S3 Security

• User-Based
  • IAM Policies – which API calls should be allowed for a specific user from IAM
• Resource-Based
  • Bucket Policies – bucket wide rules from the S3 console - allows cross account
  • Object Access Control List (ACL) – finer grain (can be disabled)
  • Bucket Access Control List (ACL) – less common (can be disabled)
• Note: an IAM principal can access an S3 object if
  • The user IAM permissions ALLOW it OR the resource policy ALLOWS it
  • AND there’s no explicit DENY
• Encryption: encrypt objects in Amazon S3 using encryption keys

S3 Bucket Policies

• Use S3 bucket for policy to:
  • Grant public access to the bucket
  • Force objects to be encrypted at upload
  • Grant access to another account (Cross Account)
• You can use Bucket Policy Generator Here to generate policies file.
• Example policy

{
  "Id": "Policy1683734119029",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1683734116725",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Principal": "*"
    }
  ]
}

• Principal: the account or user to apply to
• Resources: buckets and objects
• Effect: allow or deny
• Action: List of S3 APIs

Versioning

• You can version your files in Amazon S3 and it is enabled at bucket level
• Any file that is not versioned prior to enabling versioning will have version “null”
• Suspending versioning does not delete the previous versions

Replication

• Cross-Region Replication (CRR)