How to secure an AWS S3 bucket

If you are using an S3 bucket to store files, or plan to use S3 as storage, these are the ways to make the S3 service secure for your application.

1. Grant the application access to the bucket through an IAM role with a least-privilege policy, rather than through long-lived access keys on an IAM user.

In the example the role was limited to the List, Read and Write access levels. Note that the console's Write level covers deleting objects as well as creating them (s3:DeleteObject alongside s3:PutObject), so where possible narrow the policy further to the specific actions and the specific bucket ARN the application needs.

2. In the bucket policy, allow only the actions a principal needs on the specific resources (the bucket ARN for s3:ListBucket, the bucket ARN followed by /* for object actions), and use explicit Deny statements for conditions that must never be met, since an explicit Deny overrides any Allow from IAM or the bucket policy.

Bucket -> Permissions Tab -> Bucket Policy

3. Block all public access unless you really require it. The four Block Public Access settings stop public ACLs and public bucket policies from taking effect even if someone adds one later, so leave them on and treat any exception as a deliberate, reviewed decision.

Bucket -> Permissions Tab -> Block public access (bucket settings)

4. Enable server-side encryption by default for objects placed in the bucket so that data at rest is protected, for example against access to the underlying storage media. You can use the AWS managed key (aws/s3) or a customer managed KMS key; the AWS managed key is rotated automatically once a year, and for a customer managed key you should enable automatic rotation yourself. With SSE-KMS, S3 still encrypts and decrypts objects transparently: you do not encrypt files in the application, but every principal that uploads or reads objects also needs kms:GenerateDataKey and kms:Decrypt on the key. That second authorization check, together with the key usage recorded in CloudTrail, is the main security gain over SSE-S3. Server-side encryption does not protect against a caller who already holds s3:GetObject and the KMS permissions; the bucket policy and IAM policies are still what control access. If the data must stay unreadable even to privileged AWS principals, that requires client-side encryption, where the application encrypts before upload and decrypts after download.

Bucket -> Properties Tab -> Default encryption

5. Configure AWS CloudTrail data events for the bucket. Management events record only API calls such as creating a bucket or changing its policy; data events add object-level operations (GetObject, PutObject, DeleteObject), which is what you need to detect and investigate suspicious access to the data itself. Data events are billed per event, so enable them at least for sensitive buckets, and send the trail to a separate log bucket that the application role cannot write to.

Bucket -> Properties Tab -> AWS CloudTrail data events

6. The bucket policy should only allow requests that use HTTPS. Add a Deny statement for all s3:* actions with the condition aws:SecureTransport set to false, covering both the bucket ARN and the object ARN, so that credentials and data never travel in cleartext. The AWS Config managed rule s3-bucket-ssl-requests-only checks for exactly this statement.
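The six steps above applied as code rather than console clicks. This is an added example, not code from the original post or from AWS: it builds the least-privilege bucket policy with the HTTPS-only Deny (steps 2 and 6), audits a policy for public Allow statements and for gaps in the HTTPS-only Deny, builds the SSE-KMS default encryption rule (step 4), and, when run directly, applies everything with boto3 including Block Public Access (step 3) and CloudTrail object-level data events (step 5). The bucket name, role ARN, KMS key ARN and trail name are placeholder assumptions.

```python
"""Harden an S3 bucket: least-privilege bucket policy, HTTPS-only, Block Public
Access, SSE-KMS default encryption and CloudTrail object-level logging.

Added example, not from the original post. All resource names below are
placeholders (assumptions), not real resources.
"""
import json

BUCKET = "example-app-data"                                  # assumed bucket name
APP_ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"     # assumed role ARN
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"     # assumed CMK ARN
               "11111111-2222-3333-4444-555555555555")
TRAIL_NAME = "app-trail"                                      # assumed existing trail


def bucket_policy(bucket: str, app_role_arn: str) -> dict:
    """Least-privilege policy for one application role plus an HTTPS-only Deny."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"       # object actions need the /* form
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Only the object actions the app needs (no DeleteObject).
                "Sid": "AppRoleObjects",
                "Effect": "Allow",
                "Principal": {"AWS": app_role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": objects_arn,
            },
            {   # ListBucket is a bucket-level action, so it targets the bucket ARN.
                "Sid": "AppRoleList",
                "Effect": "Allow",
                "Principal": {"AWS": app_role_arn},
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {   # Explicit Deny beats any Allow: refuse every cleartext request.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, objects_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def audit_policy(policy: dict, bucket: str) -> list[str]:
    """Return problems found: public Allow statements and missing HTTPS-only Deny."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    problems, https_covered = [], set()
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or principal == {"AWS": "*"}
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") == "Allow" and wildcard:
            problems.append(f"{sid}: Allow to Principal '*' makes the bucket public")
        cond = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") == "Deny" and wildcard and str(cond).lower() == "false":
            res = st.get("Resource", [])
            https_covered.update([res] if isinstance(res, str) else res)
    for arn in (bucket_arn, objects_arn):   # the Deny must cover both ARN forms
        if arn not in https_covered:
            problems.append(f"no HTTPS-only Deny covering {arn}")
    return problems


def default_encryption_config(kms_key_arn: str) -> dict:
    """SSE-KMS with a customer managed key; Bucket Keys cut KMS call volume."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,
    }]}


if __name__ == "__main__":
    import boto3   # needed only to apply; AWS credentials must be configured
    policy = bucket_policy(BUCKET, APP_ROLE_ARN)
    assert not audit_policy(policy, BUCKET), audit_policy(policy, BUCKET)
    s3 = boto3.client("s3")
    s3.put_public_access_block(Bucket=BUCKET, PublicAccessBlockConfiguration={
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    s3.put_bucket_encryption(
        Bucket=BUCKET,
        ServerSideEncryptionConfiguration=default_encryption_config(KMS_KEY_ARN))
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(policy))
    # Object-level (data) events for this bucket on an existing trail.
    boto3.client("cloudtrail").put_event_selectors(
        TrailName=TRAIL_NAME,
        EventSelectors=[{
            "ReadWriteType": "All", "IncludeManagementEvents": True,
            "DataResources": [{"Type": "AWS::S3::Object",
                               "Values": [f"arn:aws:s3:::{BUCKET}/"]}]}])
```

The audit deliberately runs before anything is applied: with BlockPublicPolicy on, S3 would reject a policy that grants public access anyway, but checking the HTTPS-only Deny covers both the bucket ARN and the object ARN catches the common mistake of denying cleartext only on one of them. The application role still needs kms:GenerateDataKey and kms:Decrypt on the key for uploads and downloads to succeed under SSE-KMS.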
