S3 Security Strategy

Overview

Resources for implementing a comprehensive S3 security strategy. Included are customizable configuration items and packages, as well as guides for encryption, access control, logging, monitoring and compliance, backup and resilience options and more.

Prevent Public Access

Ensure S3 public access is not allowed by enabling the S3 Block Public Access feature. This can be enabled on the account-level or bucket-level. This setting will override any bucket or object ACLs that might expose data in S3 buckets to the public.

S3 Block Public Access (Account-Level)
Configuration Item
Add to Stack
Configure S3 Block Public Access on the AWS account level (applies to all S3 buckets in all regions).
S3 Bucket with Block Public Access Enabled
Configuration Item
Add to Stack
Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning
Use AWS Config to Monitor for and Respond to Amazon S3 Buckets Allowing Public Access
External: Solution/Guide
This blog post shows how to use AWS Config to monitor Amazon Simple Storage Service (S3) bucket ACLs and policies for violations which allow public read or public write access. If AWS Config finds a policy violation, it will trigger an Amazon CloudWatch Event rule to trigger an AWS Lambda function which either corrects the S3 bucket ACL, or notifies you via Amazon Simple Notification Service (Amazon SNS) that the policy is in violation and allows public read or public write access.

If this AWS account is part of an AWS Organization, use a Service Control Policy (SCP) to prevent users in the account from modifying this setting. 

SCP: Prevent Users from Modifying S3 Block Public Access Settings
Configuration Item
Add to Stack
This SCP prevents users or roles in any affected account from modifying the S3 Block Public Access Settings in an Account.

Encryption At-Rest

Enable S3 Bucket Default Encryption to enforce encryption on all objects stored in an S3 bucket. Default encryption can be configured to use server-side encryption with either Amazon S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS Key Management Service (AWS KMS).

S3 Bucket with Server-Side Encryption (AWS KMS)
Configuration Item
Add to Stack
Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning
Automatic Remediation Rule: Enable S3 Bucket Encryption If Not Configured
Configuration Item
Add to Stack
Auto remediation configuration to enable S3 Bucket Encryption if an S3 bucket created without server side encryption. Detection uses a managed AWS Config Rule and remediation is with SSM Automation.

Encryption In-Transit (TLS)

S3 Buckets default to TLS encrypted communication, but the S3 API also supports HTTP connections. It is best practice to use S3 bucket policies to ensure clear-text communication is denied.

Require SSL (encryption in-transit) to access the S3 Bucket
Configuration Item
Add to Stack
An S3 bucket policy that denies any access to the S3 bucket that is not encrypted in-transit (uses HTTP instead of HTTPS).

Access Control

Access to S3 buckets is controlled through a combination of identity-based policies (IAM Policies applied to IAM principals such as users or roles), and resource-based policies (S3 Bucket Policies applied on the S3 buckets). Use S3 bucket policies to ensure only authorized principles are allowed to access the bucket and data:

 

Bucket Policy: Restrict Access to Specific IP Addresses
Configuration Item
Add to Stack
A policy that grants permissions to any user to perform any Amazon S3 operations on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition.
Bucket Policy: Restrict Access to Specific IAM Users or Roles
Configuration Item
Add to Stack
An S3 Bucket policy that grants permissions to specific IAM users or roles to perform any Amazon S3 operations on objects in the specified bucket, and denies all other IAM principals.
Additional Custom S3 Bucket Policy Templates
Collection
A repository of customizable S3 Bucket Policies

VPC Access Control

Use VPC Endpoints to provide private access from VPCs to S3 Buckets directly without having to provide Internet access to the VPC. VPC Endpoints also provide an additional access control mechanism through Endpoint Policies which allow further control on what S3 buckets and actions are allowed through the VPC. 

S3 bucket policies can also be used to restrict access to S3 buckets to specific VPCs or VPC Endpoints only. 

Bucket Policy: Restrict Access to a Specific VPC Endpoint
Configuration Item
Add to Stack
n S3 Bucket policy that denies all access to the bucket if the specified VPC endpoint is not being used to access the S3 bucket.
Bucket Policy: Restrict Access to a Specific VPC
Configuration Item
Add to Stack
An S3 Bucket policy that denies all access to the bucket if the specified VPC is not being used to access the S3 bucket.
Deploy Amazon VPC Endpoints in an existing VPC
Configuration Item
Add to Stack
Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from an VPC to supported AWS services. Both Interface and Gateway endpoints are supported.
Private-Only Amazon VPC Template
Configuration Package
A configuration package to deploy an Amazon VPC with no Internet Connectivty. Connectivity to AWS services can be enabled using VPC Endpoints. Configuration items includes number of Subnets, Routing Tables, Security Groups, and VPC Flow Logs.

Access Logs

S3 Buckets don't provide logging for object-level activity (data-plane logs) such as viewing or downloading files on an S3 bucket. AWS provides two methods for enabling access logging on S3: 

  • Server Access Logs: Configured on the S3 bucket. Logs are stored in a target S3 bucket (can be the same bucket) in the same AWS account. This logging method is free.
  • CloudTrail Data Events: Data events can be configured to capture object-level events on an S3 bucket, multiple S3 buckets or all S3 buckets in an AWS account. Logs can be stored in S3 or forwarded to CloudWatch Logs. CloudTrail pricing applies.
S3 Bucket with Server Access Logs Enabled
Configuration Item
Add to Stack
Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning
Configure S3 Data Event Logging with CloudTrail
Configuration Item
Add to Stack
Configuration to enable AWS CloudTrail in an AWS account for logging S3 Data Events. Data Events for Amazon S3 record object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations)

Monitoring and Compliance

 

In addition to enabling access logs for S3 buckets, it is important to set up a comprehensive monitoring and compliance strategy by configuring the relevant AWS services and setting up alarms and notifications for critical events:

  • AWS CloudTrail logs all API activity in the account including the creation/modification/deletion of S3 buckets or policies.
  • AWS Config tracks configuration changes in an environment and provides a historical view of S3 Buckets throughout their lifetime.
  • AWS Config Rules allows the configuration of compliance rules to ensure resources in the environment are configured properly and securely.
  • CloudWatch Alarms can be used to alert based on CloudTrail activity to alert on important S3 related events.

Use the following packages to enable the required logging services, as well as compliance and monitoring rules for S3:

S3 Events and Compliance Rules
Configuration Package
A configuration package to monitor S3 related API activity as well as configuration compliance rules to ensure the security of Amazon S3 configuration. The package includes Config Rules, CloudWatch Alarms, and CloudWatch Event Rules, and uses SNS to deliver email notifications. The package also includes configuration to enable the required AWS logging services: AWS CloudTrail, Config, and CloudWatch log groups
A Collection of AWS Config Copmliance Rules
Collection
Repository of AWS Config rules examples - both AWS managed and custom Config rules.

Backup and Reslience

Amazon S3 provides several features to protect data against accidental or malicious deletion or corruption:

  • Cross-Region or Same-Region Replication: Enables automatic, asynchronous copying of objects in S3 buckets. The target buckets can be in the same AWS account or a different account. 
  • Object Versioning: Enable versioning on the S3 bucket to keep multiple versions of each object on the S3 bucket.
  • MFA Delete: If enabled on an S3 bucket, only the bucket owner (with MFA authentication) can delete objects or change the versioning state of the bucket. 
  • Object Lock: Enable object lock to prevent an object from being deleted for a fixed amount of time or indefinitely. 
S3 Bucket with Versioning Enabled
Configuration Item
Add to Stack
Configuration to create an S3 bucket with security configuration options including s3 block public access configuration, encryption, logging, and versioning
AWS Documentation: S3 Replication
External: Solution/Guide
Documentation on Cross-Region and Same-Region replication features for S3, how and when to use the features as well as guides for enabling. 
AWS Documentation: How to enable MFA Delete for S3 Buckets
External: Solution/Guide
Details on the MFA Delete feature for S3 and how to enable this feature for S3 buckets.
How to Protect data with Amazon S3 Object Lock
External: Solution/Guide
This blog post provides an overview of Amazon S3 Object Lock which is an Amazon S3 feature that allows you to store objects using a write once, read many (WORM) model. WORM protection is used for scenarios where it is imperative that data is not changed or deleted after it has been written.

Data Classification and DLP

A data classification strategy is required to prevent data loss in an environment. Amazon Macie (as well as 3rd-party partner tools) help with automatically discovering, classifying, and monitoring data on S3 buckets. 

Classify sensitive data in your environment using Amazon Macie
External: Solution/Guide
This blog post shows how to use Amazon Macie to implement data-centric compliance and security analytics for an Amazon S3 environment.
How to create custom alerts with Amazon Macie
External: Solution/Guide
This blog post shows how to use Amazon Macie to create custom alerts for data sets to notify you of events and objects of interest. The post goes through the various types of data Macie can find, and talks about how to identify fields that are relevant to a given security use case.
Data Classification Strategy Guidelines
External: Solution/Guide
Repository of AWS Config rules examples - both AWS managed and custom Config rules.

Other

Serverless Anti-Virus Scanning solution for S3
External: Solution/Guide
An open source serverless solution to scan S3 objcets as they are uploaded using AWS Lambda and ClamAV.
Open Source Tool: s3audit
External: Solution/Guide
A cli tool to check S3 Buckets in an AWS Account for security best practices.