Ministry of Justice sets minimum security standards for AWS

Written by PublicTechnology staff on 17 June 2019 in News

Users of S3 storage warned against allowing public access, to tackle ‘leaky bucket’ risk

The Ministry of Justice has published security guidelines for its more than 120 Amazon Web Services (AWS) cloud computing accounts, designed to provide a “lowest common denominator” for security settings.

“We wanted to set the baseline at a good level, while catering for diverse architectures and applications, without creating unreasonable high-effort tasks for teams but ensuring we avoid common bad practice missteps,” according to a newly published blog post from senior security engineer Siddharthan Elangovan and Joel Samuel, a cybersecurity consultant working with the ministry.

They identified the “S3 leaky bucket” as a common problem, referring to AWS’s Simple Storage Service (S3), which provides ‘buckets’ of online storage for files and from which many organisations have suffered data leaks because of misconfigured access permissions. The baseline bars users from making S3 buckets ‘world’ – meaning publicly – readable unless this is the specific intention. Bucket permissions are monitored centrally, and the ministry will automatically remove ‘world’ access after a warning. Similar requirements are in place for AWS compute services.
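The kind of check such central monitoring has to perform is illustrated below. This is an added example, not the ministry’s own tooling: it inspects a bucket policy document and an ACL grant list (the structures returned by the S3 GetBucketPolicy and GetBucketAcl APIs) for grants that let anyone on the internet read objects, and it verifies the four S3 Block Public Access settings returned by GetPublicAccessBlock. It runs offline; the sample policies and ACLs at the bottom are constructed for illustration, and the bucket name, VPC endpoint ID and canonical user ID in them are placeholders. The handling of NotAction is a deliberate approximation (a full IAM policy evaluator is out of scope), so such statements are flagged rather than precisely evaluated.

```python
# Added example (not the MoJ baseline's own code): offline detection of
# world-readable S3 bucket policies and ACLs, plus a Block Public Access check.

# Actions that expose object contents; "s3:*" and "*" include s3:GetObject.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

# Grantee group URIs meaning "everyone" or "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy):
    """Return (sid, unconditional) for each Allow statement granting anonymous read.

    A statement with a Condition block (e.g. aws:SourceVpce or aws:SourceIp)
    may still be restricted, so it is reported with unconditional=False for
    human review rather than silently accepted or rejected.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # Approximation: Allow + NotAction permits everything except the listed
        # actions, so it exposes reads unless a read action is among the exclusions.
        not_actions = {a.lower() for a in _as_list(stmt.get("NotAction"))}
        grants_read = bool(actions & READ_ACTIONS) or (
            "NotAction" in stmt and not (not_actions & READ_ACTIONS)
        )
        if grants_read:
            findings.append((stmt.get("Sid", f"statement[{idx}]"), "Condition" not in stmt))
    return findings


def public_acl_grants(grants):
    """Return grantee URIs from an ACL grant list that give everyone read access."""
    exposed = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            if grant.get("Permission") in {"READ", "FULL_CONTROL"}:
                exposed.append(grantee["URI"])
    return exposed


def block_public_access_complete(config):
    """True when all four Block Public Access settings are on (PublicAccessBlockConfiguration dict)."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


def bucket_is_world_readable(policy, acl_grants):
    """Verdict for the 'remove world access' rule: any unconditional anonymous
    policy grant, or any public ACL grant, makes the bucket world-readable."""
    unconditional = [sid for sid, uncond in public_read_statements(policy) if uncond]
    return bool(unconditional or public_acl_grants(acl_grants))


# Constructed sample documents (placeholder names, not real buckets).
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Anonymous principal, but only via one VPC endpoint: needs review, not removal.
            "Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {   # An explicit Deny never makes a bucket public.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                   "Permission": "FULL_CONTROL"}]
PUBLIC_ACL = OWNER_ONLY_ACL + [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                "Permission": "READ"}]

if __name__ == "__main__":
    print(public_read_statements(PUBLIC_POLICY))                   # [('PublicRead', True)]
    print(public_read_statements(RESTRICTED_POLICY))               # [('VpceOnly', False)]
    print(bucket_is_world_readable(RESTRICTED_POLICY, PUBLIC_ACL))  # True, via the ACL grant
```

In a real deployment the two documents would be fetched per bucket across every account, the conditional findings routed to a reviewer, and the unconditional ones used to drive the warn-then-remove workflow the article describes; enabling all four Block Public Access settings at the account level is the simplest way to make a bucket unable to become world-readable in the first place.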

The baseline requirements also insist on use of GuardDuty, CloudTrail and Config – AWS’s threat detection, API activity logging and configuration auditing services – on all accounts at all times. They also require all AWS resources to be tagged so that ownership is clear.

Users are banned from creating resources in AWS regions outside the EU, and AWS Identity and Access Management (IAM) must be used, with alerts raised when new IAM users are created and idle ones suspended. When encryption is offered by AWS for a service, it must be enabled.

Elangovan and Samuel said that further security may be appropriate in some cases. “The baseline is our current minimum security posture for our MOJ AWS accounts – not what we think is a gold standard,” they wrote. “This helps set a bar but gives teams latitude for doing things differently when they need to.”

Research for PublicTechnology published in May found that the ministry was responsible for far more breaches of personal data than any other department, recording 3,184 in 2017-18.

