Skip to main content
  • EN

Most S3 offerings allow to leverage customer provided keys to encrypt data uploaded there (SSE-C).

By calling the x-amz-server-side-encryption-customer-algorithm an encryption process inside your buckets can be initiated. Though also AES-256 will be used as the encryption standard, mind that this is not the same encrytion process that we should always have in place when targeting an S3 bucket from your backups. Encryption with VBR is already done on the job level.

An attacker could thus encrypt your backup data another time - with a key he defines.

Problem is: this “customer provided key” is only processed during encryption, but not stored inside the S3 stack. Only an HMAC is stored - which is not sufficient for a decryption.

There already is a ransomware by the name of Codefinger which is leveraging that mechanism. An attacker with enough time can even circumvent immutability via object-lock by just waiting until everything in locked state is also already encrypted.

 

So, what can be taken out of that to mitigate the risks to our repos?

  • Don’t expose access keys and secrets for your buckets. Quite trivial, but very important.
  • Limit the access to the buckets used for your backups to only the public IPs of your S3 gateway servers (ACL). See example for Wasabi.
  • Restrict the usage of SSE-C. See example for AWS:
{
    "Version": "2024-10-17",
    "Id": "PutObjectPolicy",
    "Statement": e
        {
            "Sid": "RestrictSSECObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-s3-demo-bucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"
                }
            }
        }
    ]
}

 

A feature request to Veeam would be to validate those settings or even be able to determine malicious activity inside your buckets.

For the time being: heads up!

Thank you ​@Michael Melter for sharing this great idea.

Does the Azure Storage Account also vulnerable with this type of attack as well?

Thanks for sharing!

 

Thank you ​@Michael Melter for sharing this great idea.

Does the Azure Storage Account also vulnerable with this type of attack as well?

Methods seem to be there: Data encryption models in Microsoft Azure | Microsoft Learn

But I haven’t checked in detail.

Some great examples of securing S3. Thanks for sharing Michael. 👍

A really critical point..thanks ​@Michael Melter for sharing!

@Michael Melter will the loss protection enable be an option to mitigate that? what do you think? 

@Michael Melter will the loss protection enable be an option to mitigate that? what do you think? 

I touched that in the article. For the most recent data: yes. But once someone gains this access, he could just wait until the object-lock times out and the encryption is complete for all the data. By these methods you can instruct the S3 stack to encrypt data by itself (and throw away the key afterwards)…

I’ll do some more investigation on our implementations and will follow up if I gain more insight.

@Michael Melter will the loss protection enable be an option to mitigate that? what do you think? 

I touched that in the article. For the most recent data: yes. But once someone gains this access, he could just wait until the object-lock times out and the encryption is complete for all the data. By these methods you can instruct the S3 stack to encrypt data by itself (and throw away the key afterwards)…

I’ll do some more investigation on our implementations and will follow up if I gain more insight.

Thank you MIchael.

Very interesting post ​@Michael Melter thanks !

Comment


Terms & Conditions