FAQs for Amazon S3 Security
Secure Configurations for S3
Too many data breaches originate from S3 buckets that aren’t properly configured. How can you prevent leaky S3 buckets at your organization? Ask yourself these three questions regarding configurations:
- When does an S3 bucket need to be public? One of the foundational security elements of S3 is to ensure S3 buckets are not publicly available, unless you explicitly set them as public. It’s such an established best practice that AWS actually makes it pretty difficult for S3 buckets and their objects to become public. S3 buckets are automatically limited by AWS unless you turn it off.
- What internal resources need access to the buckets? Best practice is to allow only those that need access for their job duties and to deny all others. You may have IAM policies that allow access to S3, so if the bucket is private, you need a policy that addresses this and denies permission.
- Do users need to always have access to any object? If not, then consider a pre-signed URL to assign access for a limited amount of time.
Read more in the AWS documentation on security best practices for Amazon S3.
S3 is a prominent service available from AWS. When you're using it, you'll want to ask yourself three security-related questions. First, do any of your buckets need to be public? AWS by default makes all buckets private. If you need to change this, you'll have to do it intentionally. Second, does any user need access to the contents of the bucket? If users do, keep in mind that IAM policies can contradict bucket policies. So, you want to make sure that those two align. And third, do the users need continual access? If not, consider a pre-signed URL to give them limited access so that you don't mistakenly create a bucket policy and forget to remove it.