๐Ÿ” Amazon S3 - Security Overview

Amazon S3 offersย fine-grained access control, strong encryption, and audit logging to ensure your data is secure at rest and in transit.


Object Encryption in S3

S3 supports server-side and client-side encryption to protect data at rest.

Types of Server-Side Encryption (SSE):

| Type | Description |
|---|---|
| SSE-S3 | Amazon manages the encryption keys |
| SSE-KMS | AWS Key Management Service (KMS) manages keys with audit trail |
| SSE-C | You manage and provide your own encryption keys |

๐Ÿ” SSE-S3 (Server-Side Encryption with Amazon-Managed Keys)

  • S3 automatically encrypts each object with a unique key
  • Keys are managed entirely by AWS
  • Uses AES-256 encryption

No need for extra configuration; can be enabled by default for a bucket.


๐Ÿ” SSE-KMS (Server-Side Encryption with AWS KMS)

  • Uses AWS Key Management Service for encryption
  • You can create and manage your own Customer Master Keys (CMKs)
  • Supports auditing and fine-grained access control via IAM policies

๐Ÿ” Suitable for regulated industries or compliance requirements.


๐Ÿ” SSE-C (Server-Side Encryption with Customer-Provided Keys)

  • You provide the encryption key with each PUT/GET request
  • AWS doesn't store the key; it only uses it to encrypt/decrypt during the request

You're fully responsible for key management and protection.


๐Ÿ›ก๏ธ Default Encryption vs Bucket Policies

Feature Behavior
Default Encryption Automatically encrypts all objects using specified SSE (e.g., SSE-S3, SSE-KMS)
Bucket Policies Control access to buckets/objects using JSON-based access rules

ย 

๐Ÿ“Œ Useย both together for maximum control: default encryption + policies to enforce who can upload/download.


๐ŸŒ What is CORS? (Cross-Origin Resource Sharing)

CORS allows web applications from one domain to access resources in another domain, such as files in S3.

Example: Allow your frontend hosted at example.com to load images from cdn.example-assets.com.

CORS in S3 is defined via XML in bucket settings:

<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>http://example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
  </CORSRule>
</CORSConfiguration>

Amazon S3 – MFA Delete

  • Requires multi-factor authentication (MFA) to delete:
    • Versioned objects
    • Bucket lifecycle configuration

Protects against accidental or malicious deletion

Must be enabled via CLI or SDK, not via Console.


S3 Access Logs

Logs every request made to your S3 bucket:

  • Requester IP
  • Action (PUT, GET, DELETE)
  • Timestamp
  • Response code

Stored in another S3 bucket, useful for:

  • Auditing
  • Billing analysis
  • Security review

Amazon S3 – Pre-Signed URLs

Generates temporary URLs that grant time-limited access to private S3 objects.

Example Use Case:

  • Allow users to download a file for 1 hour only

๐Ÿ› ๏ธ Generate via SDK:

s3.generatePresignedUrl("my-bucket", "file.txt", expirationTime);

S3 Glacier Vault Lock

Used with Glacier to enforce compliance via a Write Once Read Many (WORM) model.

  • Prevents modification or deletion of archives
  • Once locked, can't be changed even by the root user

Ideal for financial, legal, and healthcare data compliance.


S3 Object Lock

Protects objects from deletion for a specified period (WORM)

  • Requires Versioning to be enabled
  • Two modes:
    • Governance mode: Admins can override
    • Compliance mode: No one can delete, even AWS support

Common for regulatory compliance (SEC, FINRA, HIPAA)


S3 – Access Points

  • Create named network endpoints to access a bucket
  • Attach IAM and VPC-specific access policies
  • Allows multiple apps or teams to safely share a bucket

Best for:

  • Shared data lakes
  • Multi-tenant S3 access in large orgs

S3 Object Lambda

Enables on-the-fly transformation of objects as they are retrieved from S3.

Use Cases:

  • Masking PII from files
  • Resizing images
  • Filtering large datasets (e.g., JSON, CSV)

๐Ÿ› ๏ธ Backed by Lambda functions that intercept S3 GET requests.


Summary Table

| Feature | Description |
|---|---|
| SSE-S3 | Basic encryption with Amazon-managed keys |
| SSE-KMS | Encryption using AWS KMS-managed CMKs |
| SSE-C | Bring your own encryption keys |
| Default Encryption | Auto-encrypt all uploads with default method |
| CORS | Cross-domain access to S3 from browsers |
| MFA Delete | Prevent deletion without MFA |
| Access Logs | Log all access and operations on the bucket |
| Pre-Signed URLs | Temporary access to private objects |
| Glacier Vault Lock | Enforce immutability and compliance in Glacier |
| Object Lock | WORM protection at the object level |
| Access Points | Custom access policies per app or team |
| Object Lambda | Dynamic content transformation via Lambda |