Amazon Web Services (AWS) has raised concerns over unusual encryption activities targeting Amazon S3 buckets.
The AWS Customer Incident Response Team (CIRT), along with automated security monitoring systems, recently detected an increase in unauthorized encryption attempts by threat actors using compromised customer credentials.
While no vulnerabilities in AWS services have been identified, the attacks leverage valid but unauthorized credentials to exploit server-side encryption with client-provided keys (SSE-C).
This method involves overwriting and re-encrypting customers’ data, raising significant data protection concerns.
To counter these threats, AWS recommends four key security practices to safeguard sensitive data:
1. Implement Short-Term Credentials
AWS emphasizes that eliminating long-term access credentials is the most effective defense against misuse.
Using features such as IAM roles, IAM Identity Center, and AWS Security Token Service (STS), customers can ensure applications use temporary, short-term credentials to securely access AWS resources.
This approach drastically reduces the risk of credential compromise.
2. Establish Data Recovery Procedures
To mitigate the risk of data loss due to overwriting or deletion, AWS advises enabling S3 Versioning, which stores multiple versions of an object within a bucket.
Additionally, using S3 replication or AWS Backup can help maintain copies of critical data across different AWS accounts or regions, ensuring faster recovery during incidents.
3. Monitor Access for Anomalies
AWS recommends robust monitoring using tools like AWS CloudTrail and S3 server access logs to detect unauthorized access patterns.
Creating CloudWatch alarms or automating corrective actions through Amazon EventBridge and AWS Lambda can further enhance detection and response capabilities.
4. Block SSE-C Usage When Unnecessary
For customers not relying on SSE-C, AWS suggests applying resource policies or resource control policies (RCPs) to block its usage.
Policies can be configured directly on S3 buckets or at the organizational level within AWS Organizations.
Proactive Mitigations Already in Place
AWS has implemented automatic security measures that have successfully blocked a large percentage of these unauthorized activities.
However, identifying malicious intent remains challenging when valid credentials are involved, making customer vigilance critical.
Continuing Security Commitment
AWS reassures customers that its teams, including the AWS CIRT and Amazon Threat Intelligence group, are actively monitoring and innovating to protect client environments.
“Our commitment to customer security is unwavering,” AWS stated, adding that it remains dedicated to building a secure cloud ecosystem for customers to innovate confidently.
AWS urges customers to immediately contact AWS Support if they notice unusual activity. Cooperation between AWS and its customers remains vital in combating evolving threat tactics.
%20has%20raised%20concerns%20over%20unusual%20encryption%20activities%20targeting%20Amazon%20S3%20buckets.){kind=link}