AWS S3 Security

📌 Last Updated: June 2026. This post reflects the latest S3 security features including default SSE-S3 encryption, SSE-C disabled by default (April 2026), S3 Access Grants, ABAC for S3 buckets, Resource Control Policies (RCPs), and DSSE-KMS dual-layer encryption.

  • AWS S3 Security is a shared responsibility between AWS and the Customer
  • S3 is a fully managed service that is protected by the AWS global network security procedures
  • AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
  • Security and compliance of S3 are assessed by third-party auditors as part of multiple AWS compliance programs including SOC, PCI DSS, HIPAA, etc.
  • S3 provides several other features to handle security, which are the customers’ responsibility.
  • S3 Encryption supports both data at rest and data in transit encryption.
    • Data in transit encryption can be provided by enabling communication via SSL/TLS or using client-side encryption
    • Data at rest encryption can be provided using Server Side or Client Side encryption
    • All new objects are automatically encrypted with SSE-S3 by default (since January 2023)
    • SSE-C is disabled by default on all new general purpose buckets (since April 2026)
  • S3 permissions can be handled using
    • IAM User Policies
    • Resource-based policies which include Bucket policies (ACLs are now disabled by default)
    • S3 Access Points
    • S3 Access Grants – scalable access control mapping corporate identities to S3 data
    • Attribute-Based Access Control (ABAC) – tag-based authorization for S3 buckets (Nov 2025)
  • S3 Object Lock helps to store objects using a WORM model and can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • S3 Access Points simplify data access for any AWS service or customer application that stores data in S3.
  • S3 Versioning with MFA Delete can be enabled on a bucket to ensure that data in the bucket cannot be accidentally overwritten or deleted.
  • S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.
  • S3 Access Analyzer monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
  • S3 Object Ownership – by default set to Bucket owner enforced, disabling ACLs on all new buckets.
  • Resource Control Policies (RCPs) – centrally restrict external access to S3 resources across an organization (Nov 2024).

S3 Encryption

  • S3 allows the protection of data in transit by enabling communication via SSL/TLS or using client-side encryption
  • All new objects uploaded to S3 are automatically encrypted at rest with SSE-S3 by default (since January 5, 2023). This applies to all buckets at no additional cost.
  • SSE-C (Server-Side Encryption with Customer-Provided Keys) is disabled by default on all new general purpose buckets since April 2026. Applications that need SSE-C must explicitly enable it using the PutBucketEncryption API after bucket creation.
  • S3 provides data-at-rest encryption using
    • Server-Side Encryption: S3 handles the encryption
      • SSE-S3
        • S3 handles the encryption and decryption using S3 managed keys
        • This is now the base level of encryption for every bucket in S3 (default)
      • SSE-KMS
        • S3 handles the encryption and decryption using keys managed through AWS KMS.
        • Provides additional audit trail via AWS CloudTrail for key usage
      • DSSE-KMS (Dual-Layer Server-Side Encryption)
        • Applies two layers of encryption using AWS KMS keys
        • Even if one encryption layer were compromised, data remains protected by the second layer
        • Designed for highly regulated workloads requiring CNSSP 15 compliance
        • Higher cost due to increased processing overhead and additional KMS API calls
      • SSE-C
        • S3 handles the encryption and decryption using keys managed and provided by the Customer.
        • Disabled by default on new buckets since April 2026 — must be explicitly enabled via PutBucketEncryption API
        • Most modern use cases prefer SSE-S3 or SSE-KMS for greater flexibility
    • Client Side Encryption: Customer handles the encryption
      • CSE-KMS
        • Customer handles the encryption and decryption using keys managed through AWS KMS.
      • Client-side Master Key
        • Customer handles the encryption and decryption using keys managed by them.
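As an added example (not code from the original post), the following Python builds a bucket policy that enforces both controls described above: TLS for data in transit (aws:SecureTransport) and SSE-KMS or DSSE-KMS for data at rest (s3:x-amz-server-side-encryption), and includes a minimal offline evaluator for the two condition operators the policy uses so the deny logic can be exercised. The bucket name is a placeholder, and resource matching is omitted because every statement covers the whole bucket.

```python
"""Added example: bucket policy enforcing TLS in transit and KMS-based
encryption at rest, with a minimal offline evaluator for its Deny logic."""
from typing import Optional


def build_policy(bucket: str) -> dict:
    """Return a bucket policy document for `bucket` (placeholder name)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Data in transit: deny any request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Data at rest: accept only SSE-KMS (aws:kms) or DSSE-KMS (aws:kms:dsse).
                # An upload with SSE-S3 (AES256) or with no header at all is rejected.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["aws:kms", "aws:kms:dsse"]}},
            },
        ],
    }


def _condition_matches(operator: str, pairs: dict, context: dict) -> bool:
    """Evaluate one condition block against the request context keys."""
    for key, expected in pairs.items():
        values = expected if isinstance(expected, list) else [expected]
        value = context.get(key)
        if operator == "Bool":
            # Positive operator: a missing key does not match.
            if value is None or str(value).lower() not in [v.lower() for v in values]:
                return False
        elif operator == "StringNotEquals":
            # Negated operator: a missing key counts as "not equal" and matches,
            # which is what makes a PutObject without the SSE header get denied.
            if value is not None and value in values:
                return False
        else:
            raise ValueError(f"unsupported operator: {operator}")
    return True


def is_denied(policy: dict, action: str, context: dict) -> Optional[str]:
    """Return the Sid of the first applicable Deny statement, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
                   for a in actions):
            continue
        if all(_condition_matches(op, pairs, context)
               for op, pairs in stmt.get("Condition", {}).items()):
            return stmt["Sid"]
    return None
```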

S3 Permissions

Refer to the blog post on S3 Permissions.

S3 Object Ownership

  • S3 Object Ownership is a bucket-level setting to control ownership of objects uploaded to a bucket and to disable or enable ACLs.
  • By default, Object Ownership is set to Bucket owner enforced, and all ACLs are disabled.
  • When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access exclusively using access-management policies.
  • A majority of modern use cases in S3 no longer require the use of ACLs.
  • Object Ownership has three settings:
    • Bucket owner enforced (default) – ACLs are disabled. The bucket owner automatically owns and has full control over every object. Policies define access control.
    • Bucket owner preferred – The bucket owner owns new objects written by other accounts if uploaded with the bucket-owner-full-control canned ACL.
    • Object writer – The uploading account owns the object. ACLs are enabled.
  • With ACLs disabled, you can use policies to control access to all objects in your bucket, regardless of who uploaded them.

S3 Object Lock

  • S3 Object Lock helps to store objects using a write-once-read-many (WORM) model.
  • can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
  • can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion.
  • can be enabled only for new buckets and works only in versioned buckets.
  • provides two retention modes that apply different levels of protection to the objects
    • Governance mode
      • Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions.
      • Objects can be protected from being deleted by most users, but some users can be granted permission to alter the retention settings or delete the object if necessary.
      • Can be used to test retention-period settings before creating a compliance-mode retention period.
    • Compliance mode
      • A protected object version can’t be overwritten or deleted by any user, including the root user in the AWS account.
      • Object retention mode can’t be changed, and its retention period can’t be shortened.
      • Object versions can’t be overwritten or deleted for the duration of the retention period.
  • Legal Hold
    • Provides the same protection as a retention period, but has no expiration date.
    • Remains in place until explicitly removed.
    • Can be applied to any object in an Object Lock-enabled bucket, whether or not that object has a retention period.
    • Requires the s3:PutObjectLegalHold permission to add or remove.

S3 Access Points

  • S3 access points simplify data access for any AWS service or customer application that stores data in S3.
  • Access points are named network endpoints that are attached to buckets and can be used to perform S3 object operations, such as GetObject and PutObject.
  • Each access point has distinct permissions and network controls that S3 applies for any request that is made through that access point.
  • Each access point enforces a customized access point policy that works in conjunction with the bucket policy, attached to the underlying bucket.
  • An access point can be configured to accept requests only from a VPC to restrict S3 data access to a private network.
  • Custom block public access settings can be configured for each access point.
  • S3 Access Points now support tags for ABAC (Aug 2025), enabling tag-based permissions for access points.
  • S3 Multi-Region Access Points provide a global endpoint for applications to fulfill requests from S3 buckets in multiple AWS Regions.
    • Uses AWS Global Accelerator for intelligent routing to the nearest bucket
    • Supports failover controls for active-passive or active-active configurations
    • Does not support anonymous requests

S3 Access Grants

  • S3 Access Grants is a scalable access control solution that maps identities to S3 data permissions.
  • Acts as a credential vendor — users request credentials from S3 Access Grants, which evaluates grants and vends temporary, least-privilege access credentials.
  • Supports mapping identities from corporate directories such as Microsoft Entra ID (formerly Azure AD), Okta, and other IdPs via AWS IAM Identity Center.
  • Supports up to 100,000 grants per Region per account.
  • Ideal for complex access control requirements:
    • Bucket policy size limit (20 KB) exceeded
    • Human identities from external IdPs need S3 access for analytics and big data
    • Cross-account access without frequent IAM policy updates
    • Object-level access control for unstructured data
  • Integrates with AWS machine learning and analytics services including Amazon SageMaker, Amazon Redshift, and AWS Glue.
  • Simplifies authentication when using both IAM and Identity Provider permissions (March 2025).

S3 Attribute-Based Access Control (ABAC)

  • Launched November 2025 – Tag-based authorization for S3 general purpose buckets.
  • Enables automatically managing permissions for users and roles by controlling data access through tags on S3 buckets.
  • Instead of managing permissions individually, use tag-based IAM or bucket policies to grant or deny access based on matching tags between principals and buckets.
  • Makes it easy to grant S3 access based on project, team, cost center, data classification, or other bucket attributes instead of bucket names.
  • ABAC must be explicitly enabled on each S3 bucket using the PutBucketAbac API.
  • Tag-based condition keys work in AWS Organizations policies, IAM policies, and S3 bucket policies.
  • Can enforce tagging requirements at bucket creation using SCPs or IAM policies with aws:TagKeys and aws:RequestTag condition keys.
  • Same tags can serve dual purpose: access control (ABAC) and cost allocation.
  • Available through Console, API, SDKs, CLI, and CloudFormation at no additional cost.
  • Also supported on S3 directory buckets, S3 access points, and S3 tables buckets.

S3 VPC Gateway Endpoint

  • A VPC endpoint enables connections between a VPC and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • VPC is not exposed to the public internet.
  • A Gateway Endpoint is a gateway that is a target for a route in your route table used for traffic destined to S3.

S3 Block Public Access

  • S3 Block Public Access provides controls across an entire AWS Account or at the individual S3 bucket level to ensure that objects never have public access, now and in the future.
  • S3 Block Public Access provides settings for access points, buckets, and accounts to help manage public access to S3 resources.
  • By default, new buckets, access points, and objects don’t allow public access. However, users can modify bucket policies, access point policies, or object permissions to allow public access.
  • S3 Block Public Access settings override these policies and permissions so that public access to these resources can be limited.
  • S3 Block Public Access allows account administrators and bucket owners to easily set up centralized controls to limit public access to their S3 resources that are enforced regardless of how the resources are created.
  • S3 doesn’t support block public access settings on a per-object basis.
  • S3 Block Public Access settings when applied to an account apply to all AWS Regions globally.

Resource Control Policies (RCPs)

  • Launched November 2024 – A new type of authorization policy in AWS Organizations for centrally restricting access to AWS resources.
  • RCPs work alongside Service Control Policies (SCPs) to establish permissions guardrails across multiple accounts in an organization.
  • Can enforce that S3 buckets in your accounts are only accessible by principals belonging to your organization.
  • Resource-based — they restrict what actions can be taken on resources regardless of the identity-based permissions granted.
  • Do not grant access — they only set the maximum available permissions on resources.
  • Key S3 use case: Restrict access to S3 buckets so no principal outside the organization can access them, regardless of individual S3 bucket policies.
  • Available in AWS GovCloud (US) Regions since May 2025.
  • Supported by AWS Control Tower with configurable managed controls.

S3 Access Analyzer

  • S3 Access Analyzer (part of IAM Access Analyzer) monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
  • Evaluates bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access.
  • External Access Findings — identifies resources accessible by principals outside your account or organization.
  • Internal Access Findings (June 2025) — identifies who within your AWS organization has access to critical resources including S3 buckets.
    • Monitors selected resources daily and surfaces findings in a unified dashboard
    • Combines internal and external access findings for a 360-degree view
  • Unused Access Analysis — identifies unused roles, access keys, and permissions to help achieve least privilege.
  • Custom Policy Checks — validate policies before deployment, including:
    • Check No Public Access (Jul 2024)
    • Check Access Not Granted
    • Guided revocation for unused access (Jun 2024)
  • Can be integrated into CI/CD pipelines for automated policy reviews.

S3 Security Best Practices

S3 Preventative Security Best Practices

  • Ensure S3 buckets use the correct policies and are not publicly accessible
    • Use S3 block public access
    • Keep ACLs disabled (Bucket owner enforced) unless specifically needed
    • Use AWS Trusted Advisor to inspect the S3 implementation.
    • Use Resource Control Policies (RCPs) to restrict access to organization principals only
  • Implement least privilege access
    • Use S3 Access Grants for complex identity-based access at scale
    • Use ABAC for tag-based authorization to simplify policy management
    • Use IAM Access Analyzer to identify and remediate overly permissive policies
  • Use IAM roles for applications and AWS services that require S3 access
  • Enable Multi-factor authentication (MFA) Delete to help prevent accidental bucket deletions
  • Consider Data at Rest Encryption
    • SSE-S3 is now applied by default to all new objects
    • Use SSE-KMS for additional audit trails and key management
    • Use DSSE-KMS for compliance requiring two independent layers of encryption
  • Enforce Data in Transit Encryption
  • Consider S3 Object Lock to store objects using a “Write Once Read Many” (WORM) model.
  • Enable versioning to easily recover from both unintended user actions and application failures.
  • Consider S3 Cross-Region replication
  • Consider VPC endpoints for S3 access to provide private S3 connectivity and help prevent traffic from potentially traversing the open internet.
  • Secure presigned URLs with short expiration times, IP restrictions, and scoped IAM permissions.

S3 Monitoring and Auditing Best Practices

  • Identify and Audit all S3 buckets to have visibility of all the S3 resources to assess their security posture and take action on potential areas of weakness.
  • Implement monitoring using AWS monitoring tools
  • Enable S3 server access logging, which provides detailed records of the requests that are made to a bucket useful for security and access audits
  • Use AWS CloudTrail, which provides a record of actions taken by a user, a role, or an AWS service in S3.
  • Enable AWS Config, which enables you to assess, audit, and evaluate the configurations of the AWS resources
  • Use Amazon Macie with S3 to automatically discover, classify, and protect sensitive data in AWS.
    • Automated sensitive data discovery continuously samples and analyzes objects
    • Provides sensitivity scores for each bucket
    • Builds interactive data maps showing sensitive data distribution across accounts
  • Use IAM Access Analyzer to monitor both external and internal access to S3 resources
  • Regularly check the AWS security advisories posted in Trusted Advisor for the AWS account.
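As an added example (not code from the original post), here is detection logic a defender can run over CloudTrail S3 management events to catch the control changes the bullets above recommend watching for: Block Public Access being relaxed, a bucket policy opening access to Principal *, and versioning being suspended. The events are constructed samples whose shape follows CloudTrail's requestParameters; the field names are assumptions to verify against your own trail.

```python
"""Added example: flag CloudTrail S3 management events that weaken a bucket's
access controls. Sample events are constructed, not real CloudTrail output."""
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str, str]  # (severity, bucket, eventName, reason)


def _is_public_statement(stmt: dict) -> bool:
    """Allow with a wildcard principal and no aws:PrincipalOrgID scoping."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
    if not wildcard:
        return False
    conditions = stmt.get("Condition") or {}
    return not any("aws:PrincipalOrgID" in keys for keys in conditions.values())


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a finding for a control-weakening S3 event, else None."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return None
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName", "<unknown>")
    if name == "PutBucketPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        off = sorted(k for k, v in cfg.items() if v is False)  # settings turned off
        if off:
            return ("HIGH", bucket, name, "Block Public Access disabled: " + ", ".join(off))
    elif name == "PutBucketPolicy":
        stmts = (params.get("bucketPolicy") or {}).get("Statement") or []
        if any(_is_public_statement(s) for s in stmts):
            return ("HIGH", bucket, name, "bucket policy grants access to Principal *")
    elif name == "DeleteBucketPolicy":
        return ("MEDIUM", bucket, name, "bucket policy removed")
    elif name == "PutBucketVersioning":
        if (params.get("VersioningConfiguration") or {}).get("Status") == "Suspended":
            return ("MEDIUM", bucket, name, "versioning suspended")
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events (shape follows CloudTrail; names and values are made up).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPublicAccessBlock",
     "requestParameters": {"bucketName": "finance-reports", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "finance-reports", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",  # org-scoped: OK
     "requestParameters": {"bucketName": "shared-data", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-data/*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning",
     "requestParameters": {"bucketName": "finance-reports",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
]
```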

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A company needs to ensure all objects stored in their S3 buckets are encrypted with a dual-layer encryption mechanism for CNSSP 15 compliance. Which encryption option should they use?
    a. SSE-S3
    b. SSE-KMS
    c. DSSE-KMS
    d. SSE-C

    Answer: c. DSSE-KMS — Dual-Layer Server-Side Encryption with AWS KMS keys provides two independent layers of encryption for compliance requirements like CNSSP 15.

  2. An organization wants to grant access to S3 buckets based on team membership from their Microsoft Entra ID directory, supporting up to 50,000 data scientists. Which S3 feature is most appropriate?
    a. S3 Bucket Policies
    b. S3 Access Points
    c. S3 Access Grants
    d. S3 ACLs

    Answer: c. S3 Access Grants — Maps corporate directory identities to S3 data permissions at scale (up to 100,000 grants per Region), ideal for large organizations with external IdPs.

  3. A security engineer needs to ensure that no S3 buckets in any account of the organization can be accessed by principals outside the organization, regardless of individual bucket policies. Which feature should they implement?
    a. S3 Block Public Access
    b. Service Control Policies (SCPs)
    c. Resource Control Policies (RCPs)
    d. S3 Bucket Policies with Deny statements

    Answer: c. Resource Control Policies (RCPs) — RCPs centrally restrict external access to AWS resources across an organization, enforcing that S3 buckets are accessible only by principals belonging to the organization.

  4. An administrator wants to simplify S3 bucket access management by automatically granting access based on environment tags (dev, staging, prod) rather than maintaining individual bucket ARNs in policies. What feature should they use?
    a. S3 Access Grants
    b. S3 ABAC (Attribute-Based Access Control)
    c. S3 Access Points
    d. AWS Organizations SCPs

    Answer: b. S3 ABAC — Enables tag-based authorization for S3 buckets, allowing access decisions based on matching tags between principals and buckets rather than individual bucket names.

  5. A company creates a new S3 bucket and attempts to upload objects using SSE-C encryption but receives an AccessDenied error. What is the most likely cause? (Choose the best answer)
    a. The IAM user lacks encryption permissions
    b. SSE-C is disabled by default on new buckets since April 2026
    c. The bucket policy blocks encryption operations
    d. KMS key permissions are missing

    Answer: b. — Since April 2026, SSE-C is disabled by default on all new general purpose buckets. Applications must explicitly enable SSE-C via the PutBucketEncryption API.

  6. Which IAM Access Analyzer feature, launched in June 2025, helps security teams identify who within their AWS organization has access to critical resources like S3 buckets?
    a. External Access Findings
    b. Internal Access Findings
    c. Unused Access Analysis
    d. Custom Policy Checks

    Answer: b. Internal Access Findings — Monitors resources daily and provides a unified dashboard combining internal and external access findings for a 360-degree view.
