Storage - S3 Security

S3 Security

  • Bucket owner = root account owning the e-mail address.
  • It supports Gateway VPC endpoints to be accessed in VPC without internet access
    • Gateway VPC Endpoint = an endpoint network interface (ENI)
  • Object / Bucket Permissions
    • User permissions: User ID has Read / Write access to Bucket / Object?
    • Public permissions: Public read access to bucket or not
    • System permissions: Grant Amazon S3 Log Delivery group write access to the group
  • MFA Delete
    • MFA (multi factor authentication) forces user to generate a code on device (mobile phone or hardware) before doing important operations on S3.
    • To use MFA-Delete, enable Versioning on the S3 bucket.
    • ๐Ÿ’ก You will need MFA to
      • permanently delete an object version
      • suspend versioning on the bucket
    • ๐Ÿ’ก Give only right users permissions for delete.
    • โ— Only the bucket owner (root account) can enable/disable MFA-delete.
    • โ— MFA-delete currently can only be enabled using the CLI
    • โ— Affects only permanent deletes not delete markers
    • Flow: Create bucket with versioning -> Log-into root account -> Link to MFA Device (IAM -> Security Credentials) -> Generate root access keys -> Connect to CLI -> Set MFADelete=enabled with CLI command
  • S3 Pre-signed URLs
    • ๐Ÿ“ Allows granting access (URL) to one or more users for a certain amount and time and expire it.
      • URL can be used for GET (read) or PUT (upload).
      • Can generate pre-signed URLs using SDK (uploads as itโ€™s harder) or CLI
      • Valid for a default of 3600 seconds, can change timeout with --expires-in <time-by-seconds> argument
    • Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
    • E.g. premium video service for logged in users where they can view & list & upload temporarily.
    • Command: presign <S3URI> --expires-in <time-by-seconds> --region <region-of-object>
      • ๐Ÿ’ก You can run aws configure set default.s3.signature_version s3v4 for making URL to be compatible with KMS encrypted object before signing

Logging and Auditing

  • Logging and Audit
    • CloudTrail
      • Logs bucket-level API calls
      • Logs S3 object-level API activity e.g. GetObject, DeleteObject, and PutObject API operations.
      • Also called CloudTrail Data Events
    • S3 access logs
      • Logs object-level API activity
      • Flow: Go to properties -> Turn on Server Access Logging -> Choose bucket
    • Access logs vs Object-Level CloudTrail logs

      ย  Server Access Logging Object-Level Logging
      Complexity Low High
      Format Loosely-structured, space-delimited text records JSON
      Delivery Timeliness & delivery are not guaranteed API calls within 15 min are a captured and sent within 5 min
      Filtering No filtering Cloud Trail (basic), Cloud Watch (advanced, e.g. regex)
      Integrations S3 S3, CloudTrail, CloudWatch
      Costs S3 S3, CloudTrail, CloudWatch
    • โ— Do not store your own access logs in the same bucket, otherwise; recursion
    • Data can be analyzed using data analysis tools
      • Also Amazon Athena and S3 Select can be used to query access logs
    • You can set prefixes for the logs


  • User based policies
    • IAM policies
    • which API calls should be allowed for specific user from IAM console
    • ๐Ÿ’ก IAM policies instead of S3 bucket policies are in general more operationally efficient.
      • You need to control access to AWS services other than S3
        • Easier to manage everything from IAM instead of spreading
      • You have numerous S3 buckets each with different permissions requirements
        • Easier to manage with a few IAM policies instead of policy per bucket.
  • Resource based policies
    • ๐Ÿ“ Bucket policies
      • Allows cross account
      • JSON based policy (can be generated from Policy Generator)
        • Resources: buckets or objects
        • Actions: Set of API to Allow or Deny
        • Effect: Allow / Deny
        • Principal: The account or user to apply the policy to
      • ๐Ÿ’ก Use-cases
        • ๐Ÿ“Force objects to be encrypted at upload
          1. Save statements in Bucket Policy:
            1. Create bucket policy -> Deny if any principal ( * ) uses action PutObject has condition header x-amz-server-side-encryption EqualsTo null is true.
            2. Create bucket policy -> Deny if any principal ( * ) uses action PutObject has condition header x-amz-server-side-encryption StringNotEquals AES256
          2. Set Default Encryption as Amazon S3 master-key to set the right header when uploading from console.
        • Grant access to another account (Cross Account)
        • Grant public access to the bucket
      • Syntax for including root and its endpoints
        • โ— Careful: In policies if you use arn (amazon resource name) with only / e.g.itโ€™ll not apply policy to all endpoints under it you need to define it as with /*.
          • E.g. arn:awss3::::thebucketname/* instead of arn:awss3::::thebucketname/.
          • URL with /* will not include the root URL, if you need root as well use both / and /*.
    • Object Access Control List (ACL)
      • Access policy option to grant basic read/write permissions to other AWS accounts on object level.
        • E.g. account X can list objects, write objects, read bucket permissions, write bucket permissions
    • Bucket Access Control List (ACL): Less common
    • Glacier
      • Can have:
        • Single resource-based vault access policy
        • Single Vault Lock policy
          • For compliance e.g. can deny users permissions to delete an archive until the archive has existed for one year.
          • ๐Ÿ’ก After the vault is locked it cannot be unlocked


  • Encryption at rest
    • S3 Glacier encrypts your data at rest by default.
    • 4 methods of encrypting objects:
      1. SSE-S3 (Server Side Encryption - S3)
        • Encrypts S3 objects using keys handled & managed by AWS
        • Object is encrypted server side
        • AES-256
          • ๐Ÿ“ You must set header "x-amz-server-side-encryption":"AES256"
        • S3 provides S3 Managed Data Key as encryption key
          • Also called Amazon S3 master-key
        • Works with HTTP + HTTPS
      2. SSE-KMS (Server Side Encryption - Key Management Service)
        • Leverage AWS Key Management Service to manage encryption
        • KMS advantages: user control (over rotation of key) + audit trail (how the key was used)
        • Object is encrypted server side
        • ๐Ÿ“ Must set header "x-amz-server-side-encryption":"aws:kms"
        • KMS generates & uses CMK (Customer Master Key) as encryption key.
          • Also called AWS KMS master-key
          • You can select a key from KMS
        • Works with HTTP + HTTPS
        • ๐Ÿ’ก Maintain control of the rotation policy for the encryption keys, but not know the encryption keys values
      3. SSE-C (Server Side Encryption - Customer)
        • When you want to fully manage your own encryption keys
        • โ— HTTPS must be used (no HTTP)
        • Encryption key must be provided in HTTP headers for every HTTP request made
        • Uses client side data key
        • Amazon does the encryption & throws every key and returns data.
        • ๐Ÿ’ก Recommended over client side encryption if you need to ensure that encryption is always used.
      4. Client Side Encryption
        • Client library such as Amazon S3 Encryption Client makes it easier.
        • Clients encrypt & decrypt data themselves
        • Clients fully manages the keys and the encryption cycle
        • Works with HTTP + HTTPS
    • Responsibilities

      Encryption type Who en/decrypts the data Who stores the secret Who manages the secret
      SSE-KMS (AWS managed CMK) AWS AWS AWS
      SSE-KMS (customer managed CMK) AWS AWS you
      SSE-C AWS you you
      AWS SDK + KMS (AWS managed CMK) you AWS AWS
      AWS SDK + KMS (customer managed KMS) you AWS you
      AWS SDK + self-managed secret you you you
    • SDK
      • AWS SDK supports for Amazon S3 Client-Side Encryption
      • AWS Encryption SDK is an encryption library that is separate from the languageโ€“specific SDKs.
      • Difference between AWS SDK (in language-specific AWS SDKs) vs Encryption SDK
        • Encryption SDK is not tied to Amazon S3 and can be used to encrypt or decrypt data to be stored anywhere.
        • Good for enforcing best practices in organization.
  • Encryption in transit (SSL)
    • ๐Ÿ“Achieved by SSL/TLS
    • S3 exposes HTTP and HTTPS URL, HTTP has encryption in flight.
  • Default Encryption
    • Encryption is per object level, but you might want to enforce encryption of all objects.
    • Old way: Use a bucket policy and refuse any HTTP command without the proper headers
    • New way: Enable Default Encryption setting on S3 by ticking.
      • Bucket policies are evaluated before default encryption
      • You can choose between SSE-S3 (AES-256) or SSE-KMS (AWS-KMS)

Licenses and Attributions

Speak Your Mind