Resources for implementing a comprehensive S3 security strategy. Included are customizable configuration items and packages, as well as guides for encryption, access control, logging, monitoring and compliance, backup and resilience options and more.
Ensure S3 public access is not allowed by enabling the S3 Block Public Access feature. This can be enabled at the account level or the bucket level. This setting overrides any bucket or object ACLs that might expose data in S3 buckets to the public.
If this AWS account is part of an AWS Organization, use a Service Control Policy (SCP) to prevent users in the account from modifying this setting.
Enable S3 Bucket Default Encryption to enforce encryption on all objects stored in an S3 bucket. Default encryption can be configured to use server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS).
S3 buckets default to TLS-encrypted communication, but the S3 API also accepts plain HTTP connections. It is best practice to use S3 bucket policies to ensure clear-text communication is denied.
Access to S3 buckets is controlled through a combination of identity-based policies (IAM policies applied to IAM principals such as users or roles) and resource-based policies (S3 bucket policies applied to the S3 buckets). Use S3 bucket policies to ensure only authorized principals are allowed to access the bucket and its data:
Enable IAM Access Analyzer for continuous monitoring of access policies of S3 Buckets to ensure that no external access to the public or other AWS accounts is enabled.
Use VPC Endpoints to provide private access from VPCs to S3 Buckets directly without having to provide Internet access to the VPC. VPC Endpoints also provide an additional access control mechanism through Endpoint Policies which allow further control on what S3 buckets and actions are allowed through the VPC.
S3 bucket policies can also be used to restrict access to S3 buckets to specific VPCs or VPC Endpoints only.
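The two bucket-policy controls described above, denying clear-text transport and restricting access to a single VPC endpoint, combined in one policy, plus a small check that verifies a given policy actually contains an effective TLS deny. This is an added example, not part of the original guide; the bucket name and the `vpce-...` ID are constructed placeholders.

```python
import json

def tls_and_vpce_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy that (1) denies any request not made over TLS and
    (2) denies any request that does not arrive through the given VPC endpoint.
    Explicit Deny wins over any Allow, so these hold regardless of IAM policies."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyClearTextTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyAccessOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }

def denies_cleartext(policy: dict, bucket: str) -> bool:
    """True if some statement denies every principal all s3 actions on both the
    bucket and its objects whenever aws:SecureTransport is false.
    (Only the "Principal": "*" form is recognised here.)"""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        res = st.get("Resource", [])
        res = {res} if isinstance(res, str) else set(res)
        cond = st.get("Condition", {}).get("Bool", {})
        if "s3:*" in actions and needed <= res \
                and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

if __name__ == "__main__":
    # Constructed placeholder values; substitute your own bucket and endpoint ID.
    policy = tls_and_vpce_policy("example-bucket", "vpce-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    print("TLS enforced:", denies_cleartext(policy, "example-bucket"))
```

The endpoint deny also blocks requests that do not come through that endpoint, including your own console or CLI sessions from outside the VPC, so exempt the administrative role (for example with an `aws:PrincipalArn` condition) before applying it.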
By default, S3 buckets do not log object-level activity (data-plane events) such as viewing or downloading objects in a bucket. AWS provides two methods for enabling access logging on S3:
In addition to enabling access logs for S3 buckets, it is important to set up a comprehensive monitoring and compliance strategy by configuring the relevant AWS services and setting up alarms and notifications for critical events:
Use the following packages to enable the required logging services, as well as compliance and monitoring rules for S3:
Amazon S3 provides several features to protect data against accidental or malicious deletion or corruption:
A data classification strategy is required to prevent data loss in an environment. Amazon Macie (as well as third-party partner tools) helps with automatically discovering, classifying, and monitoring data in S3 buckets.