Here are a few best practices for creating a tight S3 bucket policy to restrict putting logs to only the source account:
- Use the aws:SourceAccount and aws:SourceArn global condition context keys to restrict access to only your account. This is better than using s3:x-amz-acl conditions.
- Lock down the permissions to only allow PutObject actions, not other S3 actions like deleting objects.
- Use Deny statements with NotPrincipal after Allow to explicitly deny access to other accounts.
- Use resource policies, not bucket ACLs, to control access. Bucket policies allow more fine-grained control.
- Use IAM roles for EC2 instances or Lambda functions that need to put logs rather than making the bucket public. Grant permissions to the role, not the bucket.
- Rotate credentials regularly if applications need direct access. Don't hardcode AWS keys in apps.
- Enable MFA delete to prevent accidental bucket deletion.
So in summary, the first example using aws:SourceAccount and aws:SourceArn is better than the second example. The second allows anyone with full control ACL to write, which is too broad. Restricting by source account and ARN is more secure.
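As an added example (not code from the answer above or from AWS), the following Python script builds the two kinds of bucket policy the answer compares and lints them against the criteria it lists: PutObject only, no wildcard principal, and an aws:SourceAccount / aws:SourceArn condition present. The bucket name, account ID, source bucket ARN and the `logging.s3.amazonaws.com` service principal are assumptions chosen for S3 server access logging; the shape of the "second example" is reconstructed from the answer's description, since the page itself does not show it.

```python
"""Contrast a tight log-delivery bucket policy with an over-broad one, and lint both.

All identifiers below are constructed example values (assumptions), not taken from
the original post.
"""
import json

LOG_BUCKET = "example-log-bucket"                    # assumption
SOURCE_ACCOUNT = "111122223333"                      # assumption
SOURCE_BUCKET_ARN = "arn:aws:s3:::example-source-bucket"  # assumption
# S3 server access logging delivers through this service principal (assumption that
# this is the log source). CloudTrail, ELB, etc. use their own principals.
LOG_DELIVERY_PRINCIPAL = "logging.s3.amazonaws.com"

# Condition keys the answer recommends pinning the writer to.
WANTED_CONDITION_KEYS = {"aws:SourceAccount", "aws:SourceArn"}


def tight_policy(log_bucket=LOG_BUCKET, source_account=SOURCE_ACCOUNT,
                 source_bucket_arn=SOURCE_BUCKET_ARN,
                 delivery_principal=LOG_DELIVERY_PRINCIPAL):
    """The 'first example' pattern: only PutObject, only from the log-delivery
    service, and only when the delivery originates from our account and bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLogDeliveryFromOwnAccountOnly",
            "Effect": "Allow",
            "Principal": {"Service": delivery_principal},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{log_bucket}/*",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": source_account},
                "ArnLike": {"aws:SourceArn": source_bucket_arn},
            },
        }],
    }


def broad_policy(log_bucket=LOG_BUCKET):
    """Assumed shape of the 'second example' the answer rejects: any principal may
    write as long as it sets the bucket-owner-full-control ACL."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAnyoneWithFullControlAcl",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{log_bucket}/*",
            "Condition": {
                "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Collect every condition key used in a statement, across all operators."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def find_weak_statements(policy):
    """Return (Sid, reason) pairs for Allow statements that miss the answer's bar."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not linted here
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        if any(a != "s3:PutObject" for a in actions):
            findings.append((sid, f"grants actions beyond s3:PutObject: {actions}"))
        missing = WANTED_CONDITION_KEYS - _condition_keys(st)
        if missing:
            findings.append((sid, f"missing source condition keys: {sorted(missing)}"))
        if st.get("Principal") in ("*", {"AWS": "*"}):
            findings.append((sid, "principal is wildcard"))
    return findings


if __name__ == "__main__":
    for name, pol in (("tight", tight_policy()), ("broad", broad_policy())):
        print(f"== {name} ==")
        print(json.dumps(pol, indent=2))
        for sid, reason in find_weak_statements(pol) or [("-", "no findings")]:
            print(f"  {sid}: {reason}")
```

Running it prints both policies and flags the broad one twice (wildcard principal, no source conditions) while the tight one passes. The linter is a quick pre-deployment check, not a replacement for IAM Access Analyzer; it does not evaluate Deny statements or the case-insensitivity of condition keys.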