🔐 Amazon S3 - Security Overview

Amazon S3 offers fine-grained access control, strong encryption, and audit logging to ensure your data is secure at rest and in transit.

🔑 Object Encryption in S3

S3 supports server-side and client-side encryption to protect data at rest.

Types of Server-Side Encryption (SSE):

Type Description
SSE-S3 Amazon manages the encryption keys
SSE-KMS AWS Key Management Service (KMS) manages keys with audit trail
SSE-C You manage and provide your own encryption keys

🔐 SSE-S3 (Server-Side Encryption with Amazon-Managed Keys)

  • S3 automatically encrypts each object with a unique key
  • Keys are managed entirely by AWS
  • Uses AES-256 encryption

🔧 No need for extra configuration—can be enabled by default for a bucket.

🔐 SSE-KMS (Server-Side Encryption with AWS KMS)

  • Uses AWS Key Management Service for encryption
  • You can create and manage your own Customer Master Keys (CMKs)
  • Supports auditing and fine-grained access control via IAM policies

🔐 Suitable for regulated industries or compliance requirements.

🔐 SSE-C (Server-Side Encryption with Customer-Provided Keys)

  • You provide the encryption key with each PUT/GET request
  • AWS doesn’t store the key; it only uses it to encrypt/decrypt during the request

⚠️ You’re fully responsible for key management and protection.

🛡️ Default Encryption vs Bucket Policies

Feature Behavior
Default Encryption Automatically encrypts all objects using specified SSE (e.g., SSE-S3, SSE-KMS)
Bucket Policies Control access to buckets/objects using JSON-based access rules

 

📌 Use both together for maximum control: default encryption + policies to enforce who can upload/download.

🌐 What is CORS? (Cross-Origin Resource Sharing)

CORS allows web applications from one domain to access resources in another domain, such as files in S3.

🧠 Example: Allow your frontend hosted at example.com to load images from cdn.example-assets.com.

CORS in S3 is defined via XML in bucket settings:

<CORSRule>
  <AllowedOrigin>http://example.com</AllowedOrigin>
  <AllowedMethod>GET</AllowedMethod>
</CORSRule>

🧩 Amazon S3 – MFA Delete

  • Requires multi-factor authentication (MFA) to delete:
    • Versioned objects
    • Bucket lifecycle configuration

✅ Protects against accidental or malicious deletion

🔐 Must be enabled via CLI or SDK, not via Console.

📄 S3 Access Logs

Logs every request made to your S3 bucket:

  • Requester IP
  • Action (PUT, GET, DELETE)
  • Timestamp
  • Response code

📊 Stored in another S3 bucket, useful for:

  • Auditing
  • Billing analysis
  • Security review

🔗 Amazon S3 – Pre-Signed URLs

Generates temporary URLs that grant time-limited access to private S3 objects.

🧠 Example Use Case:

  • Allow users to download a file for 1 hour only

🛠️ Generate via SDK:

s3.generatePresignedUrl("my-bucket", "file.txt", expirationTime);

🧊 S3 Glacier Vault Lock

Used with Glacier to enforce compliance via Write Once Read Many (WORM) model.

  • Prevents modification or deletion of archives
  • Once locked, can’t be changed even by the root user

✅ Ideal for financial, legal, and healthcare data compliance.

🧷 S3 Object Lock

Protects objects from deletion for a specified period (WORM)

  • Requires Versioning to be enabled
  • Two modes:
    • Governance mode: Admins can override
    • Compliance mode: No one can delete—even AWS support

✅ Common for regulatory compliance (SEC, FINRA, HIPAA)

🎯 S3 – Access Points

  • Create named network endpoints to access a bucket
  • Attach IAM and VPC-specific access policies
  • Allows multiple apps or teams to safely share a bucket

🧠 Best for:

  • Shared data lakes
  • Multi-tenant S3 access in large orgs

🔄 S3 Object Lambda

Enables on-the-fly transformation of objects as they are retrieved from S3.

🎯 Use Cases:

  • Masking PII from files
  • Resizing images
  • Filtering large datasets (e.g., JSON, CSV)

🛠️ Backed by Lambda functions that intercept S3 GET requests.

✅ Summary Table

Feature Description
SSE-S3 Basic encryption with Amazon-managed keys
SSE-KMS Encryption using AWS KMS-managed CMKs
SSE-C Bring your own encryption keys
Default Encryption Auto-encrypt all uploads with default method
CORS Cross-domain access to S3 from browsers
MFA Delete Prevent deletion without MFA
Access Logs Log all access and operations on the bucket
Pre-Signed URLs Temporary access to private objects
Glacier Vault Lock Enforce immutability and compliance in Glacier
Object Lock WORM protection at the object level
Access Points Custom access policies per app or team
Object Lambda Dynamic content transformation via Lambda
Back to blog

Leave a comment