Amazon S3 Security Controls [Cheat Sheet]

Amazon S3 security controls cheat sheet banner

Are you keeping your data stored in AWS safe? Amazon S3 has multiple controls you can use to protect your data. Let’s take a look:

📀 Data access 📀
✅ S3 Block Public Access - four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) that can be applied per bucket or for the whole account and that override any ACL or bucket policy that would grant public access. All four are on by default for buckets created since April 2023; turn them on at the account level so that no bucket in the account can be made public, and treat any exception as a deliberate, reviewed decision
✅ IAM policies - identity-based policies attached to users, groups and roles that allow or deny S3 actions (s3:GetObject, s3:PutObject, s3:ListBucket, ...) on bucket and object ARNs
✅ Bucket policies - resource-based policies attached to a single bucket. Within one account a request is allowed if either the identity policy or the bucket policy allows it and neither explicitly denies it; across accounts both must allow it. An explicit Deny in either layer always wins, which is why the bucket policy is the place to enforce invariants such as "deny everything unless aws:SecureTransport is true" or "deny s3:PutObject without SSE-KMS", regardless of what any identity policy grants
✅ ACLs - legacy grants of basic read/write permissions on buckets and objects to other AWS accounts or predefined groups. Disable them with the Object Ownership setting BucketOwnerEnforced (the default for new buckets) unless you have a specific, one-off need; with ACLs disabled, bucket policies and IAM policies are the only authorization layers to reason about
✅ Presigned URLs (query string authentication) - a URL carrying a SigV4 signature, signing time and lifetime in its query string. Whoever holds the URL can perform that one operation on that one object, with the permissions of the credentials that signed it, until it expires (at most 7 days for SigV4). Treat presigned URLs as bearer tokens: keep lifetimes short, sign with a least-privilege role, and remember that the URL dies early only if the signing credentials are revoked or expire
✅ CORS - a bucket-level configuration that tells browsers which origins may make cross-origin requests to the bucket, with which HTTP methods and headers. CORS is enforced by the browser only; it is not an access control and grants nothing to non-browser clients, so it never substitutes for a policy
✅ MFA delete - with versioning enabled, requires the bucket owner's root credentials plus a valid MFA code to permanently delete an object version or change the bucket's versioning state. It can only be enabled by the root user through the CLI, API or SDKs, not the console
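The interaction between the IAM-policy and bucket-policy layers is easier to see in code than in prose. The following is an added example, not AWS code or anything from the original cheat sheet: a deliberately small model of policy evaluation covering only Effect, Principal, Action, Resource with wildcards and the Bool / StringEquals / StringNotEquals condition operators (no NotAction, SCPs, permission boundaries or session policies). The bucket name, account IDs and principal ARNs are constructed for the demonstration. It runs the two classic bucket-policy guards (deny non-TLS, deny uploads without SSE-KMS) and a cross-account read grant through both layers.

```python
"""Toy model of how S3 combines an identity (IAM) policy with a bucket policy.

Added example, not AWS code. Supports only the policy subset used below.
"""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    # IAM wildcards (* and ?) map directly onto fnmatch globbing
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    p = stmt.get("Principal")
    if p is None or p == "*":          # identity-based policies carry no Principal
        return True
    aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    return "*" in aws or principal_arn in aws


def _conditions_hold(cond, ctx):
    for op, clauses in (cond or {}).items():
        for key, expected in clauses.items():
            actual = ctx.get(key)
            if op == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            elif op == "StringEquals":
                ok = actual in _as_list(expected)
            elif op == "StringNotEquals":
                # negated operators also match when the key is absent from the request context
                ok = actual is None or actual not in _as_list(expected)
            else:
                ok = False                 # unsupported operator: fail closed
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, principal_arn, ctx):
    """Return the set of effects ('Allow' / 'Deny') from statements matching the request."""
    effects = set()
    for stmt in _as_list(policy["Statement"]):
        if (_principal_matches(stmt, principal_arn)
                and _glob_any(stmt["Action"], action)
                and _glob_any(stmt["Resource"], resource)
                and _conditions_hold(stmt.get("Condition"), ctx)):
            effects.add(stmt["Effect"])
    return effects


def decide(identity_policy, bucket_policy, action, resource, principal_arn, bucket_account, ctx):
    """Combine both layers the way S3 does for a request by principal_arn."""
    ident = evaluate(identity_policy, action, resource, principal_arn, ctx) if identity_policy else set()
    bucket = evaluate(bucket_policy, action, resource, principal_arn, ctx)
    if "Deny" in ident | bucket:
        return "Deny"                      # an explicit deny in either layer always wins
    if principal_arn.split(":")[4] == bucket_account:
        allowed = "Allow" in ident | bucket                  # same account: either layer may grant
    else:
        allowed = "Allow" in ident and "Allow" in bucket     # cross-account: both must grant
    return "Allow" if allowed else "ImplicitDeny"


# Constructed names for the demonstration
BUCKET = "arn:aws:s3:::example-bucket"
ALICE = "arn:aws:iam::111111111111:user/alice"
PARTNER = "arn:aws:iam::222222222222:root"

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"], "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "AllowPartnerRead", "Effect": "Allow", "Principal": {"AWS": PARTNER},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}


def demo():
    obj, tls = BUCKET + "/reports/q1.csv", {"aws:SecureTransport": "true"}
    acct = "111111111111"
    return {
        "alice_get_https": decide(IDENTITY_POLICY, BUCKET_POLICY, "s3:GetObject", obj, ALICE, acct, tls),
        "alice_get_http": decide(IDENTITY_POLICY, BUCKET_POLICY, "s3:GetObject", obj, ALICE, acct,
                                 {"aws:SecureTransport": "false"}),
        "alice_put_plain": decide(IDENTITY_POLICY, BUCKET_POLICY, "s3:PutObject", obj, ALICE, acct, tls),
        "alice_put_kms": decide(IDENTITY_POLICY, BUCKET_POLICY, "s3:PutObject", obj, ALICE, acct,
                                {**tls, "s3:x-amz-server-side-encryption": "aws:kms"}),
        # the partner's bucket-policy grant alone is not enough: their own account must also allow it
        "partner_get_no_identity": decide(None, BUCKET_POLICY, "s3:GetObject", obj, PARTNER, acct, tls),
        "partner_get_with_identity": decide(IDENTITY_POLICY, BUCKET_POLICY, "s3:GetObject", obj, PARTNER, acct, tls),
    }
```

Calling demo() shows the three points that matter in practice: alice's identity grant is overridden by the bucket policy over plain HTTP and for an unencrypted upload, and the partner account gets nothing from the bucket policy until an identity policy on their side grants the action as well.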
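To make the "query string auth" wording concrete, here is the SigV4 presigning algorithm for an S3 GET written out without an SDK. This is an added example, not AWS or boto3 code: it follows the documented SigV4 query-parameter procedure so that every component the signature covers (method, path, sorted query parameters, host header, UNSIGNED-PAYLOAD) is visible, and it adds the expiry check a responder wants when a presigned URL turns up in a log or a paste. The bucket and key are constructed; the access key and secret are the placeholder pair AWS uses in its own SigV4 documentation, not real credentials.

```python
"""SigV4 query-string presigning for an S3 GET, with no SDK.

Added example, not AWS or boto3 code.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600   # S3 rejects SigV4 presigned URLs valid for more than 7 days


def expiry_allowed(expires: int) -> bool:
    return 1 <= expires <= MAX_EXPIRES


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str) -> bytes:
    # The derivation chain scopes the long-term secret to one day, region and service
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def presign_get(bucket, key, access_key, secret_key, region, signed_at: datetime, expires=3600):
    if not expiry_allowed(expires):
        raise ValueError(f"expires must be between 1 and {MAX_EXPIRES} seconds")
    host = f"{bucket}.s3.amazonaws.com"
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    datestamp = signed_at.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, RFC 3986 encoding with only unreserved characters bare
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(params.items()))
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}", "",        # canonical headers block, then the blank separator line
        "host",                    # signed headers list
        "UNSIGNED-PAYLOAD",        # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, datestamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    # Only the signature is appended; everything it covers is already in the query string
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def live_at(url: str, when: str) -> bool:
    """Is the presigned URL inside its validity window at `when` (AWS form, e.g. 20130524T120000Z)?"""
    q = parse_qs(urlsplit(url).query)
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    now = datetime.strptime(when, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return issued <= now < issued + timedelta(seconds=int(q["X-Amz-Expires"][0]))


# Inputs taken from the AWS SigV4 query-parameter documentation (placeholder credentials)
EXAMPLE_URL = presign_get("examplebucket", "test.txt", "AKIAIOSFODNN7EXAMPLE",
                          "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1",
                          datetime(2013, 5, 24, tzinfo=timezone.utc), expires=86400)
```

Two things worth noticing from the code: the signature binds the method, path and host, so a leaked URL cannot be bent to a different object or to a PUT, but nothing in it binds the client, so whoever has it can use it until X-Amz-Date plus X-Amz-Expires passes. live_at() is the check to run on a URL found in a ticket or a log before deciding whether it is still an exposure. Because the inputs match the worked example in the AWS SigV4 documentation, the resulting URL can be compared against it directly.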

🔒 Encryption 🔑
➡️ Server-side encryption - SSE-S3 (keys managed entirely by S3), SSE-KMS (an AWS-managed or customer-managed KMS key, which gives you CloudTrail logging of every key use and lets the key policy restrict who can decrypt), or DSSE-KMS (two independent layers of encryption). Since January 2023 S3 applies SSE-S3 to every new object by default, at no additional cost and with no performance impact, so "encrypted at rest" is no longer a differentiator; choose SSE-KMS when you need to control or audit who can decrypt, and enforce it with a bucket policy rather than relying on clients to set the header
➡️ Client-side encryption - happens outside S3: you encrypt before upload and decrypt after download, and you own the keys, the rotation and the tooling (for example the AWS Encryption SDK or the S3 Encryption Client). S3 only ever stores ciphertext, so a bucket or credential compromise does not expose plaintext, but losing the keys loses the data

πŸ—‚οΈ Object protection πŸ›‘οΈ
βœ… Object versioning β€” keeps multiple versions of an object to track changes and recover from unintended or malicious user actions. Also makes it possible to turn on Object Lock
βœ… S3 Object Lock β€” turns an S3 bucket into a write-once-read-many (WORM) model. This is useful for legal retention and evidence in chain-of-custody cases, for example.

🔎 Logging, Monitoring, Analysis 🕵️‍♀️
➡️ AWS CloudTrail data events - off by default; enable data events for S3 (per bucket or for all buckets) to record object-level API calls such as GetObject, PutObject and DeleteObject together with the calling identity, source IP and whether the call was denied. Data events are billed separately from management events, which only cover bucket-level operations
➡️ Server access logs - a best-effort record of every request made to a bucket, delivered with some delay as text files to a separate logging bucket. Each line carries the requester (a hyphen for anonymous requests), operation, key, HTTP status, bytes, signature version (SigV2 or SigV4), authentication type, cipher suite and TLS version, which makes them the right source for spotting public access, legacy SigV2 clients and plaintext HTTP. (Tip: use both. CloudTrail gives complete identity context and reliable delivery for bucket-level and object-level API activity; server access logs cost only the storage, include request details CloudTrail omits, and may occasionally drop records)
➡️ Pair with Amazon Macie - automated discovery of sensitive data (PII, credentials, financial data) across your buckets, plus findings for buckets that are publicly accessible, unencrypted or shared outside your organization
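Server access logs are only useful if something reads them. The following is an added example, not AWS tooling or code from the original cheat sheet: a parser for the documented server access log record layout and three detections a practitioner would run first over it (anonymous requests that succeeded, clients still signing with SigV2, and requests that arrived without TLS). The four log lines are constructed to match the record format; the bucket owner ID, request IDs, host IDs, addresses and principal names are placeholders.

```python
"""Detection over S3 server access log lines.

Added example, not AWS tooling. The sample records below are constructed.
"""

# Field order of an S3 server access log record. Newer records append further
# fields (access point ARN, aclRequired); anything past tls_version is ignored here.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
]

OWNER = "0123456789abcdef" * 4   # placeholder 64-hex canonical user ID

SAMPLE_LOG = f"""\
{OWNER} example-bucket [06/Feb/2024:10:15:01 +0000] 203.0.113.10 arn:aws:iam::111111111111:user/alice 3E57427F33A59F07 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 4096 4096 12 11 "-" "aws-cli/2.15.0" - hostid0001= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
{OWNER} example-bucket [06/Feb/2024:10:16:44 +0000] 198.51.100.7 - 8A1B2C3D4E5F6071 REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 512 512 8 7 "-" "Mozilla/5.0" - hostid0002= - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
{OWNER} example-bucket [06/Feb/2024:10:17:09 +0000] 192.0.2.44 arn:aws:iam::111111111111:user/legacy-app 9F8E7D6C5B4A3921 REST.PUT.OBJECT uploads/a.bin "PUT /uploads/a.bin?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Expires=1707214500&Signature=x HTTP/1.1" 200 - - 1024 30 25 "-" "Boto/2.49.0" - hostid0003= SigV2 - QueryString example-bucket.s3.us-east-1.amazonaws.com -
{OWNER} example-bucket [06/Feb/2024:10:18:30 +0000] 198.51.100.7 - 1122334455667788 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "curl/8.4.0" - hostid0004= - ECDHE-RSA-AES128-GCM-SHA256 - example-bucket.s3.us-east-1.amazonaws.com TLSv1.3
"""


def tokenize(line):
    """Split one record: space-separated, except that "..." and [...] fields contain spaces."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
        elif c in '"[':
            close = '"' if c == '"' else "]"
            j = line.index(close, i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = tokenize(line)
        if len(tokens) < len(FIELDS):
            continue   # truncated record: skip it rather than misalign every later field
        records.append(dict(zip(FIELDS, tokens)))
    return records


def detect(records):
    """Return (rule, request_id, detail) findings for three conditions worth alerting on."""
    findings = []
    for r in records:
        status = int(r["http_status"])
        if r["requester"] == "-" and 200 <= status < 300:
            # An unauthenticated request that succeeded means the object is effectively public
            findings.append(("anonymous-success", r["request_id"], r["key"]))
        if r["signature_version"] == "SigV2":
            # SigV2 is deprecated; the principal using it has an outdated SDK or tool
            findings.append(("sigv2-client", r["request_id"], r["requester"]))
        if r["tls_version"] == "-" and r["cipher_suite"] == "-":
            # No TLS negotiated: the request, and any credentials in it, travelled in the clear
            findings.append(("plaintext-http", r["request_id"], r["remote_ip"]))
    return findings
```

Running detect(parse_log(SAMPLE_LOG)) flags the anonymous read of public/index.html, the legacy-app principal still signing with SigV2, and that same request arriving over plain HTTP; the anonymous request that was denied with 403 is deliberately not flagged, since it shows the controls working. The empty-field convention matters here: a hyphen in requester, signature_version or tls_version is how S3 records "none", so these checks key on it directly.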

Follow me on LinkedIn for weekly AWS security content and cheat sheets!
