Simple Storage Service (S3)

Authentication and authorisation

AWS controls access to S3 buckets using ACLs. Access can be controlled at the entire bucket level (along with all objects inside this bucket) and on a specific object level (for example, let’s suppose you would like to share a specific file with several of your colleagues).

The effective permissions of an S3 bucket are the sum of SCPs with identity permissions (IAM policies), total resource permissions (bucket policies), and an AWS KMS policy (such as allowing access to an encrypted object), assuming the user was not denied in any of the previous criteria.

• Identity and access management in Amazon S3

• IAM policies, bucket policies, and ACLs

• How IAM roles differ from resource-based policies

• Amazon S3 Preventative Security Best Practices

• Setting default server-side encryption behaviour for Amazon S3 buckets

• Consider encryption of data at rest

Best practices

• Create an IAM group, add users to the IAM group, and grant the required permissions on the target S3 bucket to the target IAM group.

• Use IAM roles for services (such as applications or non-human identities) that require access to S3 buckets.

• Restrict access for IAM users/groups to a specific S3 bucket, rather than using wildcard permissions for all S3 buckets in the AWS account.

• Remove default bucket owner access permissions to S3 buckets.

• Use IAM policies for applications (or non-human identities)/service-linked roles that need access to S3 buckets.

• Enable MFA delete for S3 buckets to avoid the accidental deletion of objects from a bucket.

• Grant minimal permissions to S3 buckets (that is, a specific identity on a specific resource with specific conditions).

• Use the bucket ACL’s write permissions for the Amazon S3 log delivery group to allow this group the ability to write access logs (for further analysis).

• For data that you need to retain for long periods (due to regulatory requirements), use the S3 object lock to protect the data from accidental deletion.

• Encrypt data at rest using Amazon S3-Managed Encryption Keys (SSE-S3).

• For sensitive environments, encrypt data at rest using Customer-Provided Encryption Keys (SSE-C).

Network access

Amazon S3 is a managed service, and located outside the customer’s Virtual Private Cloud (VPC). It is important to protect access to the Amazon S3 service.

• Internetwork traffic privacy

• AWS PrivateLink for Amazon S3

• Protecting data using encryption

• Setting default server-side encryption behaviour for Amazon S3 buckets

• Consider encryption of data at rest

• Enforce encryption of data in transit

• Using S3 Object Lock

• Using presigned URLs

Best practices

• Unless there is a business requirement to share data publicly (such as static web hosting), keep all Amazon S3 buckets (all tiers) private.

• To secure access from your VPC to the Amazon S3, use AWS PrivateLink. This keeps traffic internally inside the AWS backbone, through a secure channel, using the interface’s VPC endpoint.

• For sensitive environments, use bucket policies to enforce access to an S3 bucket from a specific VPC endpoint or a specific VPC.

• Use bucket policies to enforce the use of transport encryption (HTTPS only).

• For sensitive environments, use bucket policies to require TLS version 1.2 as the minimum.

• Encrypt data at rest using SSE-S3.

• For sensitive environments, encrypt data at rest using SSE-C.

• Consider using presigned URLs for scenarios where you need to allow external user access (with specific permissions, such as file download) to an S3 bucket for a short period, without the need to create an IAM user.

Auditing and monitoring

AWS allows you to enable logging and auditing using Amazon CloudWatch and AWS CloudTrail.

• Logging Amazon S3 API calls using AWS CloudTrail

• Logging requests using server access logging

• Amazon S3 Monitoring and Auditing Best Practices

• Reviewing bucket access using Access Analyzer for S3

• Amazon S3 inventory

Best practices

• Enable Amazon CloudWatch alarms for excessive S3 usage (for example, a high volume of GET, PUT, or DELETE operations on a specific S3 bucket).

• Enable AWS CloudTrail for any S3 bucket to log any activity performed on Amazon S3 by any user, role, or AWS service.

• Limit access to the CloudTrail logs to a minimum number of employees, preferably those with an AWS management account.

• Enable S3 server access logs to record all access activities as complimentary to AWS CloudTrail API-based logging (for the purpose of future forensics).

• Use Access Analyzer for S3 to locate S3 buckets with public access or S3 buckets that have access from external AWS accounts.

• Enable file integrity monitoring to make sure files have not been changed.

• Enable object versioning to avoid accidental deletion (and to protect against ransomware).

• Use Amazon S3 inventory to monitor the status of S3 bucket replication (such as encryption on both the source and destination buckets).