
This post lists methods to secure your AWS S3 buckets, from configuring permissions correctly to logging and auditing.
- Use interface VPC endpoints (AWS PrivateLink) to access bucket objects from services in the VPC (such as applications running on EC2); the traffic stays on the AWS private network. Add a policy condition on the interface endpoint so that only traffic from a particular VPC ID is allowed.
- For critical buckets, enable versioning and object replication to a different AWS account in a separate AWS region, to which no one has access except the account owner.
- Have a bucket policy in place to ensure object deletion is permitted only with MFA.
- Separate read, write and delete access to buckets. If users or applications need write access, don't also grant read and delete access. Use S3 lifecycle rules to delete objects on a schedule rather than granting users IAM policies with delete access.
- In bucket resource policies with 'allow' rules, don't use a wildcard ('*') in the principal, action or resource.
- Use conditions in the policy to further restrict access. For example: "IpAddress": { "aws:SourceIp": "<your company IP range>" }
- For critical objects in a bucket, use S3 Object Lock. When enabled, the specific object version cannot be deleted or modified for the set retention period.
- Configure the bucket so that you, the bucket owner, own all objects in it. Bucket policy 'allow' permissions apply only to objects owned by the bucket owner.
- Enable the bucket's 'Block all public access' setting. Avoid bucket ACL permissions; you should be able to manage every kind of access using IAM and S3 resource policies.
- Add a bucket policy that rejects uploads of any object that would grant public access.
- If using AWS Organizations, use Service Control Policies (SCPs) to deny disabling the 'Block all public access' setting.
- Add tags to critical buckets (e.g., 'security-critical' with value 'true'). Use the AWS Resource Groups tag editor to list all buckets (and other AWS resources) carrying this tag, then run your audit or security actions against the tagged resources.
- Use IAM Access Analyzer for S3 (available on the S3 console page) to verify that bucket access policies grant only the access you intend.
- Use pre-signed URLs to upload or share objects in an S3 bucket without changing the policies. These URLs grant time-limited access; for example, make them valid for 5 or 10 minutes.
- Turn on server access logging to record the requests made against bucket objects.
- Turn on CloudTrail to record the actions your users perform on S3; this is helpful for auditing.
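As an added example (not code from the original post), the Python script below builds a deny-only bucket policy that implements the VPC endpoint, source IP range, MFA-only deletion and no-public-upload items above, and includes a small check for the no-wildcard-in-allow rule. The bucket name, endpoint ID and CIDR are placeholders the caller supplies.

```python
import json


def _as_list(value):
    """Normalise a policy field that may be a string, a list, or a {key: value} map."""
    if isinstance(value, dict):
        return [v for vs in value.values() for v in _as_list(vs)]
    return value if isinstance(value, list) else [value]


def build_bucket_policy(bucket, vpce_id, corp_cidr):
    """Deny-only policy for the VPC-endpoint, source-IP, MFA-delete and
    no-public-ACL controls. bucket, vpce_id and corp_cidr are caller-supplied placeholders."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {   # The Deny fires only when BOTH conditions hold (neither the interface
            # endpoint nor the corporate range), so either path remains usable.
            "Sid": "DenyOutsideVpceAndCorpRange", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id},
                          "NotIpAddress": {"aws:SourceIp": corp_cidr}}},
        {   # Deletions need an MFA-authenticated session; BoolIfExists also denies
            # callers whose request context carries no MFA key at all.
            "Sid": "DenyDeleteWithoutMfa", "Effect": "Deny", "Principal": "*",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"], "Resource": f"{arn}/*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {   # Reject uploads that request a public or authenticated-users canned ACL.
            "Sid": "DenyPublicAclOnUpload", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"{arn}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": [
                "public-read", "public-read-write", "authenticated-read"]}}},
    ]}


def find_wildcard_allows(policy):
    """Return the Sids of Allow statements whose principal, action or resource is a
    wildcard: a bare '*' principal/resource, or any '*' inside an action name."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        star_principal = "*" in _as_list(stmt.get("Principal", []))
        star_action = any("*" in a for a in _as_list(stmt.get("Action", [])))
        star_resource = "*" in _as_list(stmt.get("Resource", []))
        if star_principal or star_action or star_resource:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = build_bucket_policy("example-bucket", "vpce-0123456789abcdef0", "203.0.113.0/24")
    print(json.dumps(policy, indent=2))
```

Run it to print the policy JSON, which can then be pasted into the bucket's policy editor after replacing the placeholder values; IAM Access Analyzer can confirm the resulting access is what you intended.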