DEV Community

Srinivasa Raju Addepalli for AWS Community Builders

Posted on • Updated on

Security best practices of Amazon S3


Security best practices of Amazon S3

Amazon S3

Amazon S3 is an object storage service. It enables us to store virtually unlimited amounts of data. Data files are stored as objects.

We place objects in a bucket. Every S3 bucket name must be globally unique across Regions (unique across all AWS customer accounts).

The objects we store can vary in size from 0 bytes to 5 TB. Though individual objects cannot be larger than 5 TB, we can store as much total data as we need.

Object values are immutable, which means that after we upload an object, we cannot modify the value. If we want to modify the object, we must make a change outside of Amazon S3 and then re-upload the object.

Objects also include metadata, which is a set of name-value pairs we can use to store information about the object. we can assign metadata, which is referred to as user-defined metadata, to our objects in Amazon S3. Amazon S3 also assigns system-metadata to these objects, which it uses for managing objects.

Security of Amazon S3 - Introduction

Security is a shared responsibility between AWS and customers. AWS is responsible for the “security of the cloud,” and customers are responsible for “security in the cloud”

Security of the cloud

AWS is responsible for protecting the infrastructure that runs Amazon Simple Storage Service (Amazon S3). The effectiveness of the security is regularly tested and verified by third-party auditors as part of the AWS compliance programs.

Security in the cloud

Our responsibility is managing access to our data (by using tools to apply the appropriate permissions and access levels). We are also responsible for your organization’s requirements, and applicable laws and regulations.

Key security best practices of Amazon S3

• Access control

• Data protection

• Monitor and audit security settings

Amazon S3 offers access policy options broadly categorized as resource based policies and user policies. Access policies we attach to our resources (buckets and objects) are referred to as resource-based policies.

When granting permissions, we have to decide who is getting them, which Amazon S3 resources they are getting permissions for, and specific actions we want to allow on those resources.

By default, all Amazon S3 resources (buckets, objects, and related sub resources (lifecycle configuration and website configuration) are private.

Access Control best practices:

• Implement a “Least Privilege” access model to limit access to S3 resources by using a combination of Identity and Access Management (IAM) policies, bucket policies and S3 Access Points

• Ensure that our S3 buckets are not publicly accessible

• Limit access to specific Virtual Private Clouds (VPCs) or known IP address ranges with bucket policies, and access point policies

• Use IAM roles for applications and AWS services that require Amazon S3 access

• Consider Amazon S3 presigned URLs or Amazon CloudFront signed URLs to provide limited-time access to Amazon S3 for specific applications

• Use Amazon S3 VPC Endpoints and Service Control Policies

• Use Access Analyzer for S3 to monitor and control access to our data

Data protection best practices for S3

• Encrypt all Amazon S3 data at rest using Server-side Encryption (SSE) or client-side encryption

• Enforce encryption-in-transit for access to Amazon S3

• Enable object versioning

• Enable Multi-factor Authentication (MFA) Delete and S3 Object Lock when appropriate

• Consider S3 Replication to different AWS accounts to protect our data and remain compliant

• Use tools including Amazon Macie, Amazon GuardDuty for S3, and Amazon S3 Inventory to protect your sensitive data Monitor

Monitor and audit security settings for S3

• Audit Amazon S3 API actions using AWS CloudTrail

• Monitor data access from Amazon S3 with access logging

Other S3 best practices

Encryption of data at rest

We can use Server-Side Encryption and Client-Side Encryption for protecting data at rest in Amazon S3

Server-Side Encryption – Request Amazon S3 to encrypt our object before saving it on disks in its data centers and then decrypt it when you download the objects. Server-side encryption can help reduce risk to our data by encrypting the data with a key that is stored in a different mechanism than the mechanism that stores the data itself.

Amazon S3 provides these server-side encryption options:

  • Server-side encryption with Amazon S3‐managed keys (SSE-S3).
  • Server-side encryption with KMS key stored in AWS Key Management Service (SSE-KMS).
  • Server-side encryption with customer-provided keys (SSE-C).

Client-Side Encryption – Encrypt data client-side and upload the encrypted data to Amazon S3

We have to manage the encryption process, the encryption keys, and related tools. As with server-side encryption, client-side encryption can help reduce risk by encrypting the data with a key that is stored in a different mechanism than the mechanism that stores the data itself.

Enforce encryption of data in transit

We can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. You should allow only encrypted connections over HTTPS (TLS) using the condition aws:SecureTransport on Amazon S3 bucket policies.

Hope you have got some basic idea about Security best practices of S3.

Happy Learning 📚

Thank you!

Social Footprints:

Top comments (0)