
Yes, S3 now encrypts objects by default, but your job is not done yet

submitted by
Style Pass
2024-09-03 11:00:05

AWS announced that S3 now enables the “block public access” and “disable ACL” settings for all new buckets. It’s great to see these being enabled by default. But the points I raised in the post still stand.

The default encryption (SSE-S3) only protects against situations where someone has stolen data from AWS servers or disks (similar to the LastPass incident). It doesn’t protect you against your own mistakes – e.g. leaving an existing bucket public, or someone compromising one of your developers’ credentials.
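To make that separation of controls concrete, here is an added offline audit (not code from the original post or from AWS) that walks an inventory of existing buckets and reports the gaps default encryption does not close: incomplete "block public access" settings, a bucket policy that grants access to anyone, and a missing default-encryption rule. The input dicts are constructed to mimic the shape of the `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-encryption` responses; the bucket names and the account id in the sample policy are placeholders.

```python
"""Offline audit of S3 bucket settings that SSE-S3 default encryption does not cover.

Constructed example: the SAMPLE_BUCKETS dicts imitate the JSON returned by the
s3api get-public-access-block / get-bucket-policy / get-bucket-encryption calls,
so the checks run with no credentials and no network access.
"""
import json

# The four settings that together make up S3 "block public access".
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed inventory: bucket names and the account id are placeholders.
SAMPLE_BUCKETS = {
    # Encrypted by default, yet readable by the whole internet.
    "encrypted-but-public": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
        },
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow", "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::encrypted-but-public/*",
            }],
        }),
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}],
        },
    },
    # All four public-access blocks on, access limited to one role (placeholder ARN).
    "locked-down": {
        "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::locked-down/*",
            }],
        }),
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}],
        },
    },
    # An old bucket created before the new defaults: nothing configured at all.
    "legacy-no-encryption": {},
}


def is_public_principal(principal):
    """True when a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(cfg):
    """Return a list of findings for one bucket's configuration dict."""
    findings = []

    # 1. Block public access: every one of the four flags must be on.
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("block public access incomplete: " + ", ".join(missing))

    # 2. Bucket policy: any Allow statement for an anonymous principal.
    policy = cfg.get("Policy")
    if policy:
        for stmt in json.loads(policy).get("Statement", []):
            if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else list(actions)
            note = " (statement has a Condition; review it)" if "Condition" in stmt else ""
            findings.append("bucket policy allows anyone: " + ", ".join(actions) + note)

    # 3. Default encryption rule present at all (new buckets get SSE-S3; old ones may not).
    if cfg.get("ServerSideEncryptionConfiguration") is None:
        findings.append("no default encryption rule configured")

    return findings


def audit_all(buckets):
    """Map bucket name -> findings; an empty list means no gap was found."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(name, "->", findings or "ok")
```

Run against a real account, the inventory would be built from the three `s3api` calls per bucket (a bucket with no public-access block or no policy raises a not-found error from the API; treat that as the empty dict here). The point the sample makes is that `encrypted-but-public` passes an "is it encrypted?" check and still fails two of the three controls.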

Encryption at rest has long been a cornerstone of data security, and it’s something everyone should take seriously. If an attacker is able to get hold of your data, encryption at rest becomes your last line of defence.

For instance, in the recent LastPass security breach, the attacker was able to steal customers’ vault data after compromising one of LastPass’s employees’ cloud accounts. The only saving grace from this terrible situation was that the data was encrypted at rest using 256-bit AES.

There has been speculation that the attacker might have been able to break the encryption and access the unencrypted data of some customers, perhaps through a combination of brute force and customers using weak or previously compromised passwords for their vault.
