S3 Security Strategy
Prevent Public Access
Ensure S3 public access is not allowed by enabling the S3 Block Public Access feature. It can be enabled at the account level (applies to every bucket in the account, including buckets created later) or per bucket; when enabled it overrides any bucket policy or ACL that would otherwise grant public access to buckets or objects. Prefer the account-level setting: the most restrictive of the account and bucket settings always applies, so a bucket-level setting cannot loosen it.
If this AWS account is part of an AWS Organization, attach a Service Control Policy (SCP) that denies s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock (except for a designated break-glass role) so that principals in the account cannot weaken or remove the setting.
Encryption At-Rest
Enable S3 Bucket Default Encryption so that every object written to the bucket is encrypted at rest. Default encryption can use server-side encryption with Amazon S3-managed keys (SSE-S3) or with keys stored in AWS Key Management Service (SSE-KMS; these were formerly called customer master keys, CMKs, and are now called AWS KMS keys). Since January 2023 S3 applies SSE-S3 to all new objects even when no default is configured, so the remaining decision is whether to require SSE-KMS, which adds key-policy-based access control, CloudTrail logging of every key use, and the option to bring your own key material. When using SSE-KMS, enable S3 Bucket Keys to reduce the number of KMS requests and their cost.
Encryption In-Transit (TLS)
S3 endpoints accept both HTTPS and plain HTTP. The SDKs, CLI and console use HTTPS by default, but a client can still be configured to use HTTP. Add a bucket policy statement that denies all s3:* actions on the bucket and its objects when the condition key aws:SecureTransport is false, so that clear-text requests are refused regardless of client configuration (the AWS Config managed rule s3-bucket-ssl-requests-only checks for exactly this statement).
Access Control
Access to S3 buckets is controlled through a combination of identity-based policies (IAM policies attached to IAM principals such as users or roles) and resource-based policies (S3 bucket policies attached to the buckets). Use S3 bucket policies to ensure only authorized principals are allowed to access the bucket and its data. Also set S3 Object Ownership to "bucket owner enforced", which disables ACLs on the bucket so that bucket policies and IAM policies are the only access-control mechanisms that need to be reviewed:
Enable IAM Access Analyzer, which continuously analyzes bucket policies, bucket and object ACLs and access point policies and reports any bucket that grants access to the public or to principals outside the account or organization (its zone of trust).
VPC Access Control
Use VPC endpoints (a gateway endpoint for S3, or an interface endpoint when access is needed from on-premises or across VPCs) so that workloads reach S3 over the AWS network without the VPC needing Internet access. VPC endpoints also provide an additional access control mechanism through endpoint policies, which further restrict which S3 buckets and actions are reachable through the endpoint.
S3 bucket policies can in turn restrict a bucket to specific VPCs (condition key aws:SourceVpc) or VPC endpoints (aws:SourceVpce). Such a deny statement also blocks the console and any administrator who is not coming through the endpoint, so exempt a break-glass principal (for example with an aws:PrincipalArn condition in the same statement) and test the policy before applying it to a production bucket.
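The SCP protecting Block Public Access (Prevent Public Access section) and the bucket policy statements for TLS-only and VPC-endpoint-only access (this section) are shown here as an added example that is not part of the original page or of any AWS-provided code. It builds the policy documents and checks them against constructed request contexts with a minimal evaluator that models only the Deny side of IAM evaluation and the three condition operators used. The bucket name, VPC endpoint ID, account ID and role ARNs are placeholders, not real resources.

```python
import fnmatch

BUCKET = "example-data-bucket"                                       # assumed bucket name
ALLOWED_VPCE = ["vpce-0123456789abcdef0"]                            # assumed endpoint ID
BREAK_GLASS = "arn:aws:iam::111122223333:role/SecurityBreakGlass"    # assumed exempt role
APP_ROLE = "arn:aws:iam::111122223333:role/AppRole"                  # assumed workload role


def block_public_access_scp(exempt_role_arns):
    """SCP: no principal in the account except the listed roles may change the
    account- or bucket-level Block Public Access settings (SCPs carry no Principal)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectBlockPublicAccess",
        "Effect": "Deny",
        "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": list(exempt_role_arns)}},
    }]}


def bucket_policy(bucket, allowed_vpce_ids, exempt_role_arns):
    """Bucket policy: deny clear-text requests, and deny requests that did not come
    through an approved VPC endpoint unless the caller is an exempted role. Without
    that exemption the console and every administrator outside the VPC are locked out."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOutsideApprovedVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"StringNotEquals": {
             "aws:SourceVpce": list(allowed_vpce_ids),
             "aws:PrincipalArn": list(exempt_role_arns)}}},
    ]}


def _matches(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. As in IAM, a key that is absent from the
    request context makes a positive operator false and a negated (...Not...) one true."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, wanted in pairs.items():
            wanted = [str(w).lower() for w in (wanted if isinstance(wanted, list) else [wanted])]
            if key not in ctx:
                if negated:
                    continue
                return False
            hit = str(ctx[key]).lower() in wanted
            if hit == negated:   # positive operator without a hit, or negated operator with one
                return False
    return True


def denied_by(policy, action, resource, ctx):
    """Sids of Deny statements matching the request; a non-empty list means the
    request is refused, since an explicit deny overrides any Allow."""
    return [st["Sid"] for st in policy["Statement"]
            if st["Effect"] == "Deny"
            and _matches(st["Action"], action) and _matches(st["Resource"], resource)
            and _condition_holds(st.get("Condition", {}), ctx)]


POLICY = bucket_policy(BUCKET, ALLOWED_VPCE, [BREAK_GLASS])
SCP = block_public_access_scp([BREAK_GLASS])
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"

# Constructed request contexts (the values IAM derives from a real request).
REQUESTS = {
    "http_via_vpce":    {"aws:SecureTransport": "false", "aws:SourceVpce": ALLOWED_VPCE[0], "aws:PrincipalArn": APP_ROLE},
    "https_via_vpce":   {"aws:SecureTransport": "true",  "aws:SourceVpce": ALLOWED_VPCE[0], "aws:PrincipalArn": APP_ROLE},
    "https_internet":   {"aws:SecureTransport": "true",  "aws:PrincipalArn": APP_ROLE},
    "https_breakglass": {"aws:SecureTransport": "true",  "aws:PrincipalArn": BREAK_GLASS},
}


def evaluate_requests():
    """Which Deny statements each sample GetObject request trips."""
    return {label: denied_by(POLICY, "s3:GetObject", OBJECT_ARN, ctx) for label, ctx in REQUESTS.items()}


def can_change_block_public_access(principal_arn):
    """True when the SCP does not deny the principal from changing the BPA setting."""
    return not denied_by(SCP, "s3:PutAccountPublicAccessBlock", "*", {"aws:PrincipalArn": principal_arn})


if __name__ == "__main__":
    for label, sids in evaluate_requests().items():
        print(f"{label:17s} -> {'DENIED by ' + ', '.join(sids) if sids else 'not denied'}")
    print("AppRole may change Block Public Access:", can_change_block_public_access(APP_ROLE))
```

The `https_internet` case is the one to notice: a request over TLS from a valid workload role is still refused because no `aws:SourceVpce` key is present, which is what makes a `StringNotEquals` deny fire. The break-glass exemption is what keeps the bucket administrable. Before applying such a policy for real, use the IAM policy simulator or a test bucket, since this evaluator ignores Allow statements, NotAction/NotResource and the other condition operators.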
Access Logs
S3 does not log object-level activity (data-plane events such as reading or downloading an object) by default. AWS provides two methods for enabling access logging on S3:
- Server Access Logs: configured per bucket. Logs are delivered to a target bucket in the same AWS account and Region. Use a dedicated log bucket rather than the source bucket itself, since logging a bucket to itself generates log entries about the log deliveries in an endless loop. Delivery is best-effort and can lag by hours, and the logs are free apart from storage.
- CloudTrail Data Events: capture object-level API calls (GetObject, PutObject, DeleteObject and so on) for one bucket, a set of buckets or all buckets in the account, in the standard CloudTrail record format with the caller identity, source IP and request parameters. Logs are stored in S3 and can be forwarded to CloudWatch Logs. CloudTrail data-event pricing applies.
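As an added example (not from the original page), here is a small parser for S3 server access log lines with the checks a reviewer would run first: successful anonymous reads, clear-text HTTP requests and AccessDenied responses, the last also counted per source IP to spot key enumeration. The sample lines are constructed in the documented field order; the owner ID, request IDs, host IDs and bucket are dummies, and the newer trailing fields (access point ARN, aclRequired) are left out.

```python
import re
from collections import Counter

# Constructed sample lines in S3 server access log format (dummy identifiers).
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-data-bucket [06/Feb/2023:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 7 4 "-" "aws-cli/2.11.0" - 8EXAMPLEhostid= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-data-bucket.s3.us-east-1.amazonaws.com TLSV1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-data-bucket [06/Feb/2023:00:01:02 +0000] 198.51.100.7 - 7F3EXAMPLE2 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 9 5 "-" "curl/7.88.1" - 8EXAMPLEhostid= - - - example-data-bucket.s3.us-east-1.amazonaws.com -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-data-bucket [06/Feb/2023:00:01:15 +0000] 198.51.100.7 - 7F3EXAMPLE3 REST.GET.OBJECT secrets/db.env "GET /secrets/db.env HTTP/1.1" 403 AccessDenied - 512 3 - "-" "curl/7.88.1" - 8EXAMPLEhostid= - - - example-data-bucket.s3.us-east-1.amazonaws.com -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be example-data-bucket [06/Feb/2023:00:02:40 +0000] 203.0.113.9 arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc 9C2EXAMPLE4 REST.PUT.OBJECT uploads/a.bin "PUT /uploads/a.bin HTTP/1.1" 200 - - 4096 12 6 "-" "Boto3/1.26.0" - 8EXAMPLEhostid= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-data-bucket.s3.us-east-1.amazonaws.com TLSV1.2
"""

# A token is a bracketed timestamp, a quoted string, or a run of non-space characters.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Documented field order of a server access log record (first 24 fields).
FIELDS = ["owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id", "host_id", "sig_version", "cipher_suite", "auth_type",
          "host_header", "tls_version"]


def parse_line(line):
    """Map one log line onto FIELDS; extra trailing fields are ignored."""
    tokens = [t.strip('"[]') for t in TOKEN.findall(line)]
    return dict(zip(FIELDS, tokens))


def findings(log_text):
    """Return (kind, remote_ip, key) tuples for the requests worth looking at."""
    out = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if len(r) < len(FIELDS):          # truncated or malformed line
            continue
        # '-' in the requester field means the request was unauthenticated
        if r["requester"] == "-" and r["status"] == "200" and r["operation"].startswith("REST.GET"):
            out.append(("anonymous_read_succeeded", r["remote_ip"], r["key"]))
        # no TLS version recorded means the request came in over plain HTTP
        if r["tls_version"] == "-":
            out.append(("cleartext_http", r["remote_ip"], r["key"]))
        if r["status"] == "403":
            out.append(("access_denied", r["remote_ip"], r["key"]))
    return out


def denied_by_ip(log_text):
    """AccessDenied count per source IP; many denials from one IP suggest key enumeration."""
    return Counter(ip for kind, ip, _ in findings(log_text) if kind == "access_denied")


if __name__ == "__main__":
    for kind, ip, key in findings(SAMPLE_LOG):
        print(f"{kind:25s} {ip:15s} {key}")
    print(dict(denied_by_ip(SAMPLE_LOG)))
```

On the sample, the anonymous `curl` client reads `reports/q1.csv` successfully over HTTP and is then denied on `secrets/db.env`; the authenticated CLI and SDK requests over TLS produce no findings. The same checks map directly onto CloudTrail data events, where the fields are `userIdentity.type == "AWSAccount"`/anonymous, `tlsDetails` and `errorCode`.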
Monitoring and Compliance
In addition to enabling access logs for S3 buckets, it is important to set up a comprehensive monitoring and compliance strategy by configuring the relevant AWS services and setting up alarms and notifications for critical events:
- Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in an AWS account. Its S3 Protection feature analyzes CloudTrail S3 data events and management events (not server access logs, and without requiring you to configure or pay for a data-event trail yourself) for suspicious patterns such as access from anonymous or unusual principals, bulk downloads, or disabling of logging and Block Public Access.
- AWS CloudTrail records control-plane API activity in the account, including creation, modification and deletion of buckets, bucket policies, Block Public Access settings and encryption configuration.
- AWS Config tracks configuration changes in the environment and provides a historical view of each S3 bucket's configuration throughout its lifetime.
- AWS Config Rules evaluate resources against compliance rules, either managed rules such as s3-bucket-ssl-requests-only, s3-bucket-versioning-enabled, s3-bucket-logging-enabled and s3-bucket-level-public-access-prohibited, or custom Lambda-backed rules, and flag non-compliant buckets.
- CloudWatch Alarms on metric filters over CloudTrail logs delivered to CloudWatch Logs can alert on important S3-related events such as PutBucketPolicy, DeleteBucketPolicy, PutBucketAcl or DeletePublicAccessBlock.
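Where the managed rules do not cover the whole strategy, a custom AWS Config rule can evaluate all of it per bucket. The following is an added example, not code from the page or from AWS: the evaluation logic of a Lambda-backed rule for AWS::S3::Bucket, written as a pure function over the configuration item so it can be tested offline. It assumes the field names used in the AWS::S3::Bucket supplementaryConfiguration (compared case-insensitively, since Config items use camelCase and the S3 API PascalCase); the sample item and event are constructed, and REQUIRE_KMS is a local policy choice.

```python
import json

REQUIRE_KMS = True   # assumption: this strategy wants SSE-KMS rather than SSE-S3 as the default

BPA_FLAGS = ("blockpublicacls", "ignorepublicacls", "blockpublicpolicy", "restrictpublicbuckets")


def _lower_keys(obj):
    """Lower-case every dict key so camelCase and PascalCase variants compare equal."""
    if isinstance(obj, dict):
        return {k.lower(): _lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_lower_keys(v) for v in obj]
    return obj


def evaluate_bucket(item):
    """Return (compliance_type, annotations) for one AWS::S3::Bucket configuration item."""
    supp = item.get("supplementaryConfiguration") or {}

    def section(name):
        raw = supp.get(name)           # Config delivers these as dicts or JSON strings
        return _lower_keys(json.loads(raw) if isinstance(raw, str) else (raw or {}))

    notes = []

    bpa = section("PublicAccessBlockConfiguration")
    missing = [f for f in BPA_FLAGS if not bpa.get(f)]
    if missing:
        notes.append("Block Public Access not fully enabled: " + ", ".join(missing))

    rules = section("ServerSideEncryptionConfiguration").get("rules") or []
    algo = (rules[0].get("applyserversideencryptionbydefault") or {}).get("ssealgorithm") if rules else None
    if algo is None:
        notes.append("default encryption not configured")
    elif REQUIRE_KMS and algo != "aws:kms":
        notes.append(f"default encryption is {algo}, expected aws:kms")

    if section("BucketVersioningConfiguration").get("status") != "Enabled":
        notes.append("versioning not enabled")

    if not section("BucketLoggingConfiguration").get("destinationbucketname"):
        notes.append("server access logging not enabled")

    return ("COMPLIANT" if not notes else "NON_COMPLIANT"), notes


def lambda_handler(event, context=None):
    """Custom rule entry point. event['invokingEvent'] is a JSON string carrying the
    configuration item. Returns the Evaluation that the real handler would send with
    boto3.client('config').put_evaluations(Evaluations=[...], ResultToken=event['resultToken'])."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, notes = evaluate_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": ("; ".join(notes) or "all checks passed")[:256],   # Annotation max 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed configuration item: Block Public Access and SSE-KMS are on,
# versioning is suspended and access logging is absent.
SAMPLE_ITEM = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-data-bucket",
    "configurationItemCaptureTime": "2023-02-06T00:00:00.000Z",
    "supplementaryConfiguration": {
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                           "blockPublicPolicy": True, "restrictPublicBuckets": True},
        "ServerSideEncryptionConfiguration": {"rules": [{
            "applyServerSideEncryptionByDefault": {
                "sseAlgorithm": "aws:kms",
                "kmsMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
            "bucketKeyEnabled": True}]},
        "BucketVersioningConfiguration": {"status": "Suspended", "isMfaDeleteEnabled": False},
        "BucketLoggingConfiguration": {},
    },
}
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM}), "resultToken": "dummy-token"}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Deploy it with a configuration-change trigger scoped to AWS::S3::Bucket so that a weakened bucket is flagged within minutes of the change, and route NON_COMPLIANT evaluations through EventBridge to the notification channel used for the CloudWatch alarms above.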
Use the following packages to enable the required logging services, as well as compliance and monitoring rules for S3:
Backup and Resilience
Amazon S3 provides several features to protect data against accidental or malicious deletion or corruption:
- Cross-Region or Same-Region Replication: enables automatic, asynchronous copying of objects between S3 buckets. Versioning must be enabled on both the source and destination bucket. The destination can be in the same AWS account or a different one; replicating into a separate, tightly controlled account also protects the copies if the source account is compromised.
- Object Versioning: enable versioning on the bucket so that overwrites and deletes keep the previous versions of each object. A delete request without a version ID only adds a delete marker, so the data can be recovered.
- MFA Delete: when enabled on a versioned bucket, permanently deleting an object version or changing the bucket's versioning state requires the bucket owner's root credentials together with an MFA code. It can only be enabled by the root user via the CLI or API, not from the console.
- Object Lock: write-once-read-many protection that prevents an object version from being deleted or overwritten for a fixed retention period, or indefinitely via a legal hold. Object Lock requires versioning. In compliance mode the retention cannot be shortened or removed by anyone, including the root user; in governance mode principals granted s3:BypassGovernanceRetention can override it.
Data Classification and DLP
A data classification strategy is a prerequisite for preventing data loss in an environment. Amazon Macie (as well as 3rd-party partner tools) automatically discovers, classifies and monitors sensitive data in S3 buckets, and also reports buckets that are publicly accessible, unencrypted or shared outside the account.
