I want to learn how to secure my Amazon S3 bucket by restricting access, monitoring resources, and encrypting data to protect my files and meet security best practices.
Short description
To secure your files and Amazon S3 buckets, follow these best practices:
Resolution
Restrict access to your S3 resources
By default, all S3 buckets are private and can be accessed only by users who are explicitly granted access.
Do the following to restrict access to your S3 buckets or objects:
- Write IAM user policies that specify the users that can access specific buckets and objects. IAM policies provide a programmatic way to manage Amazon S3 permissions for multiple users. For more information about creating and testing user policies, see the AWS Policy Generator and IAM Policy Simulator.
- Write bucket policies that define access to specific buckets and objects. Use a bucket policy to grant access across AWS accounts, grant public or anonymous permissions, and allow or block access based on conditions. For more information about creating and testing bucket policies, see the AWS Policy Generator.
Note: You can use a deny statement in a bucket policy to restrict access to specific IAM users. You can restrict access even if the users are granted access in an IAM policy.
- Use Amazon S3 Block Public Access as a centralized way to limit public access. Block Public Access settings override bucket policies and object permissions. Be sure to turn on Block Public Access for all accounts and buckets that you don't want publicly accessible.
- Set access control lists (ACLs) on your buckets and objects.
Note: If you need a programmatic way to manage permissions, use IAM policies or bucket policies instead of ACLs. However, you can use ACLs when your bucket policy exceeds the 20 KB maximum file size. Or, you can use ACLs to grant access for Amazon S3 server access logs or Amazon CloudFront logs.
Consider these best practices when you use ACLs to secure your resources:
- Review ACL permissions that allow Amazon S3 actions on a bucket or an object. For the list of ACL permissions and the actions that they allow, see What permissions can I grant?
- Be stringent about who gets Read and Write access to your buckets.
- Carefully consider your use case before granting Read access to the Everyone group because this allows anyone to access the bucket or object.
- Never allow Write access to the Everyone group. This setting allows anyone to add objects to your bucket, which you will then be billed for. This setting also allows anyone to delete objects in the bucket.
- Never allow Write access to the Any authenticated AWS user group. This group includes anyone with an active AWS account, not just IAM users in your account. To control access for IAM users on your account, use an IAM policy instead. For more information on how Amazon S3 evaluates IAM policies, see How Amazon S3 authorizes a request.
In addition to using policies, Block Public Access, and ACLs, you can also restrict access to specific actions in these ways:
- Turn on MFA delete. This requires a user to authenticate using a multi-factor authentication (MFA) device before deleting an object or disabling bucket versioning.
- Set up MFA-protected API access. This requires that users authenticate with an AWS MFA device before they call certain Amazon S3 API operations.
- If you temporarily share an S3 object with another user, create a presigned URL to grant time-limited access to the object. For more information, see Sharing objects using presigned URLs.
Monitor your S3 resources
Turn on logging and monitor your S3 resources in these ways:
- Configure AWS CloudTrail logs. By default, CloudTrail tracks only bucket-level actions. To track object-level actions (such as GetObject), turn on Amazon S3 data events.
- Turn on Amazon S3 server access logging. For more information on reviewing these logs, see Amazon S3 server access log format.
- Use AWS Config to monitor bucket ACLs and bucket policies for any violations that allow public read or write access. For more information, see s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited.
- Use AWS IAM Access Analyzer to help you review bucket or IAM policies that grant access to your S3 resources from another AWS account.
- Use Amazon Macie to automate the identification of sensitive data stored in your buckets, broad access to your buckets, and unencrypted buckets in your account.
- Use CloudTrail with other services, such as CloudWatch or AWS Lambda, to invoke specific processes when certain actions are taken on your S3 resources. For more information, see Log Amazon S3 object-level operations using CloudWatch Events.
- If you have a Business Support Plan or an Enterprise Support plan, you can use AWS Trusted Advisor's S3 bucket permissions check. This check notifies you about buckets with open access permissions.
Use encryption to protect your data
If your use case requires encryption during transmission, use HTTPS protocol. This encrypts data in transit to and from Amazon S3. All AWS SDKs and AWS tools use HTTPS by default.
Note: If you use third-party tools to interact with Amazon S3, then contact the developers to confirm if their tools also support the HTTPS protocol.
If your use case requires encryption for data at rest, use server-side encryption (SSE). The SSE options include SSE-S3, SSE-KMS, or SSE-C. You can specify the SSE parameters when you write objects to the bucket. You can also enable default encryption on your bucket with SSE-S3 or SSE-KMS.
If your use case requires client-side encryption, see Protecting data using client-side encryption.
Related information
Identity and access management in Amazon S3
Data protection in Amazon S3
How do I require users from other AWS accounts to use MFA to access my Amazon S3 buckets?
How can I see who's been accessing my Amazon S3 buckets and objects?