S3

Ransomware in the cloud

eventName	Phase	Note
GetBucketVersioning	Impact	Highly useful should be limited usage in your environment
PutBucketVersioning	Impact	Highly useful should be limited usage in your environment

PutBucketVersioning

Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures. Source

Event will show the caller username and target bucketName.

Recommendations

The following recommendations are tailored to the prevention, detection, response and recovery of a ransomware incident in AWS.

• Enable a trail in CloudTrail to store data in a S3 bucket which allows for longer data retention;

• Enabled CloudTrail for data events, this can generate a lot of events and comes with an added cost, prioritize based on where your most important data is stored;

• Limit the usage of long-term access key, where possible use IAM roles. E.g. use an IAM role for an application hosted on EC2 that needs to store data in an S3 bucket and not an access key;

• Protect your access keys by regularly rotating them and monitoring for abuse, follow best practices guide by AWS;
• Enable bucket versioning with MFA delete, this will limit the ability to change bucket versioning settings, because MFA is required;

• Use AWS Backup for immutable backups, excellent blog by AWS here.