Amazon S3 (Simple Storage Service) is an object storage service and one of the most used services in AWS. With the simple web interfaces S3 provides, it is easy to use S3 as a remote storage location for our web applications. Therefore S3 can easily become the storage for some of the most critical data of an application, which makes the security of your S3 buckets crucial. When it comes to security in AWS services, AWS follows a shared responsibility model which involves both AWS and the customer. While AWS takes responsibility for “security of the cloud”, the customer is responsible for “security in the cloud”. AWS takes responsibility for the security of all the infrastructure running underneath the AWS cloud: the hardware, software, networking and the physical facilities which run the cloud services. Customers are responsible for security in the cloud based on the services they select to use. In some services, customers have more responsibility and control when setting up and securing the service, such as EC2 instances, where clients are responsible for defining all of the access controls and many other configurations to secure the instance, while other services like Lambda take care of most of the configuration so the user has to worry less about the security of their compute instances. Handling security for S3 buckets can be discussed under 3 major topics.
Access control

By default, S3 buckets are private and access to all objects is restricted for any external users. AWS provides many options to make sure the owner has control over who has access to what.

Follow the least privilege access control model

A least privilege access control model grants users only the permissions which are absolutely necessary. This can be implemented by starting with a role with no permissions at all and then gradually allowing permission to perform the required actions. Since IAM enables fine-grained access to be defined down to the object level, IAM can be used to implement the least privilege access control model for S3.

S3 Access points

Access points are a feature introduced by AWS to give different customers access to shared data sets. Each access point provides a unique hostname and can be attached to a different IAM policy to differentiate user access to the data in the bucket. Furthermore, any of these access points can be restricted to a VPC, ensuring that only the client's private network can access the data. AWS suggests that access points are a good option for the following scenarios.
IAM roles for services accessing S3

It is always best to use roles instead of an IAM user when other AWS services have to access an S3 bucket. The least privilege access model applies here as well, to ensure that no service has any unnecessary access to the S3 buckets or their objects.

Pre-signed URLs

Pre-signed URLs can be used to grant temporary access to a specific object, or to allow a user to upload an object to an S3 bucket, without having to grant permanent access to the bucket.

Block public access

Always block public access to S3 buckets unless it is necessary to allow it.

Data protection

Once data is uploaded to the S3 bucket, further actions need to be taken to ensure protection against data corruption, loss, and malicious or accidental removal or modification. S3 provides several mechanisms to ensure data protection, such as the following.
Encryption

There are mainly 2 types of encryption that can be enabled in S3.
Data at rest encryption

Amazon S3 provides 3 methods of data at rest encryption.
Data in transit encryption

S3 supports encrypting data in transit using SSL/TLS, and HTTPS over TLS can be used to protect data from sniffing or man-in-the-middle attacks. Bucket policies can be set to make sure only encrypted connections using HTTPS over TLS are allowed.

Versioning

S3 versioning enables users to maintain separate versions of each object in the bucket. With this capability, it is easy to recover from accidental deletions or data corruption by restoring a previous version.

Object Lock

Object Lock in Amazon S3 follows the write-once-read-many (WORM) model. This enables users to upload an object to the S3 bucket and prevent the object from being deleted for a specified time period or indefinitely. Object Lock provides 2 methods to manage this object protection.
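The HTTPS-only bucket policy mentioned under Data in transit encryption, as an added example that is not part of the original article: the first function produces the Deny statement keyed on the aws:SecureTransport condition, and the second is an audit check you can run over an existing bucket policy document to confirm that such a Deny is present and covers both the bucket and its objects. The bucket name is a placeholder.

```python
import json


def tls_only_bucket_policy(bucket: str) -> dict:
    """Bucket policy that denies every S3 action on the bucket and its objects
    when the request did not arrive over TLS. Allow statements for the intended
    principals sit alongside it; an explicit Deny always wins in IAM evaluation."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    # Policy documents may give Statement, Action and Resource as a single value.
    return value if isinstance(value, list) else [value]


def policy_enforces_tls(policy: dict, bucket: str) -> bool:
    """Audit check for a bucket policy document (e.g. one fetched with
    get-bucket-policy): is there a Deny for all principals and all actions on
    both the bucket ARN and its objects, conditioned on non-TLS transport?"""
    arn = f"arn:aws:s3:::{bucket}"
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = _as_list(st.get("Action", []))
        if "s3:*" not in actions and "*" not in actions:
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if {arn, f"{arn}/*"} <= set(_as_list(st.get("Resource", []))):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(tls_only_bucket_policy("example-bucket"), indent=2))
```

A Deny that lists only the object ARN still lets bucket-level operations such as listing happen over plain HTTP, which is why the check requires both resources.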
Monitor and Audit

Once access control and data protection are set up properly, it is important to set up proper monitoring in order to make sure we are able to identify any issues. Amazon S3 provides a range of services for setting up monitoring, and the following options will be discussed in this article.
Server access logs

S3 server access logs enable users to log and store all requests coming into the S3 bucket in a separate bucket. Services like Amazon Athena can be used to analyze this data further. It is important not to use the same bucket as the storage location for its own access logs, as this creates an infinite loop of accessing the bucket and creating new logs.

CloudWatch metrics

CloudWatch metrics can be enabled to get near real-time data on the S3 bucket, which is helpful for understanding and acting upon any issues. Fine-grained analytics can be obtained via CloudWatch metrics, as the metrics configuration can be set to monitor at the object level.

Conclusion

Since Amazon S3 has become one of the most popular solutions for object storage, the security of S3 has also become crucial. As AWS ensures the security of the cloud, we as users need to make sure we follow the best practices to ensure security in the cloud. While implementing some of these best practices can be expensive, it is important to keep in mind that a data breach can be much more expensive. Therefore it is important to follow best practices and do our best to ensure the protection of data; knowledge of the existing options is important when a trade-off needs to be made between security and budget.
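The server access logs described under Monitor and Audit are only useful if something reads them. As an added example that is not part of the original article, the parser below tokenizes the space-separated S3 server access log format (bracketed timestamp and quoted fields) and flags two conditions tied to the earlier sections: successful anonymous requests, which show that public access is in use, and requests that reached the bucket without TLS, which a TLS-only bucket policy would have denied. The log lines, request IDs and bucket name are constructed samples.

```python
import re

# Leading fields of the S3 server access log format, in order (later fields
# such as the access point ARN are not needed for these checks).
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
          "host_header", "tls_version"]
# A field is a [bracketed time], a "quoted string", or a bare token.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample lines: an authenticated TLS read, an anonymous plaintext
# read of a backup, and an anonymous plaintext request that was denied.
SAMPLE_LOGS = [
    'owner1 example-bucket [06/Feb/2024:10:00:01 +0000] 192.0.2.10 owner1 REQ1 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 4096 4096 12 11 "-" "aws-cli/2.15" - host1 SigV4 TLS_AES_128_GCM_SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.3 - -',
    'owner1 example-bucket [06/Feb/2024:10:00:02 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 200 - 1048576 1048576 40 38 "-" "curl/8.4" - host2 - - - example-bucket.s3.us-east-1.amazonaws.com - - -',
    'owner1 example-bucket [06/Feb/2024:10:00:03 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT secret.txt "GET /secret.txt HTTP/1.1" 403 AccessDenied - - 5 - "-" "curl/8.4" - host3 - - - example-bucket.s3.us-east-1.amazonaws.com - - -',
]


def parse_line(line: str) -> dict:
    """Map one log line onto FIELDS; returns {} for lines too short to be valid."""
    tokens = [t[1:-1] if t[0] in '"[' else t for t in _TOKEN.findall(line)]
    return dict(zip(FIELDS, tokens)) if len(tokens) >= len(FIELDS) else {}


def findings(lines):
    """Flag successful anonymous requests (public access in use) and requests
    that reached the bucket without TLS (a TLS-only bucket policy would deny)."""
    out = []
    for rec in map(parse_line, lines):
        if not rec:
            continue
        if rec["requester"] == "-" and rec["http_status"].startswith("2"):
            out.append(("anonymous_success", rec["request_id"], rec["key"]))
        if rec["tls_version"] == "-":
            out.append(("plaintext_transport", rec["request_id"], rec["key"]))
    return out
```

The same two conditions map directly onto Athena queries over the log bucket (requester = '-' and tlsversion = '-'), which is the scalable version of this check.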