Skin
Layout Boxed
Direction

S3 Security and Data Protection Overview

Submitted by heartin on Sat, 12/09/2017 - 12:08

Amazon S3 is designed to be secure by default: All newly created buckets are private by default. Only the bucket and object owners originally have access to Amazon S3 resources they create. 

 

Access Control to S3 Resources

Access control to your bucket can be setup using:

  1. IAM Policies

    1. Can grant IAM users fine-grained control to their Amazon S3 bucket or objects while also retaining full control over everything the users do

  2. Bucket policies

    1. Can define rules for all requests to their S3 resources, such as granting write privileges to a subset of S3 resources. 

    2. Can also restrict access based on an aspect of the request, such as HTTP referrer and IP address.  

  3. Access control lists

    1. Can grant specific permissions (i.e. READ, WRITE, FULL_CONTROL) to specific users for an individual bucket or object.

  4. Query string authentication

    1. Can create a URL to an Amazon S3 object which is only valid for a limited time. 

 

S3 Data Protection Features

S3 provides following features for data protection:

  1. Amazon S3 is designed to sustain the concurrent loss of data in two facilities.

  2. When processing a request to store data, the service will redundantly store your object across multiple facilities before returning SUCCESS.

  3. Amazon S3 also regularly verifies the integrity of your data using checksums and repairs any corruption using redundant data. S3 uses a combination of Content-MD5 checksums and cyclic redundancy checks (CRCs).

  4. Once you enable Versioning for a bucket, Amazon S3 preserves existing objects anytime you perform a PUT, POST, COPY, or DELETE operation on them. 

    1. Only the owner of an Amazon S3 bucket can permanently delete a version.

    2. Versioning’s MFA Delete capability, which uses multi-factor authentication, can be used to provide an additional layer of security.

 

Additional Notes - Security

  1. S3 buckets can be configured to log access logs for data access auditing. This can be done to another bucket as well.

  2. Bucket policies can allow, mandate or forbid encryption at bucket or object level.

  3. You can limit access to your bucket from a specific Amazon VPC Endpoint or a set of endpoints using Amazon S3 bucket policies. S3 bucket policies now support a condition, aws:sourceVpce, that you can use to restrict access. 

    1. Note: An Amazon VPC Endpoint for Amazon S3 is a logical entity within a VPC that allows connectivity only to S3. The VPC Endpoint routes requests to S3 and routes responses back to the VPC. 

Tags: 

AWS Security & IAM
S3 Features Overview

References: 

https://aws.amazon.com/s3/faqs/

Comments

sireesha A's picture

Submitted by sireesha A on Mon, 07/06/2020 - 17:05

Good, what is Forbid Encryption?

Partners and Platforms

Learn Serverless from Serverless Programming Cookbook

Contact

Please first use the contact form or facebook page messaging to connect.

Offline Contact
We currently connect locally for discussions and sessions at Bangalore, India. Please follow us on our facebook page for details.
WhatsApp (Primary): (+91) 7411174113
Phone (Escalations): (+91) 7411174114

Business newsletter

Complete the form below, and we'll send you an e-mail every now and again with all the latest news.

About

CloudMaterials is my blog to share notes and learning materials on Cloud and Data Analytics. My current focus is on Microsoft Azure and Amazon Web Services (AWS).

I like to write and I try to document what I learn to share with others. I believe that knowledge is useless unless you share it; the more you share, the more you learn.

Partner Sites

Recent comments

Photo Stream