Amazon S3 Ransomware Defenses [Cheat Sheet]

Amazon S3 Ransomware defenses

In the prior cheat sheet, we looked at Amazon S3 Ransomware Attacks. This time, let’s take a look at effective defenses.

Special thanks to Jason Kao from Fog Security for collaborating on these cheat sheets!

Cheat Sheet Download

You can download it (and feel free to share!), and we provide a breakdown below:

Defense Techniques

Defending against S3 ransomware comes down to 3 main approaches:

  1. Prevention
  2. Detection
  3. Recovery

For more info on how to effectively implement all 3, check out the sources listed at the end of this post.

Prevention

For prevention, we’re primarily looking at implementing the following.

IAM restrictions:

  • Bucket Policies
  • RCPs & SCPs
  • IAM least privilege


Data Deletion Prevention:

  • Object Lock
  • Versioning

Detection

Detection mainly comes down to the following.

Monitoring and alerting:

  • Monitor S3 activity via CloudTrail (including data events)
  • Create CloudWatch alarms
  • Set up Lambda functions for automated response

Audit:

  • Monitor KMS encryption keys
  • Perform regular security audits

Recovery

To help with recovery, we need to make sure the following are in place.

Backup data:

  • Cross-account with AWS Backup
  • Isolate via IAM and separate encryption keys

Simulations:

  • Simulate ransomware attacks
  • Test recovery procedures regularly

Testing and Tools

To help you test the effectiveness of your prevention, detection, and recovery efforts, here are 4 open source tools you can deploy:

  • RansomWhen
  • Stratus Red Team
  • Finders Keepers
  • YES3 Scanner

RansomWhen

KMS-based S3 ransomware detection

Stratus Red Team

Cloud attack simulation framework

Deploy this tool for free with our Hands-On Lab >

Finders Keepers

KMS key resource finder

YES3 Scanner

S3 Security Scanner

Deploy this tool for free with our Hands-On Lab >

Sources and more info

More AWS Security cheat sheets

Related Articles

Responses

Your email address will not be published. Required fields are marked *