Amazon Web Services Simple Storage Service (S3) Security
In today's digital world, cloud computing is the go-to choice for most technology companies that handle data, and it remains their preferred option as the volume of data they store, and the analytics they run on it, keep growing. AWS provides many security features to protect data held in cloud storage.
Let’s go through some of the key S3 security features:
- AWS S3 security is a shared responsibility between AWS and the customer
- As a managed service, S3 is protected by the AWS global network security procedures
- AWS handles basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery
- Security and compliance of S3 are assessed by third-party auditors as part of multiple AWS compliance programs, including SOC, PCI DSS and HIPAA
- AWS S3 provides several other features to handle security, which are customers’ responsibility
S3 Data Protection
- S3 protects data using a highly durable storage infrastructure designed for mission-critical and primary data storage
- Objects are redundantly stored on multiple devices across multiple facilities in an S3 region
- S3 PUT and PUT object copy operations synchronously store the data across multiple facilities before returning SUCCESS
- Once the objects are stored, S3 maintains its durability by quickly detecting and repairing any lost redundancy
- S3 also regularly verifies the integrity of data stored using checksums. If S3 detects data corruption, it is repaired using redundant data
- In addition, S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data
- Data protection against accidental overwrites and deletions can be added by enabling versioning to preserve, retrieve, and restore every version of the object stored
- S3 also provides the ability to protect data in transit (as it travels to and from S3) and at rest (while it is stored in S3)
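The checksum behaviour described above has a client side too. The following Python is an added example, not code from the article or from AWS: it computes the Content-MD5 header that lets S3 reject a corrupted upload, the base64 SHA-256 value for the x-amz-checksum-sha256 header, and verifies a downloaded body against the ETag returned by S3. The sample object body is constructed for the example. The ETag-equals-MD5 property holds only for single-part uploads that are not encrypted with SSE-KMS, which is why the verifier refuses multipart ETags.

```python
import base64
import hashlib
import hmac

# Constructed sample object body for the example (not data from the article).
SAMPLE_OBJECT = b"quarterly-report,2024,Q1\nrevenue,1200\n"


def md5_etag(body: bytes) -> str:
    """Hex MD5 of the body. For a single-part PUT without SSE-KMS this is the
    ETag S3 returns (quoted), so the client can confirm S3 stored what it sent."""
    return hashlib.md5(body).hexdigest()


def content_md5_header(body: bytes) -> str:
    """Value for the Content-MD5 request header: base64 of the raw MD5 digest.
    S3 rejects the PUT when the body it received does not match this value."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def sha256_checksum_header(body: bytes) -> str:
    """Value for the x-amz-checksum-sha256 request header: base64 of the raw
    SHA-256 digest, for the additional-checksum algorithms S3 supports."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def verify_download(body: bytes, etag: str) -> bool:
    """Compare a downloaded body against the ETag from the GET response.

    ETags arrive quoted. A '-' suffix marks a multipart upload, whose ETag is
    not a plain MD5 of the body, so the caller must fall back to another
    checksum (for example the SHA-256 header above) instead of this check.
    """
    etag = etag.strip('"')
    if "-" in etag:
        raise ValueError("multipart ETag is not an MD5 of the body")
    # Constant-time comparison, as for any integrity check on attacker-influenced input.
    return hmac.compare_digest(md5_etag(body), etag)


if __name__ == "__main__":
    print("Content-MD5:", content_md5_header(SAMPLE_OBJECT))
    print("x-amz-checksum-sha256:", sha256_checksum_header(SAMPLE_OBJECT))
    print("ETag matches:", verify_download(SAMPLE_OBJECT, '"%s"' % md5_etag(SAMPLE_OBJECT)))
```

Sending Content-MD5 (or an x-amz-checksum-* header) on every PUT turns the transport-level corruption detection described above into an end-to-end check, because S3 compares against a digest the client computed before the bytes left the machine.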
S3 Encryption
- S3 supports encryption of data both in transit and at rest
- Data in transit
- S3 protects data in transit by enabling communication over SSL/TLS or by using client-side encryption
- Data at rest
- Server-Side Encryption
- S3 encrypts each object before saving it to disk in its data centers and decrypts it when the object is downloaded
- Client-Side Encryption
- Data is encrypted at the client-side and uploaded to S3
- The encryption process, the encryption keys, and related tools are managed by the user
S3 Permissions
- By default, all S3 buckets, objects, and related sub resources are private
- Only the resource owner, the AWS account (not the user) that creates the resource, can access the resource
- Resource owner can be:
- AWS account that creates the bucket or object owns those resources
- If an IAM user creates the bucket or object, the AWS account of the IAM user owns the resource
- If the bucket owner grants cross-account permissions to users of other AWS accounts to upload objects to the bucket, the objects are owned by the AWS account of the uploading user, not by the bucket owner, with the following exceptions
- Bucket owner can deny access to the object, as it is still the bucket owner who pays for the object
- Bucket owner can delete or apply archival rules to the object and perform restoration
- User is the AWS account or the IAM user who accesses the resource
- Bucket owner is the AWS account that created a bucket
- Object owner is the AWS account that uploads the object to a bucket it does not own
- S3 permissions are classified into two types: resource-based policies and user policies
S3 Object Lock
- S3 Object Lock helps to store objects using a write-once-read-many (WORM) model
- S3 Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely
- S3 Object Lock can help meet regulatory requirements that require WORM storage or add an extra layer of protection against object changes and deletion
- Object Lock can be enabled only when a bucket is created. To enable it on an existing bucket, contact AWS Support
- Enabling Object Lock automatically enables versioning for the bucket
- Once Object Lock is enabled, you can’t disable Object Lock or suspend versioning for the bucket
- S3 Object Lock provides two retention modes that apply different levels of protection to the objects
- Governance mode
- Users can’t overwrite or delete an object version or alter its lock settings unless they have special permissions
- Objects can be protected from being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary
- Can be used to test retention-period settings before creating a compliance-mode retention period
- Compliance mode
- A protected object version can’t be overwritten or deleted by any user, including the root user in your AWS account
- When an object is locked in compliance mode, its retention mode can’t be changed, and its retention period can’t be shortened
- Compliance mode helps ensure that an object version can’t be overwritten or deleted for the duration of the retention period
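The two retention modes above reduce to a small decision rule, which is easier to reason about in code. The following Python is an added illustration, not code from the article or from AWS; the names LockedVersion, Request and is_permitted are the example's own. It models whether Object Lock blocks a request during the retention period, including the case the page stresses: compliance mode refuses even the root user, while governance mode yields only to a caller who holds the bypass permission and sends the bypass header.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class RetentionMode(Enum):
    GOVERNANCE = "GOVERNANCE"
    COMPLIANCE = "COMPLIANCE"


@dataclass(frozen=True)
class LockedVersion:
    """An object version under an Object Lock retention period (example type)."""
    mode: RetentionMode
    retain_until: datetime


@dataclass(frozen=True)
class Request:
    """A change someone wants to make to the locked version (example type).

    action is one of: "delete", "overwrite", "shorten_retention",
    "extend_retention", "change_mode".
    bypass_governance is True only when the caller holds
    s3:BypassGovernanceRetention *and* sent the
    x-amz-bypass-governance-retention: true header; either alone is not enough.
    """
    action: str
    bypass_governance: bool = False
    is_root: bool = False


def is_permitted(version: LockedVersion, request: Request, now: datetime) -> bool:
    """Apply the retention-mode rules from the section above.

    Returns True when Object Lock itself does not block the request; the
    caller's ordinary IAM and bucket-policy permissions still apply on top.
    """
    # Once the retention period has passed, the lock no longer protects the version.
    if now >= version.retain_until:
        return True
    # Lengthening protection is always allowed in both modes.
    if request.action == "extend_retention":
        return True
    if version.mode is RetentionMode.COMPLIANCE:
        # Nobody, root included, may delete, overwrite, shorten the period
        # or change the mode while the period is in effect.
        return False
    # GOVERNANCE: protected from most users, but designated users holding the
    # bypass permission and header may delete, shorten or alter the lock.
    # is_root is deliberately ignored: root without the bypass is refused too.
    return request.bypass_governance


def demo_outcomes() -> dict:
    """Run the rule over a constructed set of scenarios and return the results."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    until = now + timedelta(days=365)  # constructed one-year retention period
    compliance = LockedVersion(RetentionMode.COMPLIANCE, until)
    governance = LockedVersion(RetentionMode.GOVERNANCE, until)
    return {
        "compliance_root_delete": is_permitted(compliance, Request("delete", is_root=True), now),
        "compliance_shorten_with_bypass": is_permitted(
            compliance, Request("shorten_retention", bypass_governance=True), now),
        "compliance_extend": is_permitted(compliance, Request("extend_retention"), now),
        "governance_delete_no_bypass": is_permitted(governance, Request("delete"), now),
        "governance_delete_with_bypass": is_permitted(
            governance, Request("delete", bypass_governance=True), now),
        "governance_delete_after_expiry": is_permitted(governance, Request("delete"), until),
    }


if __name__ == "__main__":
    for scenario, allowed in demo_outcomes().items():
        print(f"{scenario}: {'allowed' if allowed else 'blocked'}")
```

The asymmetry is the point to remember when choosing a mode: a governance-mode lock is reversible by whoever you grant s3:BypassGovernanceRetention to, so that permission deserves the same scrutiny as delete rights; a compliance-mode lock with an over-long period cannot be undone by anyone, which is why the page recommends rehearsing retention settings in governance mode first.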
S3 VPC Gateway Endpoint
- A VPC endpoint enables connections between a VPC and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
- The VPC is not exposed to the public internet
- A Gateway Endpoint is a gateway that you specify as the target for a route in your route table for traffic destined for S3
Security Confidence with AWS S3
From the S3 security features discussed above, we can see that S3 gives users the controls to protect their data, encrypt it, and grant permissions on resources. S3 provides ample security features for users to protect the resources they have created in their S3 buckets.
Apexon offers comprehensive cloud consulting and engineering capabilities to support customers’ digital initiatives including cloud strategy, migration, service discovery, and public/private cloud optimization. Our partnerships with AWS, Azure and GCP also equip us to unearth the full potential of these platforms for our clients. If you’re interested in learning more, check out Apexon’s Cloud Native Platform Engineering services or get in touch directly using the form below.