Amazon S3 Ransomware Defenses [Cheat Sheet]
In the prior cheat sheet, we looked at Amazon S3 Ransomware Attacks. This time, let’s take a look at effective defenses.
Special thanks to Jason Kao from Fog Security for collaborating on these cheat sheets!
Cheat Sheet Download
You can download it (and feel free to share!), and we provide a breakdown below:

Defense Techniques
Defending against S3 ransomware comes down to 3 main approaches:
- Prevention
- Detection
- Recovery
For more info on how to effectively implement all 3, check out the sources listed at the end of this post.
Prevention
For prevention, we’re primarily looking at implementing the following.
IAM restrictions:
- Bucket Policies
- RCPs & SCPs
- IAM least privilege
Data Deletion Prevention:
- Object Lock
- Versioning
Detection
Detection mainly comes down to the following.
Monitoring and alerting:
- Monitor S3 activity via CloudTrail (including data events)
- Create CloudWatch alarms
- Set up Lambda functions for automated response
Audit:
- Monitor KMS encryption keys
- Perform regular security audits
Recovery
To help with recovery, we need to make sure the following are in place.
Backup data:
- Cross-account with AWS Backup
- Isolate via IAM and separate encryption keys
Simulations:
- Simulate ransomware attacks
- Test recovery procedures regularly
Testing and Tools
To help you test the effectiveness of your prevention, detection, and recovery efforts, here are 4 open source tools you can deploy:
- RansomWhen
- Stratus Red Team
- Finders Keepers
- YES3 Scanner
RansomWhen
KMS-based S3 ransomware detection
- Enumerates identities that can lock S3 buckets using KMS
- Detects occurrences of S3 ransomware using KMS
- GitHub: https://github.com/Permiso-io-tools/RansomWhen
Stratus Red Team
Cloud attack simulation framework
- Launch simulated cloud attacks
- Includes multiple S3 ransomware simulations
- Website: https://stratus-red-team.cloud
Deploy this tool for free with our Hands-On Lab >
Finders Keepers
KMS key resource finder
- Finds resources encrypted with specific KMS key
- Helps determine blast radius of compromised keys
- Website: https://github.com/FogSecurity/finders-keypers
YES3 Scanner
S3 Security Scanner
- Looks for potential S3 security issues related to access, encryption, and ransomware
- Website: https://github.com/FogSecurity/yes3-scanner
Deploy this tool for free with our Hands-On Lab >
Sources and more info
- Complete Guide to Ransomware Protection in S3 and KMS
- List of attack simulation tools
- Ransomware in Amazon S3: SSE-C (detection tips & tricks)
Responses