A Complete Guide to Securing and Protecting AWS S3 Buckets

Click here to read a summary of this article!

A Quick Guide to Securing AWS S3 Buckets

Amazon Web Services (AWS) is one of the leading cloud hosting service providers in the world. The Simple Storage Service (S3) is one of its most popular offerings. However, data stored in S3 buckets can be prone to hacks and breaches if you do not protect it.

A few helpful tips on securing your S3 buckets are:

1. Properly configure all access policies to define who can view and edit objects stored in your S3 buckets. This helps avoid breaches that occur due to access being granted by mistake. Amazon offers various ways to define access, such as bucket policies, access points, and access control lists.
2. Encrypt the data that’s uploaded to AWS S3 buckets. Even if a data breach occurs, your data will not be completely exposed if it’s encrypted. You can handle the encryption process yourself or let Amazon handle it, depending on your comfort level with managing encryption keys.
3. Regularly audit access logs. These logs contain details of access requests from different users. You can identify and restrict any unauthorized requests to prevent a breach.

Check out the rest of the article for more information on how to secure your AWS S3 buckets.

Amazon Web Services (AWS) is the leading cloud service provider globally. It offers clients the same scalable infrastructure that Amazon uses to run its global e-commerce operations. AWS Simple Storage Service (S3) is an object storage service that’s part of the AWS suite. Users can store files, music, videos, and other data as objects using AWS S3.

Despite their popularity, data breaches are not uncommon with AWS S3 buckets. Indeed, some notable data breaches, such as the US voter records leak, which compromised the data of 198 million Americans, are attributable to misconfigured S3 access policies. The SEGA vulnerability that was recently discovered and patched, was based on similar S3 access issues.

AWS users must know how to secure and protect their S3 buckets. This article provides some simple but effective tips that AWS users can implement to ensure that objects stored by them in S3 buckets remain safe.

How to Secure Your AWS S3 Buckets

We’ve divided the steps you can take to secure your S3 buckets into two sections. The first section outlines ways in which you can prevent a data breach by configuring access to the buckets. In the second section, we look at measures that help mitigate the impact of a potential data breach.

Let’s understand the preventive steps you can take to secure your AWS S3 buckets.

Preventing data loss by managing access

Most AWS S3 data breaches are caused due to misconfigured policies that unintentionally grant public access. Therefore, properly configuring access policies is critical in preventing data branches.

The level of access that others have to your S3 buckets will depend on what you’re using them for. Some use them to share information and data across large teams while others use them to store their personal information.

While the former requires all team members to have some form of access to the bucket, the latter bucket should not allow public access at all. Luckily, AWS can be used to create granular access controls in the following ways:

1. Blocking public access

If you’re using S3 buckets primarily to store personal data or backup files on your devices, then it’s best to deny public access by default. This means that no one but you can access and edit the files. AWS S3 Block Public Access Settings allows you to block all public access to objects stored in your buckets.

Using “Block all public access” overrides all other access permissions, such as Access Controls Lists (ACLs) and Access Points. If you do want to grant some form of access to others, you can choose between the four other options provided below.

Unless you’ve changed your global settings, all new buckets should block all public access by default.

2. Using S3 Bucket Policies to control bucket assess

Consider using S3 Bucket Policies if you’d like others to have access to your buckets, but would like to control who can edit which objects and in what manner. These apply to all objects in the bucket and can be configured to restrict access in many different ways.

For example, a bucket policy can be configured to allow access only from certain IP addresses:

You can also use bucket policies to grant access if certain other specified conditions are met. For instance, you can reduce the chances of man-in-the-middle attacks by allowing access solely from HTTPS domains.

3. Managing roles using Identity and Access Management

Both S3 bucket policies and Identity and Access Management (IAM) are similar in that they both control access to your S3 buckets. However, IAM defines what permitted users can and cannot do in the Amazon Web Service Environment.

So, for instance, you can grant only READ access to some users but for others, you can grant READ/WRITE access. Bucket policies, on the other hand, only specify what actions are permissible for a particular bucket.

In other words, IAM deals with more macro permissions while bucket policies set more granular and fine-grained access rules. Using both IAM and bucket policies simultaneously is the optimal strategy.

However, there are a few circumstances for which you’d specifically want to use IAM:

• You deal with AWS services other than S3 and want to set permissions for all services at one go
• You have numerous S3 buckets with different permission requirements. It’s often easier to set a detailed IAM policy as opposed to setting up detailed bucket policies for each bucket.

While setting up your IAM policies, it’s advisable to follow the rule of least privilege. This means that you should start out by granting the minimum level of access and increasing permissions as required.

4. Defining object access using Access Controls Lists (ACLs)

Before discussing how ACLs can be used for S3 buckets, it’s important to note that Amazon recommends sticking to IAM and bucket policies for controlling access. This is perhaps because misconfigured ACLs have resulted in some of the more prominent S3 breaches.

With that disclaimer out of the way, let’s understand how ACLs are different from bucket policies. As we’ve mentioned previously, S3 bucket policies apply to all objects within a single bucket. Resultantly, it’s impossible to set differing permissions for different objects in an S3 bucket using bucket policies.

This is where ACLs come in handy. You can use one to set fine-grained permissions for each object within a bucket. So, while the rest of the bucket could be private, a specific object within it can be made public and vice versa. This is useful in situations where you may want certain objects within a bucket to have different access from other objects.

5. Using S3 Access Points

Amazon announced a new and efficient way of managing access to S3 buckets, known as Access Points. This new feature allows users to create unique access control policies for each access point in a bucket. As a result, managing access permissions across large S3 buckets, such as data lakes, is much easier with Access Points.

Instead of configuring a single lengthy policy for the entire bucket, users can control permissions using specific access points. This makes scaling permissions across large datasets a seamless process.

Access points can be used to grant access for an individual or a group and can be specific to a particular application or group of applications.

Users can use access points to ensure that all access to S3 resources happens only through a Virtual Private Cloud (VPC).

Tips to Mitigate the Impact of a Breach

At the end of the day, it’s a question of when and not if a data breach happens. Even if you’ve configured your access policies perfectly,  a malicious element on the web might be able to breach your S3 buckets. In such a situation, it’s important to minimize the potential harm of a data breach. Some useful ways of doing this are to encrypt the stored data and keep audit logs.

Encrypt data stored on S3 buckets

Encrypting the data you store on an S3 bucket helps ensure its security and sanctity in a situation where a hacker is able to gain access to your AWS dashboard. Resultantly, it prevents your data from being completely exposed in case a breach does happen.

You can encrypt your data in transit (during transmission to the AWS servers) and at rest (while stored in the AWS servers). For encryption at rest, you can choose between the following options:

• Client-Side Encryption – the user encrypts the data themselves before uploading it to the AWS server. The data is encrypted before it leaves your device. Hence, using client-side encryption ensures that data is encrypted during transit as well.
• Server-Side Encryption – AWS manages the encryption process. It encrypts user-uploaded data using standards such as AES-256 and decrypts it when needed. As the following image depicts, AWS offers two kinds of server-side encryption: SSE-S3, in which S3 creates and manages the keys, and SSE-KWS, in which the AWS KMS protects the encryption keys.

It’s important to enforce encryption during transit when using SSE. This is done by defining bucket policies that grant access only to requests using the HTTPS protocol, as discussed above.

Audit Logs

If a breach does happen, it’s important to identify and detect where it came from. This is where logging is useful. AWS lets you capture data on the different requests made to a particular bucket or object. Resultantly, potentially malicious access requests can be identified and blocked. Access requests can be logged in the following ways:

1. Sever Logs – these logs contain details about the request, such as the requester and target bucket. Server logs are free to create. However, they are stored in a different S3 bucket, which will cost you money. The following images show how server logging can be configured.
2. 
3. AWS CloudTrail – CloudTrail is a useful tool that allows for access tracking at the object level. It allows detailed activity, such as the origin of the request, to be viewed for each object in the bucket. That said, it is a paid service and will cost you in addition to the price of the S3 subscription.

Final Thoughts on Securing AWS S3 Buckets

If you use AWS to store important data and files, then securing your S3 buckets should be a priority. Start by setting up access management policies and then put in place the mitigating mechanisms described above.

You can add an additional layer of security to your AWS account by using multi-factor authentication (MFA). MFA usually requires users to authenticate themselves twice, once using their password and another time through a one-time password or authenticator app.

Securing AWS S3 buckets doesn’t take a lot of effort but can be hugely beneficial in the long term. So why not do it now?