Published on PublicTechnology.net (https://www.publictechnology.net)

Home > Ministry of Justice sets minimum security standards for AWS

Ministry of Justice sets minimum security standards for AWS

Written by PublicTechnology staff on 17 June 2019 in News
News

Users of S3 storage warned against allowing public access, to tackle ‘leaky bucket’ risk

The Ministry of Justice has published security guidelines for its more than 120 Amazon Web Services (AWS) cloud computing accounts, designed to provide a “lowest common denominator” for security settings.

“We wanted to set the baseline at a good level, while catering for diverse architectures and applications, without creating unreasonable high-effort tasks for teams but ensuring we avoid common bad practice missteps,” according to newly published blogpost [1] from senior security engineer Siddharthan Elangovan and Joel Samuel, a cybersecurity consultant working with the ministry.

They identified “S3 leaky bucket” as a common problem, referring to AWS’s Simple Storage Service (S3) which provides ‘buckets’ of online space for files, from which many organisations have suffered leaks due to poor configuration. The baseline bars users for making S3 buckets ‘world’ – meaning publicly – readable unless this is the specific intention. Usage is monitored centrally and the ministry will automatically remove ‘world’ access after a warning. Similar requirements are in place for AWS Compute services.


Related content

  • Which government department suffers the most data breaches? [2]
  • Report reveals massive spike in Home Office data breach reporting following GDPR [3]
  • Government commits £500m to defence innovation scheme [4]

The baseline requirements also insist on use of GuardDuty, CloudTrail and Config, AWS’s threat detection, user tracking and configuration auditing services, on all accounts at all times. They also require all AWS objects to be tagged for ownership.

Users are banned from using resources outside the EU, and the service’s Identity and Access Management service must be used, with alerts when new accounts are created and idle ones suspended. When encryption is offered by AWS for a service, it must be enabled.

Elangovan and Samuel said that further security may be appropriate in some cases. “The baseline is our current minimum security posture for our MOJ AWS accounts – not what we think is a gold standard,” they wrote. “This helps set a bar but gives teams latitude for doing things differently when they need to.”

Research for PublicTechnology published in May [2] found that the ministry was responsible for far more breaches of personal data than any other department, recording 3,184 in 2017-18.

Tags
Cloud [5]
Cybersecurity [6]
Policy [7]
Categories
Business and industry [8]
Defence and Security [9]
#block-views-events-popup-block{ position: fixed; bottom: -30px; padding: 25px 22px; width: 360px; max-width: calc(100% - 30px); text-align: center; border-radius: 0 4px 0 0; color: #fff; background: rgb(0, 170, 200) none repeat scroll 0% 0%; -ms-transform: translateY(100%); -webkit-transform: translateY(100%); transform: translateY(100%); -webkit-transition: all .35s ease-in-out; transition: all .35s ease-in-out; z-index: 2; } #block-views-events-popup-block.show{ bottom:10px; transform:none; -webkit-transform:none; } #block-views-events-popup-block a.btn.btn--outlineWhite { border-color: #fff; color: #fff; background: transparent; } #block-views-events-popup-block .events-popup-close{ position: absolute; cursor: pointer; top: -30px; left: 0; height: 32px; padding: 7px 20px; border-radius: 4px 4px 0 0; color: #fff; background: rgb(0, 170, 200) none repeat scroll 0% 0%; font-size: 13px; } #block-views-events-popup-block .events-popup-close .icon--events-popupClose{ padding-left: 10px; font-family: inherit !important; } #block-views-events-popup-block .icon--events-popupClose:before { content: ''; width: 12px; height: 12px; margin: -1px 7px 0 0; background: url(https://www.publictechnology.net/sites/www.publictechnology.net/themes/pubtech_override/img/close-thin.svg) center no-repeat; background-size: 10px; vertical-align: middle; position: absolute; left: 10px; top: 10px; } #block-views-events-popup-block .views-field.views-field-nid .field-content{ display:none; }

jQuery(window).load(function() { if(jQuery('#event-popup-nid').length){ var eventId = jQuery('#event-popup-nid').text(); jQuery.cookie('eventPageId',eventId); var countCurrentValue = parseInt(jQuery.cookie('countCurrentName')) || 1; var combinedValueValue = eventId+'-'+countCurrentValue; var countCurrentValue = parseInt(jQuery.cookie('countCurrentName')) || 1; jQuery.cookie('combinedValueName',combinedValueValue); const result = combinedValueValue.split('-'); if( result[1] <= 3 ) { jQuery('section#block-views-events-popup-block').addClass('show'); countCurrentValue = parseInt(result[1]) + 1; jQuery.cookie('countCurrentName',countCurrentValue); combinedValueValue = eventId+'-'+countCurrentValue; jQuery.cookie('combinedValueName',combinedValueValue); } jQuery('.events-popup-close').click(function(){ jQuery('section#block-views-events-popup-block').removeClass('show'); }); } });

(function(e,t,o,n,p,r,i){e.visitorGlobalObjectAlias=n;e[e.visitorGlobalObjectAlias]=e[e.visitorGlobalObjectAlias]||function(){(e[e.visitorGlobalObjectAlias].q=e[e.visitorGlobalObjectAlias].q||[]).push(arguments)};e[e.visitorGlobalObjectAlias].l=(new Date).getTime();r=t.createElement("script");r.src=o;r.async=true;i=t.getElementsByTagName("script")[0];i.parentNode.insertBefore(r,i)})(window,document,"https://diffuser-cdn.app-us1.com/diffuser/diffuser.js","vgo"); vgo('setAccount', '253344499'); vgo('setTrackByDefault', true); vgo('process');
Close
Sign up for our free daily newsletter
Register here
6472
Dods PublicTechnology.net is a Merit Group plc title

Quick Links

  • Home
  • News
  • Opinion
  • Features
  • Private Sector Insight
  • Cyber Week
  • White Papers
  • Events
  • On Demand Webinars
  • Partner Directory
  • About
  • Contact

Services

Dods People Dods Political Intelligence Dods ResearchDods EventsDods Training

Media & Publishing

PoliticsHome Parliament MagazineHolyroodThe House MagazineCivil Service WorldTraining Journal

About Dods

Dods Group Part of Merit Group Privacy Policy Terms & Conditions Advertising Sponsorship
Privacy PolicyTerms & ConditionsAdvertisingSponsorship Subscriptions
  • Registered office: 11th Floor
  • The Shard
  • 32 London Bridge Street
  • London SE1 9SG
  • Company number: 04267888
  • © Merit Group plc 2021

Source URL: https://www.publictechnology.net/articles/news/ministry-justice-sets-minimum-security-standards-aws

Links
[1] https://mojdigital.blog.gov.uk/2019/06/14/security-baseline-in-the-public-cloud/
[2] https://www.publictechnology.net/articles/features/which-government-department-suffers-most-data-breaches
[3] https://www.publictechnology.net/articles/news/report-reveals-massive-spike-home-office-data-breach-reporting-following-gdpr
[4] https://www.publictechnology.net/articles/news/government-commits-%C2%A3500m-defence-innovation-scheme
[5] https://www.publictechnology.net/tags/cloud
[6] https://www.publictechnology.net/tags/cybersecurity
[7] https://www.publictechnology.net/tags/policy
[8] https://www.publictechnology.net/categories/business-and-industry
[9] https://www.publictechnology.net/categories/defence-and-security