S3 Security Fundamentals: Protecting Your Data in the Cloud
Securing your data stored in Amazon S3 is paramount. AWS provides a comprehensive set of security features to ensure confidentiality, integrity, and availability.
Ryan McBride

Encryption

Amazon S3 offers various Server-Side Encryption (SSE) options to protect data at rest:

  • SSE-S3 (the default): S3 creates and manages the encryption keys for you.
  • SSE-KMS: Leverages AWS Key Management Service (KMS) to manage encryption keys.
  • SSE-C: Allows you to provide your own encryption keys for S3 to use while writing to disk. You manage the keys.
  • DSSE-KMS: Dual-layer Server-Side Encryption with KMS (nice-to-know).

You can also implement Client-Side Encryption, where you encrypt data before uploading it to S3.

When using SSE-KMS, be aware of KMS request quotas: every object upload and download makes a call to KMS, so heavy S3 traffic can hit those limits. You can request a quota increase using the Service Quotas Console. The default AWS-managed KMS key for S3 encryption is free, while using a custom KMS key will incur a cost.

CORS (Cross-Origin Resource Sharing)

CORS allows web applications running under one origin to access resources from a different origin.

Origin = scheme (protocol) + host (domain) + port

  • Example: https://www.example.com (implied port 443 for HTTPS)
  • Example: http://www.example.com (implied port 80 for HTTP)

Requests from one origin to another will not be fulfilled unless the receiving origin explicitly allows the request using CORS Headers (e.g., Access-Control-Allow-Origin).

  • If a client makes a cross-origin request to our S3 bucket, we need to enable the correct CORS headers on the bucket to permit the request.

MFA Delete (Multi-Factor Authentication Delete)

MFA Delete adds an extra layer of security to protect against accidental or malicious deletion of objects in your S3 buckets.

  • Versioning must be ENABLED on the bucket to use MFA Delete.
  • Only the bucket owner (root account) can enable or disable MFA Delete.

Access Logs

S3 Access Logs provide an audit trail by logging all access requests made to your S3 buckets.

  • The logging bucket must be in the same AWS region as the bucket being monitored.
  • Do NOT set the logging bucket to be the same as the monitored bucket. This can create a logging loop, leading to exponential growth in logs and increased costs.

Pre-Signed URLs

Pre-Signed URLs provide temporary access to your S3 objects, allowing users to upload or download files without needing AWS security credentials directly.

S3 Object Lock

S3 Object Lock helps you store objects using a WORM (Write Once Read Many) model, preventing objects from being deleted or overwritten for a specified period.

  • Versioning must be enabled on the bucket to use Object Lock.
  • Allows you to block object version deletion for a specified amount of time.

Retention Modes:

  • Compliance:
    • Object versions cannot be overwritten or deleted by any user, including the root user.
    • Object retention modes cannot be changed, and retention periods cannot be shortened.
  • Governance:
    • Most users cannot overwrite or delete an object version or alter its lock settings.
    • Some users with special permissions can change the retention or delete the object.

Retention Period: Protects the object for a fixed duration, which can be extended.

Legal Hold:

  • Protects the object indefinitely, independent of any retention period.
  • Can be placed and removed at any time by any principal holding the s3:PutObjectLegalHold IAM permission.
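The prerequisites and constraints from the MFA Delete, Access Logs and Object Lock sections above, encoded as offline checks. This is an added example, not code from the article or from AWS; the bucket and lock descriptions are constructed dicts shaped loosely like S3 API responses, and the "special permissions" of Governance mode are modelled as a single assumed flag.

```python
# Added example (not from the article): offline checks for the S3 rules
# described above. Constructed dicts stand in for S3 API responses; nothing
# here calls AWS.

def check_bucket(cfg: dict) -> list:
    """Return findings for one bucket description (assumed dict shape).

    Keys: name, region, versioning ("Enabled" | "Suspended" | None),
    mfa_delete (bool), object_lock (bool),
    logging ({"target_bucket": str, "target_region": str} or None).
    """
    findings = []
    versioned = cfg.get("versioning") == "Enabled"
    # Both MFA Delete and Object Lock require versioning on the bucket.
    if cfg.get("mfa_delete") and not versioned:
        findings.append("MFA Delete requires versioning to be Enabled")
    if cfg.get("object_lock") and not versioned:
        findings.append("Object Lock requires versioning to be Enabled")
    log = cfg.get("logging")
    if log:
        # Logging into the monitored bucket itself creates a logging loop.
        if log["target_bucket"] == cfg["name"]:
            findings.append("logging target must not be the monitored bucket")
        # The logging bucket must be in the same region as the source.
        if log["target_region"] != cfg["region"]:
            findings.append("logging bucket must be in the same region")
    return findings


def retention_change_allowed(lock: dict, new_mode: str, new_days: int,
                             bypass_governance: bool = False) -> bool:
    """Simplified model of the retention-mode rules above.

    lock = {"mode": "COMPLIANCE" | "GOVERNANCE", "days": int}.
    bypass_governance stands for the 'special permissions' the article
    mentions for Governance mode (assumption: modelled as one flag).
    """
    extends = new_mode == lock["mode"] and new_days >= lock["days"]
    if lock["mode"] == "COMPLIANCE":
        # Nobody, root included, may change the mode or shorten the period.
        return extends
    if lock["mode"] == "GOVERNANCE":
        # Anyone may extend; any other change needs the special permission.
        return extends or bypass_governance
    raise ValueError("unknown retention mode: %r" % lock["mode"])


if __name__ == "__main__":
    demo = {"name": "app-data", "region": "us-east-1", "versioning": None,
            "mfa_delete": True, "object_lock": False,
            "logging": {"target_bucket": "app-data", "target_region": "us-east-1"}}
    print(check_bucket(demo))
```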

S3 Access Points

Access Points simplify security management for S3 Buckets by creating named network endpoints with specific access policies.

Each Access Point has:

  • Its own DNS name (Internet Origin or VPC Origin).
  • An access point policy (similar to a bucket policy) to manage security at scale.