage activity, you can verify that the security of your backups remains intact. This blog takes you through some tips on how to set up and use Amazon Web Services (AWS) audit features for your backup storage.
Auditing is relative to the access controls that apply to your storage. Before thinking about auditing, you need an access control policy that is already in place, that is, access controls that have already been applied to your backup storage. AWS offers numerous ways to implement such a policy; the main aspects to consider are bucket and object ownership, resource operations, and managing access to resources.
An AWS resource is essentially an entity you can work with. Buckets and objects are resources, and each has associated subresources. The subresources relevant to access control are the policy and ACL subresources, which are used to create resource-based policies, as we will see later.
To access storage on AWS, you can make authenticated requests in either of the following ways:
- Making requests using the REST API.
- Making requests using the AWS SDKs.
Using access keys (an access key ID and a secret access key) is the most common credential for accessing AWS storage. Backup Ninja requires you to specify an access key ID and a secret access key. You can also use access keys to sign programmatic requests made via the AWS SDK, AWS CLI, or AWS REST API. You can generate AWS access keys with the following steps:
- Log on to the IAM console.
- In the navigation bar on the upper right, choose your username, then choose My Security Credentials.
- Expand the Access keys section.
- Choose Create New Access Key.
You can then apply the generated credentials to Backup Ninja when setting up your cloud credentials, as shown below.
AWS gives you a variety of options to define "who has access to what". You can use either of the following access policy options to authorize access to your backups:
- Resource-based policies
  - Access Control List (ACL) - Each bucket and object has an ACL associated with it. ACLs can be used to grant basic read/write permissions to AWS accounts.
  - Bucket Policy - This is applied to a bucket to grant an AWS account or IAM user permissions for the entire bucket and the objects in it.
- User policies - You can create IAM users, groups, and roles in your account and attach access policies to them, granting them access to AWS resources.
AWS can produce detailed access logs for your storage buckets. By default, server access logging is disabled when you create a bucket. Below are the steps to enable it:
- Log on to the AWS management console.
- Under the Services menu, select S3, which is under the Storage section of the menu. You should see your list of buckets.
- Select the bucket for which you wish to enable logging.
- In the details pane, click the Properties tab on the upper right side of the page. This displays a Properties pane for the selected bucket.
- Find the Server access logging block and select it.
- Select the Enabled checkbox.
- Finally, click the Save button.
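Once server access logging is enabled, the delivered records can be scanned for the events that matter most to a backup audit: object deletions, permission changes, and denied requests. The following is an added example written for this post, not code from the original article or from Backup Ninja; the log lines are constructed in the S3 server access log layout, and the bucket name, account id, IP addresses and user names are placeholders.

```python
import re
from collections import Counter

# Leading fields of an S3 server access log record, in delivery order.
# Later fields (host id, signature version, TLS version, ...) are ignored here.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referrer", "user_agent", "version_id"]

# A token is a bracketed timestamp, a double-quoted string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Operations that destroy backup data or alter who may reach it.
# Extend with any other permission-changing operation you want to track.
WATCHED_OPS = {"REST.DELETE.OBJECT", "REST.PUT.ACL"}

def parse_record(line):
    """Split one access log line into a dict keyed by FIELDS."""
    rec = dict(zip(FIELDS, TOKEN.findall(line)))
    rec["time"] = rec["time"].strip("[]")
    return rec

def audit(lines):
    """Return (findings, requests-per-requester) for a batch of log lines."""
    findings, by_requester = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        by_requester[rec["requester"]] += 1
        if rec["operation"] in WATCHED_OPS:
            findings.append(("change", rec["operation"], rec["key"], rec["requester"]))
        elif rec["http_status"] == "403":
            findings.append(("denied", rec["operation"], rec["key"], rec["remote_ip"]))
    return findings, by_requester

# Constructed sample records (not real log data) for a placeholder bucket "backups".
SAMPLE = """\
owner1 backups [01/Mar/2021:10:00:01 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/backup-ninja 1A2B3C REST.PUT.OBJECT db/full-2021-03-01.tar.gz "PUT /backups/db/full-2021-03-01.tar.gz HTTP/1.1" 200 - - 1048576 120 100 "-" "aws-cli/2.1" -
owner1 backups [01/Mar/2021:10:05:44 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice 4D5E6F REST.DELETE.OBJECT db/full-2021-02-28.tar.gz "DELETE /backups/db/full-2021-02-28.tar.gz HTTP/1.1" 204 - - - 30 25 "-" "S3Console/0.4" -
owner1 backups [01/Mar/2021:10:06:02 +0000] 203.0.113.9 - 7G8H9I REST.GET.OBJECT db/full-2021-03-01.tar.gz "GET /backups/db/full-2021-03-01.tar.gz HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "curl/7.68" -
owner1 backups [01/Mar/2021:10:07:15 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice J1K2L3 REST.PUT.ACL - "PUT /backups?acl HTTP/1.1" 200 - - - 18 15 "-" "S3Console/0.4" -
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE.splitlines())[0]:
        print(*finding)
```

Real log objects are delivered to the target bucket you chose when enabling logging; feed their lines to audit() in place of SAMPLE.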
AWS provides good features and guidelines for auditing your backup storage. Below is a recap of what you need to do as part of your audit operations:
- Review your storage IAM users, groups, and roles.
- Review your AWS storage account credentials.
- Review your AWS S3 bucket policies and ACLs.
- Constantly monitor activity for your AWS account.