Amazon S3 Security Controls [Cheat Sheet]
Are you keeping your data stored in AWS safe? Amazon S3 has multiple controls you can use to protect your data. Let’s take a look:
📀 Data access 📀
✅ S3 Block Public Access — a default-deny model that is enabled for new buckets and that organizations can turn on for an entire account to prohibit any S3 bucket from being made publicly accessible
✅ IAM policies — User, group, and role-based access control to storage buckets through IAM policies
✅ Bucket policies — Policies applied to a specific S3 bucket. Because a bucket policy and IAM policies can both apply to the same request, this gives you multiple layers of security for your data (e.g. if you allow access in a user policy but block access in a bucket policy, access will be denied)
✅ ACLs — Can grant basic read and write permissions on buckets and objects to other AWS accounts. This is a legacy feature that should no longer be used unless required for a one-off use case
✅ Query string auth (aka presigned URLs) — REST requests authenticated by access key and signature parameters carried in the URL's query string, which can be handed to a client to control access to an object
✅ CORS — can be enabled and configured to allow certain web apps in different domains to access/interact with your resources using specific HTTP methods
✅ MFA delete — prevent changing Bucket Versioning settings and deleting object versions without MFA
🔒 Encryption 🔑
➡️ Server-side encryption — using SSE-S3, SSE-KMS, or DSSE-KMS (for 2 separate layers of encryption). Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in S3. All new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance.
➡️ Client-side encryption — This part happens outside of S3. You encrypt your data client-side and upload the encrypted data to S3. You manage the encryption process, encryption keys, and related tools.
🗂️ Object protection 🛡️
✅ Object versioning — keeps multiple versions of an object to track changes and recover from unintended or malicious user actions. Also makes it possible to turn on Object Lock
✅ S3 Object Lock — turns an S3 bucket into a write-once-read-many (WORM) model. This is useful for legal retention and evidence in chain-of-custody cases, for example.
🔎 Logging, Monitoring, Analysis 🕵️♀️
➡️ AWS CloudTrail data events — enable data events in CloudTrail to log S3 object-level API operations, which can then be reviewed in the CloudTrail console
➡️ Server access logs — provides a detailed record of all requests made to an S3 bucket to a separate bucket for collection and analysis. (Tip: CloudTrail logs provide a detailed view of API activity for S3 bucket-level and object-level operations; Server access logs provide visibility into object-level operations on your data stored in S3)
➡️ Pair with Amazon Macie — for monitoring and reporting on sensitive data and access
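An offline audit of the controls listed above (Block Public Access, versioning and MFA delete, default encryption, server access logging), added here as an example and not part of the original post. It works on the response dict shapes that boto3's get_bucket_* calls return; SAMPLE_BUCKET is a constructed half-hardened bucket and fetch_bucket_config is hypothetical glue for a live client.

```python
from typing import Any

# Constructed sample in the dict shapes boto3's get_public_access_block,
# get_bucket_versioning, get_bucket_encryption and get_bucket_logging return.
# The values are invented for illustration: a half-hardened bucket.
SAMPLE_BUCKET = {
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "logging": {},  # no "LoggingEnabled" key: server access logging is off
}


def audit_bucket(cfg: dict[str, Any]) -> list[str]:
    """Return findings for controls that are off; an empty list means all pass."""
    findings = []
    pab = cfg.get("public_access_block", {}).get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):  # a missing configuration counts as off
            findings.append(f"Block Public Access: {flag} is off")
    ver = cfg.get("versioning", {})
    if ver.get("Status") != "Enabled":
        findings.append("Versioning is off (no recovery from overwrites/deletes)")
    if ver.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is off")
    rules = cfg.get("encryption", {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"aws:kms", "aws:kms:dsse"}:
        findings.append("Default encryption is SSE-S3 only (no SSE-KMS / DSSE-KMS rule)")
    if "LoggingEnabled" not in cfg.get("logging", {}):
        findings.append("Server access logging is off")
    return findings


def fetch_bucket_config(s3_client: Any, bucket: str) -> dict[str, Any]:
    """Build cfg from a live boto3 S3 client (needs credentials; not run offline)."""
    calls = {"public_access_block": "get_public_access_block", "versioning": "get_bucket_versioning",
             "encryption": "get_bucket_encryption", "logging": "get_bucket_logging"}
    cfg = {}
    for key, method in calls.items():
        try:
            cfg[key] = getattr(s3_client, method)(Bucket=bucket)
        except Exception:  # e.g. NoSuchPublicAccessBlockConfiguration: treat as unset
            cfg[key] = {}
    return cfg
```

Run `audit_bucket(fetch_bucket_config(boto3.client("s3"), "my-bucket"))` against a real account to list which of the cheat-sheet controls are still off on a bucket.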
💡 Follow me on LinkedIn for weekly AWS security content and cheat sheets!