AWS S3 Security
- AWS S3 Security is a shared responsibility between AWS and the Customer
- S3 is a fully managed service that is protected by the AWS global network security procedures
- AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
- Security and compliance of S3 are assessed by third-party auditors as part of multiple AWS compliance programs including SOC, PCI DSS, HIPAA, etc.
- S3 provides several other features to handle security, which are the customers’ responsibility.
- S3 Encryption supports both data at rest and data in transit encryption.
- Data in transit encryption can be provided by enabling communication via SSL or using client-side encryption
- Data at rest encryption can be provided using Server Side or Client Side encryption
- S3 permissions can be handled using
- IAM User Policies
- Resource-based policies which include Bucket policies, Bucket ACL, and Object ACL
- S3 Access Points
- S3 Object Lock helps to store objects using a WORM model and can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
- S3 Access Points simplify data access for any AWS service or customer application that stores data in S3.
- S3 Versioning with MFA Delete can be enabled on a bucket to ensure that data in the bucket cannot be accidentally overwritten or deleted.
- S3 Access Analyzer monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
S3 Encryption
- S3 allows the protection of data in transit by enabling communication via SSL or using client-side encryption
- S3 provides data-at-rest encryption using
- Server-Side Encryption: S3 handles the encryption
- Client Side Encryption: Customer handles the encryption
- CSE-CMK
- Customer handles the encryption and decryption using keys managed through AWS KMS.
- Client-side Master Key
- Customer handles the encryption and decryption using keys managed by them.
- CSE-CMK
S3 Permissions
Refer blog post @ S3 Permissions
S3 Object Lock
Refer blog post @ S3 Object Lock
S3 Access Points
- S3 access points simplify data access for any AWS service or customer application that stores data in S3.
- Access points are named network endpoints that are attached to buckets and can be used to perform S3 object operations, such as
GetObject
andPutObject
. - Each access point has distinct permissions and network controls that S3 applies for any request that is made through that access point.
- Each access point enforces a customized access point policy that works in conjunction with the bucket policy, attached to the underlying bucket.
- An access point can be configured to accept requests only from a VPC to restrict S3 data access to a private network.
- Custom block public access settings can be configured for each access point.
S3 VPC Gateway Endpoint
- A VPC endpoint enables connections between a VPC and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- VPC is not exposed to the public internet.
- A Gateway Endpoint is a gateway that is a target for a route in your route table used for traffic destined to either S3.
S3 Access Analyzer
- S3 Access Analyzer monitors the access policies, ensuring that the policies provide only the intended access to your S3 resources.
- S3 Access Analyzer evaluates the bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access.
S3 Security Best Practices
S3 Preventative Security Best Practices
- Ensure S3 buckets use the correct policies and are not publicly accessible
- Use S3 block public access
- Identify Bucket policies and ACLs that allow public access
- Use AWS Trusted Advisor to inspect the S3 implementation.
- Implement least privilege access
- Use IAM roles for applications and AWS services that require S3 access
- Enable Multi-factor authentication (MFA) Delete to help prevent accidental bucket deletions
- Consider Data at Rest Encryption
- Enforce Data in Transit Encryption
- Consider S3 Object Lock to store objects using a “Write Once Read Many” (WORM) model.
- Enable versioning to easily recover from both unintended user actions and application failures.
- Consider S3 Cross-Region replication
- Consider VPC endpoints for S3 access to provide private S3 connectivity and help prevent traffic from potentially traversing the open internet.
S3 Monitoring and Auditing Best Practices
- Identify and Audit all S3 buckets to have visibility of all the S3 resources to assess their security posture and take action on potential areas of weakness.
- Implement monitoring using AWS monitoring tools
- Enable S3 server access logging, which provides detailed records of the requests that are made to a bucket useful for security and access audits
- Use AWS CloudTrail, which provides a record of actions taken by a user, a role, or an AWS service in S3.
- Enable AWS Config, which enables you to assess, audit, and evaluate the configurations of the AWS resources
- Consider using Amazon Macie with S3 to automatically discover, classify, and protect sensitive data in AWS.
- Monitor AWS security advisories to regularly check security advisories posted in Trusted Advisor for the AWS account.
AWS Certification Exam Practice Questions
- Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
- AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
- Open to further feedback, discussion and correction.