As a result, we must adhere to the AWS S3 security best practises outlined below.
1. Check for AWS S3 bucket policies and block the public access
- Assign AWS S3 bucket policies and Access Control Lists (ACLs) for authenticated IAM users.
AWS S3 Bucket Policy
- Block public access for AWS S3 bucket.
Block public access
- Use AWS trusted advisor service for inspecting AWS S3 implementation.
2. Principle of least privileges with AWS S3 security policies
Implementation of least privilege access is the basic requirement for data security in AWS S3.
- Using IAM user policies and least permissions for IAM entities.
- It uses Service Control Policies (SCPs).
3. Access restrictions with ACLs
- Network ACLs can be utilised to supplement AWS S3 security policies and implement additional access restrictions.
- We will be able to implement 99% of our access restrictions using bucket and user policies.
- There are some situations in which ACLs must be used.
4. Encryption of Data at Rest
- Server Side Encryption :
- Before saving the object in the bucket, SSE encrypts it.
- It decrypts it when we download the objects.
- SSE can achieved by using AWS-managed AWS S3 keys or our keys created in the AWS KMS.
- Client Side Encryption :
- It encrypts data at client-side and uploads this data in AWS s3 bucket.
- In this case, the client will manage the process of encryption and keys as well.
- Default Encryption :
- It provides default encryption behavior for an AWS S3 bucket.
- So that all new objects will encrypt before storing in the bucket.
- The encrypted objects are using server-side encryption with either Amazon AWS S3-managed keys (SSE-S3) or customer master keys (CMKs) stored in AWS KMS.
5. Encrypting Data at Transit
To enforce data encryption during transit, we must allow only encrypted connections over HTTPS (TLS) by adding aws:SecureTransport condition on AWS S3 bucket policies.
Example of Encrypting Data at Transit
6. Enable Versioning
Enabling versioning for s3 bucket protects our data from accidental deletion and unintended user actions.
- When we enable versioning, S3 keeps multiple versions of each object in the bucket.
- Whenever we upload an object with the same name, a new version of the object will be stored in the s3 bucket.
- Similarly, when we delete an object, S3 retains the copy but inserts a delete marker to the latest version of the object.
- S3 uses a version ID to keep track of these objects.
- We can easily recover our data from older versions of the object even though the latest version of the object is corrupt.
7. Enable MFA Deletion Policy
- Enabling Multi-Factor Authentication (MFA) policy will give a second layer of protection for S3 buckets.
- In order to enable MFA delete, we must enable versioning first and not vice-versa.
- When deleting an object in version controlled buckets, we must provide an authentication code generated by an MFA device.
8. Use AWS CloudTrail to monitor S3 access
AWS CloudTrail service uses:
- We can detect suspicious behavior or spot security incidents related to S3 buckets.
- For Monitoring and auditing of user activities related to s3 buckets.
- Create a specific trail to log and monitor our S3 bucket in a given region or globally.
- It contains the information of users, accounts, source IP, time etc. S3 bucket will store these trail logs.
Monitor logs using CloudTrail
9. Use AWS GuardDuty to automate S3 log analysis
Once we enable CloudTrail data events for S3 buckets and objects it can generate a very high volume of records.
- Whenever GuardDuty detects a threat based on these events, it generates a security finding.
- Based on these findings, we must take appropriate corrective actions to improve security in our S3 buckets and objects.
10. Setup Life cycle Policy
Setting up a lifecycle policy for s3 buckets secures our data as well as saves our money. By setting up the lifecycle policy, we can move the unwanted data to make it private and later delete it. This data cannot be accessed by the potential hackers and save our money by freeing the space as well. Also by enabling the Lifecycle policy, we can move the data from s3 bucket to AWS Glacier for saving money.
11. Use of VPC Endpoints for Amazon S3 access
With VPC endpoints, the data between the VPC and S3 is transferred within the Amazon network, helping protect our instances from internet traffic.
VPC Endpoints provides few additional security controls to help limit access to our s3 buckets such as,
- It requires that requests to our S3 buckets originate from a VPC using a VPC endpoint.
- This controls what buckets, submissions and users are allowed through a particular VPC endpoint.
12. Use of AWS Macie
Macie is the powerful service for data security and data privacy in the AWS cloud. Currently it supports only Amazon S3. Using this we can discover, monitor, and protect your sensitive data in Amazon S3.
13. Third-party AWS security tools
Other than AWS, there are some third party security tools available for securing our data. These can save our precious time and keep the data secure at the same time.
Some of the popular tools described as below:
- Security Monkey :
- Security Monkey tool is developed by Netflix.
- In addition to that it is used to monitor the AWS policy changes and getting alerts for any insecure configurations.
- It performs some audits on S3 buckets to ensure the best practices are in place.
- Cloud Mapper :
- Sonarai Dig :
- Sonrai Dig Security’s mission is to allow companies to Unearth, Prioritize, and Remove risks across every part of our cloud.
- It combines Cloud Security Posture Management (CSPM), Cloud Identity Security (CIEM), and Cloud data security in one platform.
- It can also help remediate our s3 implementation & enforce our controls and ongoing monitoring of our identity and data risks.
To learn more about this kind of blog, visit https://engineering.rently.com/quality-engineering/.
Senior DevSecOps Engineer
Rently Software Development Private Limited
Coimbatore – 641021