Trust on Cloud AWS S3 Threat Model

Trust on Cloud have open sourced their AWS S3 threat model. This release is a great tool for making sense of the “shared responsibility model” and what “responsibility” means for AWS customers.

S3 is one of the more interesting services from a threat modelling perspective for Trust on Cloud to release, and a great showcase of the Trust on Cloud threat model product.

It is a sobering reminder for everyone about the size of the responsibility that the customer carries and the depth of understanding required for each service.

My role requires me to review the Trust threat models before the controls are agreed and implemented within my environment, and from this experience I can say that the Trust on Cloud threat models are this detailed for every service covered.

In summary, shared responsibility is not magic, nor is it simple. Amazon expects its customers to review each service they use until they understand it to the level of this document. And that is for every service. Not to mention that the creation and governance of these controls is also no small feat.

If you are storing sensitive information, the threat model is not something that can be done easily, nor should it be approached casually. Trust on Cloud is a great solution to the problem.

They also offer the Trust on Cloud Overwatch™ service, which monitors each AWS service for changes and alerts you when a service change by AWS causes a change to the threat model.
