What is an S3 bucket and how does it work?
Amazon S3 is an object storage service in AWS Cloud that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.
To store your data in Amazon S3, you first create a bucket and specify a bucket name and AWS Region. Then, you upload your data to that bucket as objects in Amazon S3. Each object has a key (or key name), which is the unique identifier for the object within the bucket.
S3 provides features that you can configure to support your specific use case. For example, you can use S3 Versioning to keep multiple versions of an object in the same bucket, which allows you to restore objects that are accidentally deleted or overwritten.
Buckets and the objects in them are private and can be accessed only if you explicitly grant access permissions. You can use bucket policies, AWS Identity and Access Management (IAM) policies, access control lists (ACLs), and S3 Access Points to manage access.
Now let’s understand what IAM policies and ACLs are.
IAM policies define the permissions granted to users or roles to carry out certain operations in the cloud environment. So, from a security point of view, the root user should grant fine-grained permissions to IAM users and groups.
ACLs: We can use ACLs to grant read and write permissions to authorized users for individual buckets and objects. Each bucket and object has an ACL attached to it as a subresource. The ACL defines which AWS accounts or groups are granted access and the type of access. ACLs are an access control mechanism that predates IAM.
Types of data it can store:
Industries use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications (personally identifiable information of users, audio and video files), backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides management features so that you can optimize, organize, and configure access to your data to meet your specific business, organizational, and compliance requirements.
Recent update on S3 encryption: Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 will be automatically encrypted at no additional cost and with no impact on performance. Currently, the automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in AWS CloudTrail logs, S3 Inventory, and S3 Storage Lens. During the next few weeks, the automatic encryption status will also be rolled out to the Amazon S3 console and as an additional Amazon S3 API response header in the AWS Command Line Interface and AWS SDKs.
Best practices to secure S3 buckets:
AWS follows a shared responsibility model for securing the cloud environment, which means that both AWS and we, as users, are collectively responsible for securing the data we store in the cloud.
AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely.
Our responsibility is determined by the AWS services that we use. We are also responsible for other factors, including the sensitivity of our data, our organization’s requirements, and applicable laws and regulations. For Amazon S3, our responsibility includes the following areas:
- Disable access control lists (ACLs): With ACLs disabled, the bucket owner automatically owns and has full control over every object in the bucket, and ACLs no longer affect permissions to the contents of the S3 bucket. The bucket then uses policies alone to define access control, instead of the older model in which the AWS account that uploads an object owns it, has full control over it, and can grant other users access to it through ACLs.
- Ensure that your Amazon S3 buckets use the correct policies and are not publicly accessible: Unless you explicitly require anyone on the internet to be able to read from or write to your S3 bucket, you should make sure that your S3 bucket is not public.
- Implement least privilege access: When granting permissions, you decide who is getting what permissions to which Amazon S3 resources. You enable the specific actions that you want to allow on those resources. Therefore, you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
- Use IAM roles for applications and AWS services that require Amazon S3 access: For applications on Amazon EC2 or other AWS services to access Amazon S3 resources, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or on the Amazon EC2 instance. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised.
Instead, you should use an IAM role to manage temporary credentials for applications or services that need to access Amazon S3. When you use a role, you don’t have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance or AWS service such as AWS Lambda. The role supplies temporary permissions that applications can use when they make calls to other AWS resources.
- Consider encryption of data at rest
Server-Side Encryption: Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects. Server-side encryption can help reduce risk to your data by encrypting the data with a key that is stored in a different mechanism than the mechanism that stores the data itself.
Amazon S3 provides these server-side encryption options:
- Server-side encryption with Amazon S3‐managed keys (SSE-S3).
- Server-side encryption with KMS keys stored in AWS Key Management Service (SSE-KMS).
- Server-side encryption with customer-provided keys (SSE-C).
Client-Side Encryption: Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. As with server-side encryption, client-side encryption can help reduce risk by encrypting the data with a key that is stored in a different mechanism than the mechanism that stores the data itself.
- Enforce encryption of data in transit: You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. You should allow only encrypted connections over HTTPS (TLS) by using the aws:SecureTransport condition in Amazon S3 bucket policies.
- Consider S3 Object Lock: Using S3 Object Lock enables you to store objects using a “Write Once Read Many” (WORM) model. S3 Object Lock can help prevent accidental or inappropriate deletion of data. For example, you could use S3 Object Lock to help protect your AWS CloudTrail logs.
- Enable versioning: Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning enabled, you can easily recover from both unintended user actions and application failures.
- Consider Amazon S3 cross-region replication: Although Amazon S3 stores your data across multiple geographically distant Availability Zones by default, compliance requirements might dictate that you store data at even greater distances. Cross-region replication (CRR) allows you to replicate data between distant AWS Regions to help satisfy these requirements. CRR enables automatic, asynchronous copying of objects across buckets in different AWS Regions.
- Consider VPC endpoints for Amazon S3 access: A VPC endpoint for Amazon S3 is a logical entity within a virtual private cloud (VPC) that allows connectivity only to Amazon S3. You can use Amazon S3 bucket policies to control access to buckets from specific VPC endpoints or specific VPCs. A VPC endpoint can help prevent traffic from traversing the open internet and being exposed to it.
- Use managed AWS services to receive actionable findings in your AWS accounts, such as AWS Security Hub, AWS Identity and Access Management Access Analyzer, and Amazon GuardDuty.
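The two bucket-policy conditions mentioned above (aws:SecureTransport for encryption in transit and the VPC endpoint restriction) in a worked form, as an added example that is not part of the original post: it builds the hardened bucket policy and runs a minimal evaluator over constructed request contexts to show which requests the explicit Deny statements catch. The bucket name and VPC endpoint id are placeholders, and the evaluator only implements the two condition operators the policy uses.

```python
import json

BUCKET = "example-bucket"           # constructed placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"  # constructed placeholder VPC endpoint id


def hardened_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy with two explicit Deny statements: one refusing any
    request not sent over TLS (aws:SecureTransport is false) and one refusing
    requests that did not arrive through the named VPC endpoint."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyAccessOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def is_denied(policy: dict, request: dict) -> bool:
    """Minimal evaluator (simplification, not the IAM engine): a request is
    denied when any Deny statement's condition matches its context keys.
    Like IAM, StringNotEquals matches when the key is absent, so an internet
    request with no aws:SourceVpce value is denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for op, pairs in stmt["Condition"].items():
            for key, want in pairs.items():
                have = request.get(key)
                if op == "Bool" and str(have).lower() == want:
                    return True
                if op == "StringNotEquals" and have != want:
                    return True
    return False


if __name__ == "__main__":
    print(json.dumps(hardened_bucket_policy(BUCKET, VPCE_ID), indent=2))
```

The VPC endpoint Deny also blocks console and CLI access from outside that endpoint, including the bucket owner's own, so scope its Principal or conditions carefully before applying it.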