jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 3e9df87cf1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3e9df87cf1'
${ noResults }
blog/content/2018/03/unusable-insecurity.html

83 lines
4.3 KiB
Raw Blame History 

  1. ---

  2. title: Unusable Insecurity

  3. description: >

  4.   When people make security hard, no one will use it [properly].

  5. posted: !!timestamp '2018-03-16'

  6. created: !!timestamp '2018-03-16'

  7. time: 1:40 PM

  8. tags:

  9.   - security

  10. ---

  11. 

  12. Many people claim that security is hard, and in many cases it is hard,

  13. but that isn't an excuse to make it harder than it needs to be. There

  14. are many layers to security, but adding extra layers, or making security

  15. controls inscrutable is a great way to ensure insecurity. Security needs

  16. to be simple and straightforward to configure, and easy to understand.

  17. There may be knobs for advanced users, but defaults need to be simple and correct.

  18. 

  19. I recently looked at using S3 as a shared store for some data. I was

  20. using the account New Context created for me that had limited AWS

  21. permissions. Creating the S3 bucket was simple enough, and making it

  22. not-public was too, but then I wanted to create a user/API key that only

  23. had access to the S3 bucket. Per Amazon

  24. [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html),

  25. you should not share your account, but create new users for access. It

  26. turns out that I did not have the CreateUser permission. I involved a

  27. co-worker who did have permissions to create the user. Adding another

  28. person to the task makes things more complex through communication and

  29. their availability to work on it instead of their normal work.

  30. 

  31. As part of creating a user, you have to figure out what the Policy that

  32. you need to assign to the user. Amazon provides some

  33. [Bucket Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html),

  34. but none of them is a simple policy on granting read and write permissions

  35. to the bucket. There is an

  36. [Amazon Policy Generator](https://awspolicygen.s3.amazonaws.com/policygen.html)

  37. for helping you to create the policies, but it doesn't allow you to

  38. select buckets from your account (to simplify ARN [Amazon Resource Name]

  39. selection), and there are almost 70 actions provided in the selector.

  40. After some brief reading, I settled on a simple policy that I thought

  41. would allow the new user proper access: 4 permissions: PutObjects,

  42. GetObjects, ListObjects and RestoreObjects.

  43. 

  44. My co-worker created the user and applied the policy, but then I got an

  45. error handle code. Amazon does not provide an interface for turning on

  46. logging and/or querying why a request failed. Despite the error handle,

  47. I had ZERO insight into why the request failed. I could have involved

  48. AWS support, but now that would add yet another party in attempting to

  49. properly configure S3.

  50. 

  51. At this stage, I decided to give up, as I had already spent a few hours

  52. of my time, some of my co-worker's time, and a couple weeks due to

  53. various delays due to availability and other work. In this case, storing

  54. the data in S3 was more of a nicety, and I decided that checking the

  55. data into a private git repo was adequate compared to the complexities

  56. involved in configuring S3. git was a tried and tested way to store data

  57. and restrict access while S3 for this usage was not, and hard to

  58. configure.

  59. 

  60. After I wrote this blog post, a coworker linked me to the blog post titled

  61. [Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket](https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/).

  62. It is concerning that this blog post has not been integrated, nor linked

  63. to from any of the IAM or S3 documentation. This is a valuable resource

  64. that should not be hidden.

  65. 

  66. I'm clearly not the only one that has had issues configuring S3 buckets.

  67. The end of 2017 has shown a large number of organizations fail to

  68. properly secure their S3 buckets, leaving many terabytes of data open

  69. for public download. It is unacceptable that such a service is so

  70. difficult to configure. The site

  71. [https://s3stupidity.com/](https://s3stupidity.com/) lists the large

  72. number of breaches, many of which are by large companies who should

  73. have the technical chops (and $$) to properly configure it.

  74. 

  75. Security controls need to be simple and clear. Their descriptions need

  76. to be accurate and concise in what they do, and how they do it. Amazon

  77. does have a number of good resources, but they do not have a

  78. comprehensive guide for what each permission does. You cannot blame

  79. users for security failures when you make it next to impossible to

  80. configure properly.

  81. 

  82. Edited to remove a couple extra words.