AWS API Power

All,

I've been investigating AWS solutions as of late.  I made a startling discovery.  The AWS API is capable of reading information off of individual files within instances.  This raises an alarm in my head.  I'm starting my research, but I am open to other thoughts and ideas.  Many of the solutions run off of the AWS API.  Is there a way to limit the power of the API?  Any thoughts from security professionals about the risk of AWS taking information off of instances?  Any way to limit or remove the AWS API?  Thoughts are appreciated.

Thanks,

Awakenings
Phil Phillips (DevOps Architect) commented:
With Amazon's Identity and Access Management (IAM), you can limit who has access to what.

Amazon's Elastic Block Store (EBS) (used by EC2 for storage) also has the ability to encrypt volumes.  If you *really* want to go a step further, you can do OS/Application level encryption on top of that.

Though, that's the first I've heard of the API being able to read files off of an instance (at least for EC2).  Could you share where you found that information?
awakenings (Author) commented:
Phil,

Thank you.  I was talking to a vendor who said they had DLP functionality with their product.  They look at files on a system, then tie them back to individual types of data (PII, PCI, etc.).  They said they do this through API calls.  I am looking for more information on this.  If so, it means APIs have more access to the system than I was aware of.

Thanks,

Awakenings
Shalom Carmel (CTO) commented:
Hello Awakenings,
Although your vendor mentions API calls, those are probably not API calls related to AWS instances.
API calls exist on OS level, drivers, as well as in the virtualization layer (like AWS), and even on application level.
In your specific case, I guess that there is an agent installed on servers that uses internal OS API to intercept disk writes, making the DLP work wherever the server runs.
Maybe the DLP connects to your S3 storage too, in which case there are AWS API calls to enable it on purpose.
awakenings (Author) commented:
Shalomc,

Thank you.  When I asked point blank how they capture information for DLP-like functions, their reply was through APIs, not agents.  In fact, they specifically said they do not connect to individual instances except through API calls.  Maybe the sales guy didn't know what he was talking about?  Other thoughts?

Thanks,

Awakenings
Phil Phillips (DevOps Architect) commented:
Amazon EBS doesn't have a way through the AWS API to read individual files.  The service provides instances with block devices, and they can be formatted however the users want.

S3 storage is specifically used for the purpose of allowing users to read/write files through an API.  So if the vendor is purely using AWS API calls, then S3 storage is probably in the mix.  As shalomc alluded to, you have control over who can make S3 API calls (as well as what type of API call they can make).  S3 also supports encryption.

Still, anything in S3 storage means that the files aren't on the instances themselves.  I don't see a way to pull files directly off of an EC2 instance using just the AWS API.
Shalom Carmel (CTO) commented:
Can you disclose the DLP company?
It is not the first time I have come across clueless or even rogue salesmen.  Not that I am saying he is either type.

Tell the DLP guy that you need an installation/setup guide to check with your IT consultant, and you need to know which API calls to permit in AWS IAM.
awakenings (Author) commented:
Both,

It is not a DLP company.  Their product just happens to have DLP in it (they could be not telling me the truth, but...).  In this case, Elastica.  It leaves me scratching my head.

Awakenings
Shalom Carmel (CTO) commented:
They do mention the word API, so I guess that you are dealing with a clueless salesman (our product uses an API, AWS uses an API, therefore our product is AWS compatible...).

Tell the Elastica salesperson that you need an installation/setup guide to check with your IT consultant, and you need to know which API calls to permit in AWS IAM.
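The two answers above come down to one check: before granting a third-party tool an IAM role, compare the API calls it asks for against the narrow set you are actually willing to permit (read-only S3 on one bucket, in Phil's scenario). The script below is an added example, not anything from the thread or from Elastica; the vendor policy and bucket name are constructed, and the allowlist is an assumption about what a file-scanning vendor legitimately needs.

```python
import fnmatch
import json

# Constructed sample: the kind of IAM policy a vendor might ask you to attach
# to a cross-account role. Hypothetical; not any real vendor's policy.
VENDOR_REQUESTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-dlp-bucket",
                      "arn:aws:s3:::example-dlp-bucket/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:*", "ssm:SendCommand"],   # far beyond reading S3 files
         "Resource": "*"},
    ],
})

# Constructed sample of a policy that stays within the allowlist.
MINIMAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-dlp-bucket/*"}],
})

# Assumption: a file-scanning vendor needs read-only access to one bucket.
ALLOWED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"}
ALLOWED_RESOURCE_PATTERNS = ["arn:aws:s3:::example-dlp-bucket",
                             "arn:aws:s3:::example-dlp-bucket/*"]

def _as_list(value):
    # IAM allows Statement, Action and Resource to be a string or a list.
    return value if isinstance(value, list) else [value]

def review_policy(policy_json, allowed_actions=ALLOWED_ACTIONS,
                  allowed_resources=ALLOWED_RESOURCE_PATTERNS):
    """Return one finding per Allow grant outside the allowlist; [] means clean."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove power; no review needed
        for action in _as_list(stmt["Action"]):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"action {action!r} not on the allowlist")
        for res in _as_list(stmt.get("Resource", "*")):
            if not any(fnmatch.fnmatchcase(res, p) for p in allowed_resources):
                findings.append(f"resource {res!r} outside the permitted bucket")
    return findings
```

Hand the findings back to the vendor as the list of permissions you will not grant; a policy with an empty findings list is the one to attach.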

awakenings (Author) commented:
Thank you.  Sorry about the slow response.
Shalom Carmel (CTO) commented:
Hey awakenings,

Out of curiosity - how did this end?
awakenings (Author) commented:
Shalomc,

It turns out it was a sales tactic they used.  I was talking about AWS, and they were talking about Box.  So they have no DLP for AWS.  I'm now researching API gateways despite this small victory.  They just make sense.

Awakenings