Related Books
Guide to Prompt Engineering

Guide to Prompt Engineering
Introduction to C Programming Language

Introduction to C Programming Language
TypeScript for Java Developers by CodeAhoy

TypeScript for Java Developers by CodeAhoy
Ruby for Beginners

Ruby for Beginners
The Little ASP.NET Core Book

The Little ASP.NET Core Book

View all

Storage - S3 Security

In this chapter

S3 Security

  • Bucket owner = root account owning the e-mail address.
  • It supports Gateway VPC endpoints to be accessed in VPC without internet access
    • Gateway VPC Endpoint = an endpoint network interface (ENI)
  • Object / Bucket Permissions
    • User permissions: User ID has Read / Write access to Bucket / Object?
    • Public permissions: Public read access to bucket or not
    • System permissions: Grant Amazon S3 Log Delivery group write access to the group
  • MFA Delete
    • MFA (multi factor authentication) forces user to generate a code on device (mobile phone or hardware) before doing important operations on S3.
    • To use MFA-Delete, enable Versioning on the S3 bucket.
    • 💡 You will need MFA to
      • permanently delete an object version
      • suspend versioning on the bucket
    • 💡 Give only right users permissions for delete.
    • ❗ Only the bucket owner (root account) can enable/disable MFA-delete.
    • ❗ MFA-delete currently can only be enabled using the CLI
    • ❗ Affects only permanent deletes not delete markers
    • Flow: Create bucket with versioning -> Log-into root account -> Link to MFA Device (IAM -> Security Credentials) -> Generate root access keys -> Connect to CLI -> Set MFADelete=enabled with CLI command
  • S3 Pre-signed URLs
    • 📝 Allows granting access (URL) to one or more users for a certain amount and time and expire it.
      • URL can be used for GET (read) or PUT (upload).
      • Can generate pre-signed URLs using SDK (uploads as it’s harder) or CLI
      • Valid for a default of 3600 seconds, can change timeout with --expires-in <time-by-seconds> argument
    • Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
    • E.g. premium video service for logged in users where they can view & list & upload temporarily.
    • Command: presign <S3URI> --expires-in <time-by-seconds> --region <region-of-object>
      • 💡 You can run aws configure set default.s3.signature_version s3v4 for making URL to be compatible with KMS encrypted object before signing

Logging and Auditing

  • Logging and Audit
    • CloudTrail
      • Logs bucket-level API calls
      • Logs S3 object-level API activity e.g. GetObject, DeleteObject, and PutObject API operations.
      • Also called CloudTrail Data Events
    • S3 access logs
      • Logs object-level API activity
      • Flow: Go to properties -> Turn on Server Access Logging -> Choose bucket

    • Access logs vs Object-Level CloudTrail logs

        Server Access Logging Object-Level Logging
      Complexity Low High
      Format Loosely-structured, space-delimited text records JSON
      Delivery Timeliness & delivery are not guaranteed API calls within 15 min are a captured and sent within 5 min
      Filtering No filtering Cloud Trail (basic), Cloud Watch (advanced, e.g. regex)
      Integrations S3 S3, CloudTrail, CloudWatch
      Costs S3 S3, CloudTrail, CloudWatch
    • ❗ Do not store your own access logs in the same bucket, otherwise; recursion
    • Data can be analyzed using data analysis tools
      • Also Amazon Athena and S3 Select can be used to query access logs
    • You can set prefixes for the logs

Policies

  • User based policies
    • IAM policies
    • which API calls should be allowed for specific user from IAM console
    • 💡 IAM policies instead of S3 bucket policies are in general more operationally efficient.
      • You need to control access to AWS services other than S3
        • Easier to manage everything from IAM instead of spreading
      • You have numerous S3 buckets each with different permissions requirements
        • Easier to manage with a few IAM policies instead of policy per bucket.
  • Resource based policies
    • 📝 Bucket policies
      • Allows cross account
      • JSON based policy (can be generated from Policy Generator)
        • Resources: buckets or objects
        • Actions: Set of API to Allow or Deny
        • Effect: Allow / Deny
        • Principal: The account or user to apply the policy to
      • 💡 Use-cases
        • 📝Force objects to be encrypted at upload
          1. Save statements in Bucket Policy:
            1. Create bucket policy -> Deny if any principal ( * ) uses action PutObject has condition header x-amz-server-side-encryption EqualsTo null is true.
            2. Create bucket policy -> Deny if any principal ( * ) uses action PutObject has condition header x-amz-server-side-encryption StringNotEquals AES256
          2. Set Default Encryption as Amazon S3 master-key to set the right header when uploading from console.
        • Grant access to another account (Cross Account)
        • Grant public access to the bucket
      • Syntax for including root and its endpoints
        • ❗ Careful: In policies if you use arn (amazon resource name) with only / e.g.it’ll not apply policy to all endpoints under it you need to define it as with /*.
          • E.g. arn:awss3::::thebucketname/* instead of arn:awss3::::thebucketname/.
          • URL with /* will not include the root URL, if you need root as well use both / and /*.
    • Object Access Control List (ACL)
      • Access policy option to grant basic read/write permissions to other AWS accounts on object level.
        • E.g. account X can list objects, write objects, read bucket permissions, write bucket permissions
    • Bucket Access Control List (ACL): Less common
    • Glacier
      • Can have:
        • Single resource-based vault access policy
        • Single Vault Lock policy
          • For compliance e.g. can deny users permissions to delete an archive until the archive has existed for one year.
          • 💡 After the vault is locked it cannot be unlocked

Encryption

  • Encryption at rest
    • S3 Glacier encrypts your data at rest by default.
    • 4 methods of encrypting objects:
      1. SSE-S3 (Server Side Encryption - S3)
        • Encrypts S3 objects using keys handled & managed by AWS
        • Object is encrypted server side
        • AES-256
          • 📝 You must set header "x-amz-server-side-encryption":"AES256"
        • S3 provides S3 Managed Data Key as encryption key
          • Also called Amazon S3 master-key
        • Works with HTTP + HTTPS
      2. SSE-KMS (Server Side Encryption - Key Management Service)
        • Leverage AWS Key Management Service to manage encryption
        • KMS advantages: user control (over rotation of key) + audit trail (how the key was used)
        • Object is encrypted server side
        • 📝 Must set header "x-amz-server-side-encryption":"aws:kms"
        • KMS generates & uses CMK (Customer Master Key) as encryption key.
          • Also called AWS KMS master-key
          • You can select a key from KMS
        • Works with HTTP + HTTPS
        • 💡 Maintain control of the rotation policy for the encryption keys, but not know the encryption keys values
      3. SSE-C (Server Side Encryption - Customer)
        • When you want to fully manage your own encryption keys
        • ❗ HTTPS must be used (no HTTP)
        • Encryption key must be provided in HTTP headers for every HTTP request made
        • Uses client side data key
        • Amazon does the encryption & throws every key and returns data.
        • 💡 Recommended over client side encryption if you need to ensure that encryption is always used.
      4. Client Side Encryption
        • Client library such as Amazon S3 Encryption Client makes it easier.
        • Clients encrypt & decrypt data themselves
        • Clients fully manages the keys and the encryption cycle
        • Works with HTTP + HTTPS

    • Responsibilities

      Encryption type Who en/decrypts the data Who stores the secret Who manages the secret
      SSE-S3 AWS AWS AWS
      SSE-KMS (AWS managed CMK) AWS AWS AWS
      SSE-KMS (customer managed CMK) AWS AWS you
      SSE-C AWS you you
      AWS SDK + KMS (AWS managed CMK) you AWS AWS
      AWS SDK + KMS (customer managed KMS) you AWS you
      AWS SDK + self-managed secret you you you
    • SDK
      • AWS SDK supports for Amazon S3 Client-Side Encryption
      • AWS Encryption SDK is an encryption library that is separate from the language–specific SDKs.
      • Difference between AWS SDK (in language-specific AWS SDKs) vs Encryption SDK
        • Encryption SDK is not tied to Amazon S3 and can be used to encrypt or decrypt data to be stored anywhere.
        • Good for enforcing best practices in organization.
  • Encryption in transit (SSL)
    • 📝Achieved by SSL/TLS
    • S3 exposes HTTP and HTTPS URL, HTTP has encryption in flight.
  • Default Encryption
    • Encryption is per object level, but you might want to enforce encryption of all objects.
    • Old way: Use a bucket policy and refuse any HTTP command without the proper headers
    • New way: Enable Default Encryption setting on S3 by ticking.
      • Bucket policies are evaluated before default encryption
      • You can choose between SSE-S3 (AES-256) or SSE-KMS (AWS-KMS)

Licenses and Attributions

Speak Your Mind

-->