Accessing sensitive information

0

I have to run a step of lambda functions which requires sensitive information of the user and uploads the resulting file to the S3 bucket. This process need to be scheduled to run frequently. I want to make sure that the sensitive information and resulting file is only accessible by the user and not even the root user in any way possible. How to make sure that same code architecture can be setup in different AWS accounts and sometimes there could be possibility of code update.

2 Answers
0

The question here is not completely clear to me, but I can suggest a few items.

  1. Block public access to the bucket!
  2. Enable data encryption on the bucket!
  3. Control access to the bucket via a bucket policy.
  4. There are options to control the ownership of object in buckets.
profile pictureAWS
EXPERT
iBehr
answered 4 months ago
profile picture
EXPERT
reviewed 4 months ago
  • All the bucket-related mechanisms are useless against the root user of the account. Root has a hardwired override (only possible to countermand with an SCP) that allows it to modify or delete an S3 bucket policy. That would allow them to defeat all the bucket-related items you listed. The only thing root couldn't overrule is a KMS key policy, but they could simply make a copy of the Lambda function and modify it to deliver the data to a bucket they control instead, or any number of variations of that theme. Or, they could simply open a support ticket and ask support to reset the KMS key policy.

0

If you control the AWS Organizations organisation that the AWS accounts belong to that host the Lambda functions, IAM roles used as Lambda execution roles, their attached IAM policies, and the S3 bucket and its bucket policy, along with KMS keys for the S3 buckets or other related elements that you might be using, you could use a Service Control Policy (SCP) controlled at the organisation level to protect all those resources against changes, except by a deployment/management principal, likely an IAM role, which you would control and which you would separately protect against changes (including particularly the management role's assume role policy) with an SCP. SCPs are also effective at blocking the root user from performing those actions.

CloudFormation StackSets integrates with AWS Organizations in a way that makes it comparatively easy to deploy and update your code and associated elements across the accounts and regions you want.

It's useful to understand, however, that setting up the SCPs, identity-based policies, and resource-based policies such that all avenues for others to access or modify them are blocked can be quite intricate. Without an advanced level skillset in IAM, the setup isn't likely to end up airtight.

If you don't control the organisation, you aren't using one, or your adversary controls it, and the Lambda functions are having to reside in that untrusted account or org, there's no practical way for you to protect the data against those with control over the accounts/org.

EXPERT
Leo K
answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions