S3 Security: Built-In Security Features and 4 Critical Best Practices

July 17, 2023

What Is Amazon S3 Security? 

Amazon S3 (Simple Storage Service) is a highly scalable and secure object storage service provided by Amazon Web Services. S3 provides developers and businesses with a secure and cost-effective way to store and retrieve data, with unlimited scalability.

S3 security refers to the set of practices and features provided by AWS to secure S3 data from unauthorized access, tampering, and data loss. S3 security includes several layers of protection, including access control, encryption, and monitoring.

This is part of a series of articles about cloud security.

AWS S3 Built-In Security Features 

Amazon S3 Data Protection

Amazon S3 provides a highly durable storage infrastructure that is designed for mission-critical and primary data storage. This infrastructure ensures that objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region, which helps to protect against data loss due to hardware failures or disasters.

To ensure data durability, Amazon S3 creates multiple copies of each object, and can also synchronously store data across multiple cloud data centers. After objects are stored, Amazon S3 maintains their durability by quickly detecting and repairing any lost redundancy.

Amazon S3 standard storage is designed to provide 99.999999999% durability and 99.99% availability of objects over a given year. It is also designed to sustain the concurrent loss of data in two facilities, which helps to protect against data loss due to disasters.

Amazon S3 further protects data using versioning. Versioning allows users to preserve, retrieve, and restore every version of every object that is stored in an Amazon S3 bucket. This means that users can easily recover from both unintended user actions and application failures. By default, requests retrieve the most recently written version. Users can retrieve older versions of an object by specifying a version of the object in a request.

AWS PrivateLink for Amazon S3

AWS PrivateLink for Amazon S3 is a service that enables customers to securely access Amazon S3 over a private network connection, without using the public internet. It can help improve security, reduce data transfer costs, and enhance network performance. 

AWS PrivateLink for Amazon S3 creates a network interface in a virtual private cloud (VPC) that serves as a proxy to Amazon S3. The interface is then connected to a VPC endpoint, which provides a secure and direct connection to Amazon S3 without traversing the internet. This connection is entirely private and is accessible only within the customer’s VPC.

Figure: Security with AWS PrivateLink for S3 (Source: Amazon Web Services)

Amazon S3 Data Encryption

Amazon S3 supports both server-side and client-side encryption for data stored in the service. This encryption helps protect against unauthorized access to data at rest.

Server-side encryption 

This option automatically encrypts data at rest using either AWS-managed keys or customer-managed keys. With server-side encryption, data is encrypted before it is written to disk, and decrypted when it is read. 

AWS-managed keys are managed by Amazon S3, while customer-managed keys are generated and managed by customers using AWS Key Management Service (KMS). With customer-managed keys, customers have full control over their encryption keys, including key rotation and deletion.

Client-side encryption 

This option allows users to encrypt data before uploading it to Amazon S3. The encryption is performed on the client side using a customer-managed encryption key, so the data is encrypted before it leaves the client’s environment and is decrypted by the client after it is downloaded; Amazon S3 never sees the plaintext or the key.

Amazon S3 also provides additional encryption features, such as encryption in transit using SSL/TLS, and support for Amazon S3 Inventory, which provides a report of objects and their encryption status.

Identity and Access Management in Amazon S3

Identity and Access Management (IAM) is a security service provided by AWS that enables customers to manage access to resources in their AWS accounts. Amazon S3 integrates with IAM to provide granular control over who can access data stored in Amazon S3 buckets.

With IAM, customers can create and manage AWS users and groups, and assign permissions to them based on their roles and responsibilities. These permissions can be specified at the bucket level, object level, or both. IAM also supports temporary security credentials, which enable users to access Amazon S3 buckets for a limited time period.

4 Amazon S3 Security Best Practices 

While Amazon provides robust security features for S3, customer organizations are responsible for configuring their S3 buckets securely. In addition, many organizations will need additional security measures beyond the native capabilities provided by AWS. In many cases, this will take the form of Cloud Security Posture Management (CSPM), described below.

1. Disable Access Control Lists (ACLs)

ACLs are a legacy method of controlling access to buckets and objects in Amazon S3. They allow customers to grant permissions to individual AWS accounts or to public access for individual objects or buckets. However, managing ACLs can be complex, and it can be difficult to determine which accounts have access to buckets and objects.

Additionally, ACLs can introduce security risks because they are not as flexible or powerful as other access control methods in Amazon S3. For example, it can be challenging to implement fine-grained permissions for specific buckets and objects using ACLs. This can lead to potential security vulnerabilities, such as granting excessive permissions to users or applications.

Therefore, it is recommended to disable ACLs and use bucket policies and IAM policies to control access to Amazon S3 buckets and objects. Bucket policies and IAM policies are more powerful and flexible than ACLs, and they can provide fine-grained control over access to resources. They are also easier to manage and can be more secure than ACLs.

2. Implement Least Privilege Access

Implementing the principle of least privilege access involves granting users and applications only the minimum permissions required to perform their tasks. By granting the minimum necessary permissions, organizations can reduce the risk of data breaches and ensure that data is only accessible to authorized users.

In Amazon S3, the principle of least privilege access can be implemented by using AWS IAM policies to control access to buckets and objects. IAM policies are JSON documents that define permissions for AWS resources, including Amazon S3 buckets and objects.

For example, policies can be used to grant read-only access to specific objects, or to grant write access to a specific bucket. IAM policies can also be used to specify conditions for access, such as restricting access to specific IP addresses or requiring multi-factor authentication for certain operations.

3. Consider VPC Endpoints for Amazon S3 Access 

A VPC endpoint for Amazon S3 is a logical entity within a VPC that allows connectivity only to Amazon S3. It provides a secure and private way to access Amazon S3 buckets and objects from within a VPC, without traversing the public internet, so the traffic is never exposed to the open internet.

When a VPC endpoint for Amazon S3 is created, a private IP address is assigned to the endpoint. This private IP address can then be used to connect to Amazon S3 securely from within the VPC. The connection is entirely private and is accessible only within the customer’s VPC. VPC endpoints can also help prevent data exfiltration by using a VPC that does not have an internet gateway.

VPC endpoints provide multiple ways to control access to Amazon S3 data. Customers can control the requests, users, or groups that are allowed through a specific VPC endpoint. Additionally, they can control which VPCs or VPC endpoints have access to their S3 buckets by using S3 bucket policies, which provide fine-grained control over who can access data in a bucket.
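The three controls described above (a least-privilege identity policy with IP and MFA conditions, a bucket policy that requires server-side encryption on uploads, and a bucket policy that only admits requests arriving through a specific VPC endpoint) all rest on the same IAM evaluation rule: an explicit Deny in any matching statement wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. The following added example, which is not AWS code or code from the article, implements that rule over two sample policy documents so the effect of each condition can be exercised offline. The bucket name, the VPC endpoint id and the corporate IP range are constructed placeholders; only the condition operators the sample policies use are implemented.

```python
"""Minimal evaluator for S3 access decisions (added example, not AWS code).

Applies the IAM decision rule: an explicit Deny in any matching statement
wins, otherwise a matching Allow grants access, otherwise the request is
implicitly denied. Only the condition operators used by the sample policies
are implemented; the bucket name, endpoint id and IP range are constructed.
"""
from fnmatch import fnmatch
import ipaddress

BUCKET = "example-reports-bucket"        # constructed placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"       # constructed placeholder endpoint id
ARN_BUCKET = f"arn:aws:s3:::{BUCKET}"
ARN_REPORTS = f"arn:aws:s3:::{BUCKET}/reports/*"

# Identity policy (least privilege): the role may list the bucket, read and
# write objects under reports/, and delete them only from an MFA-authenticated
# session originating in the (constructed) corporate range 203.0.113.0/24.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ARN_BUCKET},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ARN_REPORTS},
        {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": ARN_REPORTS,
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Bucket policy: refuse any request that did not arrive through the S3 VPC
# endpoint, and refuse uploads that do not request SSE-KMS encryption.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [ARN_BUCKET, f"{ARN_BUCKET}/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{ARN_BUCKET}/*",
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Evaluate one condition entry against the request context."""
    actual = context.get(key)
    expected = [str(v) for v in _as_list(expected)]
    negated = operator.startswith("StringNot") or operator.startswith("NotIp")
    if actual is None:
        # IAM behaviour: a missing context key fails positive operators and
        # satisfies negated ones (which is why the SSE deny above catches
        # uploads that omit the encryption header entirely).
        return negated
    actual = str(actual)
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e)
                  for e in expected)
    elif operator == "Bool":
        hit = actual.lower() in [e.lower() for e in expected]
    else:
        raise ValueError(f"unsupported condition operator {operator}")
    return not hit if negated else hit


def _statement_matches(stmt, action, resource, context):
    """True when action, resource and every condition of the statement match."""
    if not any(fnmatch(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, key, exp, context)
               for op, entries in stmt.get("Condition", {}).items()
               for key, exp in entries.items())


def evaluate(action, resource, context, policies=(IDENTITY_POLICY, BUCKET_POLICY)):
    """Return 'Allow' or 'Deny' for a same-account request against all policies."""
    decision = "Deny"  # implicit deny until an Allow matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny always wins
                decision = "Allow"
    return decision


if __name__ == "__main__":
    key = f"{ARN_BUCKET}/reports/q1.csv"
    print("via endpoint:", evaluate("s3:GetObject", key, {"aws:SourceVpce": VPCE_ID}))
    print("from internet:", evaluate("s3:GetObject", key, {}))
```

The request context dictionary stands in for the keys AWS populates on a real request (`aws:SourceVpce`, `aws:SourceIp`, `aws:MultiFactorAuthPresent`, `s3:x-amz-server-side-encryption`). Note that the endpoint deny is written as a Deny with `StringNotEquals` rather than an Allow with `StringEquals`: the Allow form would still let other identity policies grant access from outside the endpoint, whereas the Deny form cannot be overridden.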

4. Use Cloud Security Posture Management (CSPM) 

Cloud Security Posture Management (CSPM) is an approach to cloud security that focuses on identifying and addressing misconfigurations and other security issues in cloud infrastructure. CSPM solutions help organizations to monitor their cloud environments for potential misconfigurations, security risks, and other issues that could put their data at risk.

One of the key areas where CSPM can be particularly useful is in preventing S3 misconfigurations. S3 buckets are frequently used to store sensitive data in the cloud, and misconfigurations can potentially expose this data to unauthorized access or loss. CSPM solutions can help organizations to identify and prevent S3 misconfigurations by providing the following capabilities:

  • Automated discovery and inventory of S3 buckets: CSPM solutions can automatically discover and inventory S3 buckets in an organization’s cloud environment. This can help organizations to get a complete view of their S3 usage and identify any buckets that may have been created without proper controls in place.
  • Continuous monitoring for misconfigurations: CSPM solutions can monitor S3 buckets on an ongoing basis to detect any misconfigurations that may put data at risk. This can include checks for public access, unencrypted data, and other security risks.
  • Policy enforcement: CSPM solutions can help enforce security policies related to S3 usage. For example, policies can be put in place to prevent public access to S3 buckets, require encryption of data in transit and at rest, and control who can manage S3 buckets.
  • Remediation: When misconfigurations are detected, CSPM solutions can provide guidance on how to remediate them. This can include step-by-step instructions on how to update bucket policies, change access controls, and enable encryption.
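The continuous-monitoring checks listed above (public access, unencrypted data, ACLs still in use) are rules over a bucket's configuration. The following added example, which is not code from the article or from any CSPM product, expresses five such rules in Python and runs them over a constructed inventory of two buckets. The bucket descriptions are built inline and mirror the field names returned by the S3 GetBucketOwnershipControls, GetPublicAccessBlock, GetBucketPolicy, GetBucketEncryption and GetBucketVersioning APIs; a real tool would fetch them through the AWS API instead. Disabling ACLs, as best practice 1 recommends, corresponds to the `BucketOwnerEnforced` object ownership setting, which is what the first rule checks.

```python
"""Offline S3 posture checks in the style of a CSPM rule set (added example).

check_bucket() takes one bucket description and returns a list of finding
strings. The descriptions in SAMPLE_BUCKETS are constructed to mirror the
shape of the S3 GetBucket* API responses; in a real tool they would be
fetched via the AWS API rather than embedded.
"""

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_public_principal(principal):
    """True when a statement's Principal grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def check_bucket(bucket):
    """Return CSPM-style findings for one bucket description."""
    name = bucket["Name"]
    findings = []

    # Rule 1: ACLs disabled. Only BucketOwnerEnforced makes S3 ignore ACLs.
    ownership = bucket.get("ObjectOwnership")
    if ownership != "BucketOwnerEnforced":
        findings.append(f"{name}: ACLs still enabled (ObjectOwnership={ownership})")

    # Rule 2: all four Block Public Access settings switched on.
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    off = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag, False)]
    if off:
        findings.append(f"{name}: Block Public Access incomplete ({', '.join(off)})")

    # Rule 3: no unconditional Allow to Principal "*" in the bucket policy.
    for stmt in bucket.get("Policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"{name}: policy grants {stmt.get('Action')} to everyone")

    # Rule 4: default server-side encryption configured.
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append(f"{name}: no default server-side encryption")

    # Rule 5: versioning enabled, so deletes and overwrites are recoverable.
    if bucket.get("Versioning", {}).get("Status") != "Enabled":
        findings.append(f"{name}: versioning not enabled")

    return findings


def audit(buckets):
    """Run every rule over an inventory; returns {bucket name: findings}."""
    return {b["Name"]: check_bucket(b) for b in buckets}


# Constructed sample inventory: one hardened bucket and one legacy bucket.
SAMPLE_BUCKETS = [
    {
        "Name": "example-hardened-bucket",
        "ObjectOwnership": "BucketOwnerEnforced",
        "PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS},
        "Policy": {"Version": "2012-10-17", "Statement": []},
        "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "Versioning": {"Status": "Enabled"},
    },
    {
        "Name": "example-legacy-bucket",
        "ObjectOwnership": "ObjectWriter",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True},
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-legacy-bucket/*"}]},
        "ServerSideEncryptionConfiguration": {"Rules": []},
        "Versioning": {"Status": "Suspended"},
    },
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, "OK" if not findings else f"{len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Each finding names the misconfigured setting, which is the starting point for the remediation guidance the last bullet describes. Rule 3 deliberately treats a public principal with a Condition block as non-public; in practice such statements still deserve review, since a weak condition can leave the bucket effectively public.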

Cloud Native Security with Aqua

The Aqua Cloud Native Security Platform empowers you to unleash the full potential of your cloud native transformation and accelerate innovation with the confidence that your cloud native applications are secured from start to finish, at any scale.

Aqua’s platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads across VMs, containers, and serverless functions wherever they are deployed, on any cloud.

Secure the cloud native build – shift left security to nip threats and vulnerabilities in the bud, empowering DevOps to detect issues early and fix them fast. Aqua scans artifacts for vulnerabilities, malware, secrets and other risks during development and staging. It allows you to set flexible, dynamic policies to control deployment into your runtime environments.

Secure cloud native infrastructure – Automate compliance and security posture of your public cloud IaaS and Kubernetes infrastructure according to best practices. Aqua checks your cloud services, Infrastructure-as-Code templates, and Kubernetes setup against best practices and standards, to ensure the infrastructure you run your applications on is securely configured and in compliance. 

Secure cloud native workloads – protect VM, container and serverless workloads using granular controls that provide real-time detection and granular response, blocking only the specific processes that violate policy. Aqua leverages modern micro-services concepts to enforce immutability of your applications in runtime, establish zero-trust networking, and detect and stop suspicious activities, including zero-day attacks.

Secure hybrid cloud infrastructure – apply cloud native security over hybrid-cloud and multi-cloud deployments, with persistent controls that follow your workloads wherever they run.