Best Practices for Securing Amazon S3 Buckets

Why does it matter?

As of March 2021, Amazon revealed that over 100 trillion objects were stored in Amazon S3. That number has assuredly grown at an exponential rate since and will continue to do so. Back in October 2019, Gartner predicted:

“Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.”

If you’ve read the news in the past few years, that prediction seems not far off. Data breaches are, unfortunately, all too common, and the sad thing is that most of the time they are preventable. Keeping your Amazon S3 buckets secure is one way to ensure you don’t suffer a breach of sensitive data.

In this blog post, we will discuss ways to secure your Amazon S3 buckets by following best practices. I will share practices you should follow and others you should avoid.

Dos of Securing Amazon S3:

  • Do back up your S3 data: Consistently back up your data to protect against accidental loss, corruption, or malicious attacks. Implement a robust recovery strategy to restore data to a known good state when needed, ensuring business continuity.
  • Do use AWS S3 Inventory for Compliance: Utilize AWS S3 Inventory regularly to audit your objects’ encryption and replication status. This aids in maintaining compliance with regulatory standards by providing detailed reports on your S3 objects’ configurations.
  • Do implement resource tagging: Apply tags to your S3 resources using Amazon’s Tag Editor for improved organization and management. Tags help categorize resources for cost allocation, security, and operational efficiency, particularly during audits.
  • Do monitor critical metrics with CloudWatch: Leverage AWS CloudWatch to monitor essential metrics like PutRequests, GetRequests, 4xxErrors, and DeleteRequests. This enables you to maintain the security, availability, and performance of your S3 resources by identifying anomalies early.
  • Do enable server access logging and AWS CloudTrail: Activate server access logging for detailed request logs and use AWS CloudTrail for action-level insights. These tools are crucial for auditing, investigating security incidents, and ensuring accountability.
  • Do leverage AWS Config for configuration management: Employ AWS Config to evaluate and audit your AWS resource configurations. It helps ensure that your S3 buckets and other AWS resources comply with your organization’s security policies and best practices.
  • Do use IAM roles for S3 access: Allocate access through IAM roles to manage permissions effectively. This approach adheres to the principle of least privilege, minimizing potential security risks by ensuring entities have only the permissions they need.
  • Do encrypt your data: Ensure data is encrypted in transit and at rest. With S3’s encryption options, including DSSE-KMS for dual-layer encryption, you enhance data security against unauthorized access and comply with privacy standards.
  • Do enforce encryption of data in transit: Add policies to your S3 buckets to reject unencrypted transfers, ensuring data is transmitted securely over the network, safeguarding it from interception.
  • Do consider S3 Object Lock, Versioning, and MFA Delete: Protect your data from being deleted or altered unintentionally. These features add layers of security for data retention and recovery, crucial for regulatory compliance and data integrity.
  • Do consider VPC endpoints for Amazon S3 access: Utilize VPC endpoints to securely connect to S3 resources without routing traffic over the public internet, enhancing the security of data transfers within AWS.
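The “reject unencrypted transfers” bucket policy from the list above, as an added example that is not part of the original post. It builds the two Deny statements with the documented `aws:SecureTransport` and `s3:x-amz-server-side-encryption` condition keys and includes a tiny offline evaluator so the effect can be checked without an AWS account; the bucket name is a placeholder.

```python
import json
from typing import Optional

BUCKET = "example-bucket-placeholder"  # placeholder, not a real bucket


def secure_transport_policy(bucket: str) -> dict:
    """Bucket policy that denies any request not sent over TLS and denies
    PutObject calls that do not explicitly request server-side encryption.
    Note: S3 now encrypts new objects with SSE-S3 by default, so the second
    statement is about making callers state encryption explicitly (a
    stepping stone to requiring a specific KMS key)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def request_allowed(policy: dict, action: str, secure_transport: bool,
                    sse_header: Optional[str]) -> bool:
    """Offline check of the two Deny statements only (explicit Deny wins)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:*", action) for a in acts):
            continue
        cond = stmt["Condition"]
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false" and not secure_transport:
            return False
        if cond.get("Null", {}).get("s3:x-amz-server-side-encryption") == "true" and sse_header is None:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(secure_transport_policy(BUCKET), indent=2))
    # With boto3 you would apply it via: s3.put_bucket_policy(Bucket=BUCKET, Policy=<json string>)
```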

Don’ts of Securing Amazon S3:

  • Don’t leave buckets publicly accessible: Unless absolutely necessary, ensure your buckets are not publicly accessible to prevent unauthorized access and data breaches. Use the S3 Block Public Access feature to enforce this policy across your S3 environment.
  • Don’t use overly permissive policies: Avoid wildcard permissions in bucket policies and IAM roles that grant more access than necessary. Regularly review policies to ensure they adhere to the principle of least privilege.
  • Don’t use access control lists (ACLs): If you don’t have a specific need for ACLs, don’t use them. Avoiding them simplifies auditing and permissions management. Use IAM policies, S3 bucket policies, and SCPs instead.
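An offline audit for the first two Don’ts, added here as an example that is not part of the original post: it walks a bucket policy document and flags Allow statements that grant access to any principal without a Condition, or that use wildcard actions. The sample policy and the account ID in it are constructed for illustration.

```python
from typing import Any, List


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy: dict) -> List[str]:
    """Return human-readable findings for overly permissive Allow statements."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if _is_anyone(stmt.get("Principal")):
            if "Condition" in stmt:
                findings.append(f"{sid}: Principal '*' scoped by a Condition; review it")
            else:
                findings.append(f"{sid}: grants access to anyone with no Condition")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: uses wildcard action {actions}")
    return findings


# Constructed sample policy for demonstration only (placeholder bucket and account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket-placeholder/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket-placeholder/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY):
        print(finding)
```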

Conclusion

The amount of data currently stored in Amazon S3 is astounding, and it continues to grow at a record rate. Data breaches in the last few years have also been on the rise, and many of them correlate directly with improperly secured resources. Done properly, Amazon S3 can be a safe and secure place to store your data; however, it takes diligence and a strong will to ensure repeatable, secure deployments. Consider these best practices for your Amazon S3 deployments.
