Create a least privilege S3 bucket policy [Cheat Sheet]


Learning how to keep your Amazon S3 buckets safe and finding weak spots in bucket policies is an important part of managing AWS resources and acing the AWS Certified Security Specialty exam.

Not only will it help you prevent a costly S3 data leak, but you should also anticipate exam questions that will ask you to look at IAM and bucket policies to fix issues or implement solutions following best practices.

So I asked an AWS IAM expert, Stephen Kuenzli from k9 Security, to give us best practices tips & tricks, and here’s the cheat sheet we came up with:

🗺️ Scenario:
You’re tasked with locking down access to a ‘sensitive-app-data’ bucket so that only these principals have access:
👩‍💼 Administrators: admin (role), ci (user) – to administer the bucket
📱 Application: app (role) – read & write data to/from bucket
🛠️ Support: cust-service (role) – to read data

Here’s how you should go about granting least privilege permissions to this bucket (in order):
1️⃣ Deny access to the bucket and its objects to everyone who is not one of the intended principals
2️⃣ Grant the administrators privileges to administer the bucket
3️⃣ Allow the application and customer support roles to read data from the bucket
4️⃣ Allow the application to write data into the bucket
5️⃣ Add any other policy enforcements, like requiring encryption in transit and at rest
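Here is the bucket policy those five steps produce, written out as an added example that is not from the original post or from k9 Security. The account id 111122223333 and the four principal ARNs are placeholders; the bucket name and principal names are the ones from the scenario.

```python
import json

# Placeholders assumed for this example (not from the original post):
# the account id and the ARNs of the four intended principals.
ACCOUNT = "111122223333"
BUCKET_ARN = "arn:aws:s3:::sensitive-app-data"
OBJECTS_ARN = BUCKET_ARN + "/*"
ADMINS = [f"arn:aws:iam::{ACCOUNT}:role/admin", f"arn:aws:iam::{ACCOUNT}:user/ci"]
APP = f"arn:aws:iam::{ACCOUNT}:role/app"
SUPPORT = f"arn:aws:iam::{ACCOUNT}:role/cust-service"


def build_bucket_policy() -> dict:
    """Bucket policy as a dict, statements in the cheat sheet's order."""
    intended = ADMINS + [APP, SUPPORT]
    return {
        "Version": "2012-10-17",
        "Statement": [
            # 1. Explicit deny for everyone who is not an intended principal.
            #    aws:PrincipalArn is the role ARN for assumed-role sessions, so
            #    matching role ARNs here also covers their sessions.
            {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [BUCKET_ARN, OBJECTS_ARN],
             "Condition": {"ArnNotLike": {"aws:PrincipalArn": intended}}},
            # 2. Administrators administer the bucket and its objects.
            {"Sid": "AllowAdministration", "Effect": "Allow",
             "Principal": {"AWS": ADMINS}, "Action": "s3:*",
             "Resource": [BUCKET_ARN, OBJECTS_ARN]},
            # 3. Application and customer support read data.
            {"Sid": "AllowReadData", "Effect": "Allow",
             "Principal": {"AWS": [APP, SUPPORT]},
             "Action": ["s3:ListBucket", "s3:GetObject"],
             "Resource": [BUCKET_ARN, OBJECTS_ARN]},
            # 4. Only the application writes data.
            {"Sid": "AllowWriteData", "Effect": "Allow",
             "Principal": {"AWS": APP}, "Action": "s3:PutObject",
             "Resource": OBJECTS_ARN},
            # 5. Extra enforcement: encryption in transit (at-rest enforcement
            #    is a similar Deny on s3:PutObject requests lacking an SSE header).
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [BUCKET_ARN, OBJECTS_ARN],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(), indent=2))
```

Review the deny carve-out carefully before attaching the policy: a principal left out of the `aws:PrincipalArn` list is explicitly denied, and no identity policy can override that.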

💡 Pro tips:

✅ Organize your statements by capabilities granted to principals so you can track who has those capabilities over time
(I didn’t use to do this and my statements were an absolute mess before I heard this advice)

✅ To grant access only to intended principals and resources, two things need to be in place:
➡️ Identity policies attached to principals should scope resource access, implementing least privilege for the principal
➡️ Resource policies should allow the intended principals and explicitly deny everyone else, implementing least privilege for the resource

