AWS S3 Security
- AWS S3 Security is a shared responsibility between AWS and the Customer
- As a managed service, S3 is protected by the AWS global network security procedures
- AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
- Security and compliance of S3 is assessed by third-party auditors as part of multiple AWS compliance programs including SOC, PCI DSS, HIPAA, etc.
- AWS S3 provides several other features to handle security, which are customers’ responsibility.
S3 Data Protection
Refer blog post @ S3 Data Protection
Refer blog post @ S3 Encryption
Refer blog post @ S3 Permissions
S3 Object Lock
- S3 Object Lock helps to store objects using a write-once-read-many (WORM) model.
- S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
- S3 Object Lock can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion.
- Object Lock for new buckets can be enabled only for new buckets. For an existing bucket, contact AWS Support.
- Enabling Object Lock automatically enables versioning for the bucket.
- Once Object Lock is enabled, you can’t disable Object Lock or suspend versioning for the bucket.
- S3 Object Lock provides two retention modes that apply different levels of protection to the objects
- Governance mode
- Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
- Objects against can be protected from being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary.
- Can be used to test retention-period settings before creating a compliance-mode retention period.
- Compliance mode
- A protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account.
- When an object is locked in compliance mode, its retention mode can’t be changed, and its retention period can’t be shortened.
- Compliance mode helps ensure that an object version can’t be overwritten or deleted for the duration of the retention period.
- Governance mode
S3 VPC Gateway Endpoint
- A VPC endpoint enables connections between a VPC and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- VPC is not exposed to the public internet.
- A Gateway Endpoint is a gateway that is a target for a route in your route table used for traffic destined to either S3.
S3 Security Best Practices
S3 Preventative Security Best Practices
- Ensure S3 buckets use the correct policies and are not publicly accessible
- Use S3 block public access
- Identify Bucket policies and ACLs that allow public access
- Use AWS Trusted Advisor to inspect the S3 implementation.
- Implement least privilege access
- Use IAM roles for applications and AWS services that require S3 access
- Enable Multi-factor authentication (MFA) Delete to help prevent accidental bucket deletions
- Consider Data at Rest Encryption
- Enforce Data in Transit Encryption
- Consider S3 Object Lock to store objects using a “Write Once Read Many” (WORM) model.
- Enable versioning to easily recover from both unintended user actions and application failures.
- Consider S3 Cross-Region replication
- Consider VPC endpoints for S3 access to provide private S3 connectivity and help prevent traffic from potentially traversing the open internet.
S3 Monitoring and Auditing Best Practices
- Identify and Audit all S3 buckets to have visibility of all the S3 resources to assess their security posture and take action on potential areas of weakness.
- Implement monitoring using AWS monitoring tools
- Enable S3 server access logging, which provides detailed records of the requests that are made to a bucket useful for security and access audits
- Use AWS CloudTrail, which provides a record of actions taken by a user, a role, or an AWS service in S3.
- Enable AWS Config, which enables you to assess, audit, and evaluate the configurations of the AWS resources
- Consider using Amazon Macie with S3 to automatically discover, classify, and protect sensitive data in AWS.
- Monitor AWS security advisories to regularly check security advisories posted in Trusted Advisor for the AWS account.
AWS Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.