
Blog: Guard Your Users Against a Data Breach with Best Practices for AWS S3 Storage

06/09/2023

Few people think about all of the data it takes to run even a simple app. That, of course, is why they hire a mobile app developer to help them make sense of it all. Not only does running an app require processing power, it requires storage, which is constantly accessed and rendered for your users. Whether you’re holding rich content like images and videos, or unstructured data and analytics from your users, your storage strategy is one of the primary components of any app development project.

Why Does Data Storage Matter? 

Your choice of data storage can have a major impact on how your app operates. Here are a few of the most salient points to consider:  

Speed: Any cloud storage option measures object latencies in milliseconds, which sounds plenty fast. However, when you’re transferring thousands of read requests per second and accessing hundreds of objects with every screen load, every millisecond counts. 

Functionality: Storage access is closely managed by metadata, user permissions, and hierarchies. Mismanaged files or objects can slow or even block app functionality at the moment your user needs it. 

Security: The flip side of functionality and speed is security. Open access enables speed and functionality but compromises security. Your company may never recover from the multifaceted consequences of a data breach. 

Cost: Most storage options charge not only according to how much real estate your data takes up on the server but how often you access it. Balancing attractive storage features against overall cost can call for hard decisions and/or creative solutions. 

Scalability: One of the primary benefits of cloud-based storage is the ability to scale up or down on demand, rather than managing your own server bank, which can require precise projections and investment to continue scaling without overreaching in cost. Cloud storage charges only for what you use, which is why it’s the go-to option, even for large companies.  

Getting to Know AWS’ S3

There are plenty of factors that will influence your decision. File, block, and object storage each have their own benefits and drawbacks. With unstructured data that cannot be organized into a relational database, object storage is usually the best option. Google, Amazon, and Microsoft all offer their own object or blob storage. We happily work with whatever option a client already has and likes. However, when it’s up to us, we usually pick AWS S3 storage from Amazon, which offers speed and functionality at a good value. Furthermore, as part of the AWS suite of products, it’s well-supported and massive enough to handle enterprise-level apps. 

S3’s bucket organization also offers greater peace of mind by providing a number of functions that facilitate better security without compromising functionality or speed. On the other hand, if mishandled, data stored with S3 can be vulnerable to breaches. That’s why it’s vital that you and your app development team understand these best practices. 

 


Best Practices for Data Security When Using S3

Here are a few tips that enable our team to keep our clients’ data (and the private information of their users) secure. 

1: Keep, Maintain, and Enforce Bucket Privacy Configurations

Bucket security misconfiguration has been at the heart of numerous widely publicized data breaches. What’s amazing is that most of these past security breaches can’t even be considered “hacking”. If the buckets aren’t configured as private and Block Public Access isn’t enabled, then the information is out there in the world for anyone to access. You might as well leave the door to a safe ajar. As such, you would think that more companies would be vigilant regarding this easily preventable problem. Because cloud storage is a relatively new option, many established companies have no protocol in place to configure their bucket storage security, and many new companies simply don’t know what they don’t know.

When a new bucket is created, it is private by default. More recently, AWS has also enabled the Block Public Access feature automatically, providing an additional layer of security that prevents public access to the bucket and its objects. Keeping these security settings in place, and re-establishing them whenever additional access has been temporarily granted, needs to be a foundational part of your security protocol. In case you’re not yet convinced, here’s a look at what happens when bucket privacy is misconfigured:

Case Study #1: Breastcancer.org Left User Data Vulnerable 

A Pennsylvania-based nonprofit catering to cancer patients hosted over 2 million visitors on its website per month. In 2022, internet security watchdogs SafetyDetectives discovered that the website’s storage bucket was missing any authentication controls and left publicly available for anyone to find. The bucket contained roughly 150GB of data, including many sensitive images uploaded by users, often pertaining to medical diagnoses. U.S. law guards the privacy of health data. However, overlooking this small step of proper configuration and access control left the nonprofit vulnerable to lawsuits and violated the privacy of their users. 

Case Study #2: Airport Security Information Exposed

At least four airports in Colombia and Peru left security staff data in an unsecured AWS S3 bucket, leaving personal identification data available and airport security itself at high risk. Post-pandemic ransomware attackers have increasingly targeted airports and airlines as increased demand for travel coincides with updated cloud-based data storage that remains unsecured. With millions of travelers depending on airport security for their safety each day, this kind of vulnerability puts lives at risk. 

Case Study #3: McGraw Hill Student Data at Risk

This data vulnerability included information for more than 100,000 students, not to mention the source code and digital keys for the education company itself. Once again, the data was stored in unsecured AWS S3 buckets and discovered by an internet security company, which notified the company of the vulnerability. In total, over 20TB of data were at risk, comprising grades and personal contact information for thousands of students at notable universities throughout the United States. 

Each of these stories is from 2022 alone, and this is just a small sampling of bucket storage vulnerabilities by prominent companies during that time period. A piece of free advice—configuring your storage buckets for privacy is one of the simplest things you can do to improve your app data security on S3. Take action now to guard yourself and your users’ information. 

To secure your cloud storage buckets, follow Amazon’s detailed instructions here.  
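As an added example (not code from the original post or from AWS), the following audit takes a bucket's Block Public Access settings, bucket policy and ACL grants and reports every setting that would expose the bucket. The bucket names and sample input are constructed; the input is shaped like the responses of the S3 GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl calls.

```python
import json

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, also when "*" sits inside a list."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(name, public_access_block, policy_json, acl_grants):
    """Return a list of findings; an empty list means no public exposure was found."""
    findings = []
    pab = public_access_block or {}  # a missing configuration counts as all flags off
    off = [flag for flag in BPA_FLAGS if not pab.get(flag, False)]
    if off:
        findings.append(f"{name}: Block Public Access not fully enabled ({', '.join(off)})")
    policy = json.loads(policy_json or '{"Statement": []}')
    for stmt in _as_list(policy.get("Statement", [])):
        # Only unconditional grants are flagged; statements with a Condition need manual review.
        if stmt.get("Effect") == "Allow" and _is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(f"{name}: policy allows {stmt.get('Action', 'NotAction')} to any principal")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"{name}: ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    return findings

# Constructed sample input for one exposed bucket and one locked-down bucket.
LEAKY = audit_bucket(
    "example-uploads",
    {"BlockPublicAcls": True, "IgnorePublicAcls": True,
     "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-uploads/*"}]}),
    [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "READ"}])
PRIVATE = audit_bucket("example-private", dict.fromkeys(BPA_FLAGS, True), None, [])

if __name__ == "__main__":
    print("\n".join(LEAKY) or "no findings")
```

Running a check like this on a schedule catches the case the section warns about, where access is opened temporarily and never closed again.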

2: Grant Temporary Object Access With Pre-Signed URLs 

Another practice that helps keep your S3 bucket storage secure is to use pre-signed URLs to give users temporary access to items in private S3 buckets. This way, there’s no need to change bucket privacy settings or grant users standard AWS security credentials. Instead, users are given a pre-signed URL that allows access to a specific object for a very short period (i.e. one minute or less). This private, signed, time-limited link preserves security while still offering convenient access for your users.

This function is often used by developers during a build, to allow others to access files in the moment without changing user permissions. However, it can be useful in a wide variety of scenarios. For example, a job search site can enable someone to upload their resume and store it within the app (where it’s saved in bucket storage). Others can click a button to request the resume and, behind the scenes, program code generates a pre-signed URL that grants the requesting user limited-time access to download that resume. The link to the resume will expire within the next couple of minutes, ensuring that any gaps in object access are re-sealed almost immediately. It’s a simple yet powerful way to control temporary access to your S3 objects.

3: Carefully Control Permissions and Access Internally

This third tip is a smart practice for any kind of technology tool within your company, not just cloud storage. Among your own employees and your team of contractors and partners, role-based access should be implemented and carefully controlled.

Many people on your team need some level of access to app storage in order to do their jobs. Whether they’re producing content, updating design, patching up code, or building new functionality on the app, they’ll need differing levels of access and control over the app’s stored data, source code, and user-generated content. User permissions should be set to the lowest level of access needed to get the job done.

You can also improve access to data without compromising security using object replication. AWS S3's Cross-Region Replication (CRR) and Same-Region Replication (SRR) features can be used to create copies of your data across different buckets, which can improve data availability, backup and restore procedures, and provide additional protection against data loss.

Enjoy the Numerous Benefits of Cloud Storage…Safely! 

These are just a few S3-specific tips that can help you keep tighter control over your data storage. An experienced app development company will help you determine additional practices that will cover your bases and ensure compliance with industry-specific regulations. Regular audits can identify vulnerabilities and patch leaks that may occur over time. 

As you utilize cloud storage that helps your app scale over time at a great value, continuously ask yourself and your development team hard questions about security. It’s a vital part of proving yourself worthy of the trust your users give you and maintaining important relationships that help your business thrive.