Learning how to keep your Amazon S3 buckets safe and finding weak spots in bucket policies is an important part of managing AWS resources and acing the AWS Certified Security Specialty exam.
Not only will it help you prevent a costly S3 data leak, but you should also expect exam questions that ask you to review IAM and bucket policies, fix issues, or implement solutions following best practices.
You’re tasked with locking down access to a ‘sensitive-app-data’ bucket so that only these principals have access:
👩💼 Administrators: admin (role), ci (user) – to administer the bucket
📱 Application: app (role) – read & write data to/from bucket
🛠️ Support: cust-service (role) – to read data
Here’s how you should go about granting least privilege permissions to this bucket (in order):
1️⃣ Deny access to the bucket and its objects to everyone who is not one of the intended principals
2️⃣ Grant the administrators privileges to administer the bucket
3️⃣ Allow the application and customer support roles to read data from the bucket
4️⃣ Allow the application to write data into the bucket
5️⃣ Add any other policy enforcements, like requiring encryption in transit and at rest
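Here is the whole five-step procedure rendered as one bucket policy, as an added example that is not part of the original post, together with a deliberately simplified evaluator so you can check who ends up with what. The account id 111122223333, the ARNs and the SSE-KMS requirement are assumptions for illustration. Step 1 is written as a Deny on `aws:PrincipalArn` rather than `NotPrincipal`: that key resolves to the role ARN for assumed-role sessions, so you do not have to enumerate session ARNs (a common way to lock yourself out with `NotPrincipal`). The evaluator only models this single policy (explicit deny beats allow, no match means implicit deny); it ignores identity policies, SCPs, permission boundaries and ACLs.

```python
import fnmatch

ACCOUNT = "111122223333"  # placeholder account id, not from the post
BUCKET = "arn:aws:s3:::sensitive-app-data"
OBJECTS = BUCKET + "/*"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/admin"
CI = f"arn:aws:iam::{ACCOUNT}:user/ci"
APP = f"arn:aws:iam::{ACCOUNT}:role/app"
SUPPORT = f"arn:aws:iam::{ACCOUNT}:role/cust-service"
INTENDED = [ADMIN, CI, APP, SUPPORT]

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Step 1: explicit deny for anyone who is not an intended principal.
        # aws:PrincipalArn is the role ARN for assumed-role sessions, so no
        # session ARNs need to be listed (unlike NotPrincipal).
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": INTENDED}}},
        # Step 2: administrators get full control of bucket and objects.
        {"Sid": "AdminsAdministerBucket", "Effect": "Allow",
         "Principal": {"AWS": [ADMIN, CI]}, "Action": "s3:*",
         "Resource": [BUCKET, OBJECTS]},
        # Step 3: application and support can list and read.
        {"Sid": "AppAndSupportRead", "Effect": "Allow",
         "Principal": {"AWS": [APP, SUPPORT]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, OBJECTS]},
        # Step 4: only the application can write objects.
        {"Sid": "AppWrite", "Effect": "Allow", "Principal": {"AWS": [APP]},
         "Action": "s3:PutObject", "Resource": OBJECTS},
        # Step 5: encryption in transit (TLS) and at rest (SSE-KMS header).
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    return arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, ctx):
    """Supports only the operators used in BUCKET_POLICY."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                # As in IAM, a missing key makes a ...Not... operator true.
                if actual in _as_list(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, principal_arn, action, resource,
             secure_transport=True, sse=None):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one request."""
    ctx = {
        "aws:PrincipalArn": principal_arn,
        "aws:SecureTransport": "true" if secure_transport else "false",
        "s3:x-amz-server-side-encryption": sse,
    }
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # a matching Deny ends evaluation
        allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    obj = OBJECTS[:-1] + "report.csv"  # constructed object ARN
    for who, what, extra in [(SUPPORT, "s3:GetObject", {}),
                             (SUPPORT, "s3:PutObject", {"sse": "aws:kms"}),
                             (APP, "s3:PutObject", {}),
                             (f"arn:aws:iam::{ACCOUNT}:role/other", "s3:GetObject", {})]:
        print(who.rsplit("/", 1)[-1], what, evaluate(BUCKET_POLICY, who, what, obj, **extra))
```

Two results are worth noticing. `cust-service` doing `s3:PutObject` is an implicit deny (no statement allows it), whereas an unlisted role doing `s3:GetObject` is an explicit deny from step 1; that distinction is what step 1 buys you, because an Allow added later by mistake cannot override an explicit Deny. Likewise the application is denied a `PutObject` without the SSE-KMS header even though step 4 allows the action.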
💡 Pro tips:
✅ Organize your statements by capabilities granted to principals so you can track who has those capabilities over time
(I didn’t use to do this and my statements were an absolute mess before I heard this advice)
✅ To grant access only to intended principals and resources, your policies should include two things:
➡️ Identity policies attached to principals should scope resource access to implement least privilege for the principal
➡️ Resource policies should allow the intended principals and explicitly deny everyone else to implement least privilege for the resource
Learn AWS IAM best practices and get certified with Cybr’s training