S3 Security
User Based
- IAM Policies – which API calls are allowed for a specific IAM user
Resource Based (can grant cross-account access)
- Bucket Policies – bucket-wide rules, set from the S3 console. Can allow cross-account and public access.
- Object Access Control List (ACL)
- Bucket Access Control List
An IAM principal can access an S3 object if:
- the user's IAM permissions allow it OR the resource policy allows it
- AND there is no explicit deny
Bucket Policies
- grant access to bucket
- force objects to be encrypted at upload
- grant access to another account
The bucket's Block Public Access setting overrides policies to prevent data leaks (can also be set at account level).
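The evaluation rule above (identity policy OR bucket policy, AND no explicit deny) and the two bucket-policy use cases (force encryption at upload, grant access to another account) can be exercised together with a small simulator. This is an added example, not AWS's evaluation engine: it handles only Allow/Deny statements with the StringEquals and Null condition operators, ignores ACLs, SCPs and Block Public Access, and the bucket name, account ids and user names are constructed. It goes one step beyond the notes by modelling the cross-account case, where the other account's identity policy must allow the call as well.

```python
"""Simplified S3 access evaluation (added example, not AWS code)."""
from fnmatch import fnmatchcase

# Constructed sample identities and resources
OWNER_ACCOUNT = "111111111111"
ALICE = "arn:aws:iam::111111111111:user/alice"   # same account as the bucket
BOB = "arn:aws:iam::222222222222:user/bob"       # another account
BUCKET = "arn:aws:s3:::example-bucket"
OBJ = BUCKET + "/report.csv"

NO_POLICY = {"Version": "2012-10-17", "Statement": []}
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"}]}
BOB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {   # grant read access to another account
        "Sid": "CrossAccountRead", "Effect": "Allow", "Principal": {"AWS": BOB},
        "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {   # force objects to be encrypted at upload: deny PutObject without the SSE header
        "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": BUCKET + "/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs for our purposes
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _account_of(arn):
    # arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws) or principal_arn in _as_list(aws)


def _conditions_met(condition, ctx):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "Null":  # "true" means: matches when the key is absent
                want_missing = str(expected).lower() == "true"
                if (actual is None) != want_missing:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(identity_policy, bucket_policy, bucket_owner, principal_arn, action, resource, ctx=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    ctx = ctx or {}
    identity_allow = resource_allow = False
    for policy, is_resource in ((identity_policy, False), (bucket_policy, True)):
        for stmt in policy.get("Statement", []):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if is_resource and not _principal_matches(stmt, principal_arn):
                continue
            if not _conditions_met(stmt.get("Condition"), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny always wins
            if is_resource:
                resource_allow = True
            else:
                identity_allow = True
    if _account_of(principal_arn) == bucket_owner:
        granted = identity_allow or resource_allow   # same account: either policy suffices
    else:
        granted = identity_allow and resource_allow  # cross-account: both must allow
    return "allow" if granted else "implicit deny"


if __name__ == "__main__":
    sse = {"s3:x-amz-server-side-encryption": "AES256"}
    print("alice get:", evaluate(ALICE_POLICY, BUCKET_POLICY, OWNER_ACCOUNT, ALICE, "s3:GetObject", OBJ))
    print("alice put, no SSE header:", evaluate(ALICE_POLICY, BUCKET_POLICY, OWNER_ACCOUNT, ALICE, "s3:PutObject", OBJ))
    print("alice put, SSE header:", evaluate(ALICE_POLICY, BUCKET_POLICY, OWNER_ACCOUNT, ALICE, "s3:PutObject", OBJ, sse))
    print("bob get:", evaluate(BOB_POLICY, BUCKET_POLICY, OWNER_ACCOUNT, BOB, "s3:GetObject", OBJ))
    print("bob get, no identity policy:", evaluate(NO_POLICY, BUCKET_POLICY, OWNER_ACCOUNT, BOB, "s3:GetObject", OBJ))
```

The DenyUnencryptedUploads statement is the classic pattern for "force objects to be encrypted at upload"; note that it also rejects clients that omit the header and rely on the bucket's default encryption, so test uploads from every client before rolling it out.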
Note: versioning is enabled at bucket level
S3 Replication
Versioning must be enabled.
- Asynchronous
- CRR – Cross Region Replication
- SRR – Same Region Replication
Buckets can be in different accounts, but the necessary policies must be set on the source bucket.
Use cases:
- CRR – compliance, lower-latency access, replication across regions
- SRR – log aggregation, live replication between environments (e.g. test and production)
S3 Encryption
Server-side encryption – at rest, enabled by default
Client-side encryption – in transit, must be set up by the customer
Tools
Amazon Macie
Uses pattern matching and machine learning to automatically discover sensitive data in S3 buckets.
IAM Access Analyzer
Monitors and evaluates S3 buckets: bucket policies, ACLs and access point policies, reporting which are accessible from outside the account.