Appendices
1 - Sample Configuration
CSV Format - No Header
Dataset
Patricia,Young,Patricia.Young@liu.info,8/25/1975,343494236548351
Ronald,Hess,Ronald.Hess@cobb.org,3/22/1977,5289549212515680
Anna,Rose,Anna.Rose@robinson.net,8/3/1983,4387393325002340
Maureen,Morgan,Maureen.Morgan@whitehead.com,10/23/1975,6011769162504860
Ryan,Lee,Ryan.Lee@summers-richards.com,4/6/1975,373509629162404
Mapping.json - Header Specified In Input Spec Section
{
  "input": {
    "format": "csv",
    "spec": {
      "names": ["first_name", "last_name", "email", "birthdate", "credit_card"]
    }
  },
  "columns": {
    "first_name": {
      "operation": "protect",
      "data_element": "deName"
    },
    "last_name": {
      "operation": "protect",
      "data_element": "deName"
    },
    "email": {
      "operation": "protect",
      "data_element": "deEmail"
    },
    "credit_card": {
      "operation": "protect",
      "data_element": "deCCN"
    },
    "birthdate": {
      "operation": "protect",
      "data_element": "deDOB"
    }
  }
}
CSV Format - Pipe Delimiter
Dataset
POLICY_NUM|ACTION_TAKEN_DATE|ACTION_TAKEN_TIME|PERSON_DOB|ADDR_LINE_1|ADDR_LINE_2|ADDR_CITY|ADDR_STATE|ADDR_ZIP|PERSON_NAME|PERSON_SSN
sbBksoknql8O|7/8/2011|08.00.07|9/23/1952|123 Maple Street|Apt 2B|Springfield|IL|62704|Abraham Duppstadt|755-30-1679
SdiWx5Egtxrd|7/22/2011|14.53.29|3/5/1957|456 Elm Avenue|Suite 300|Boulder|CO|80302|Christena Macklem|366-99-6352
QGOlnMvcJ50a|7/25/2011|07.14.10|7/20/1962|789 Pine Road|Unit 5|Madison|WI|53703|Ulrike Rehling|011-87-2771
MW5wPE5paWgN|7/29/2011|14.00.29|9/23/1961|321 Oak Lane|Building A|Austin|TX|78701|Summer Mauceri|806-32-5716
QGOlnMvcJ50a|7/29/2011|14.00.29|5/29/1986|654 Cedar Boulevard|Floor 4|Portland|OR|97209|Ora Scharpman|273-48-6482
Mapping.json
{
  "input": {
    "format": "csv",
    "spec": {
      "sep": "|",
      "encoding": "utf-8"
    }
  },
  "output": {
    "format": "csv",
    "spec": {
      "encoding": "utf-8",
      "compression": "gzip"
    }
  },
  "columns": {
    "PERSON_NAME": {
      "operation": "protect",
      "data_element": "deName"
    },
    "PERSON_SSN": {
      "operation": "protect",
      "data_element": "deSSN"
    },
    "ADDR_LINE_1": {
      "operation": "protect",
      "data_element": "deAddress"
    },
    "ADDR_LINE_2": {
      "operation": "protect",
      "data_element": "deAddress"
    },
    "ADDR_CITY": {
      "operation": "protect",
      "data_element": "deCity"
    },
    "POLICY_NUM": {
      "operation": "protect",
      "data_element": "deIBAN"
    }
  }
}
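The following is an added example, not part of the original documentation or the product's own code: a pre-flight audit that compares a mapping with a CSV sample and reports rows whose field count would shift values under the wrong data element, mapping keys that match no column, and columns no rule protects. It assumes `names` lists the columns positionally for header-less input and that `sep` defaults to a comma; `audit_mapping` and the sample values are hypothetical.

```python
import csv
import io
import json

# Constructed sample: the second data row is missing its last field.
SAMPLE_DATA = (
    "POLICY_NUM|PERSON_DOB|ADDR_ZIP|PERSON_NAME|PERSON_SSN\n"
    "A1|1/2/1970|00000|Test Person|000-00-0000\n"
    "A2|3/4/1980|00000|Other Person\n"
)
# Constructed mapping: ADDR_CITY does not exist in the sample header.
SAMPLE_MAPPING = json.dumps({
    "input": {"format": "csv", "spec": {"sep": "|"}},
    "columns": {
        "PERSON_NAME": {"operation": "protect", "data_element": "deName"},
        "PERSON_SSN": {"operation": "protect", "data_element": "deSSN"},
        "ADDR_CITY": {"operation": "protect", "data_element": "deCity"},
    },
})

def audit_mapping(mapping_text, data_text):
    """Compare a mapping document with a CSV sample; return findings as a dict."""
    mapping = json.loads(mapping_text)
    spec = mapping.get("input", {}).get("spec", {})
    sep = spec.get("sep", ",")      # assumption: comma when "sep" is absent
    rows = list(csv.reader(io.StringIO(data_text), delimiter=sep))
    names = spec.get("names")       # assumption: positional names, header-less input
    if names is None:
        header, rows = rows[0], rows[1:]
    else:
        header = names
    # A row with a different field count shifts values into the wrong
    # column, and therefore under the wrong data element.
    bad_rows = [i for i, r in enumerate(rows, start=1) if len(r) != len(header)]
    mapped = mapping.get("columns", {})
    return {
        "bad_rows": bad_rows,
        # Mapping keys that match no column: no value is protected for them.
        "unknown_columns": sorted(set(mapped) - set(header)),
        # Columns present in the data that no rule protects (left in clear).
        "unprotected": [c for c in header
                        if mapped.get(c, {}).get("operation") != "protect"],
    }

if __name__ == "__main__":
    print(json.dumps(audit_mapping(SAMPLE_MAPPING, SAMPLE_DATA), indent=2))
```

A field-count check cannot detect a `names` list that has the right length but the wrong order, so the order still has to be compared with the file by eye.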
JSON Format
Dataset
[
  {
    "Region": "Region 1",
    "Order Date": "01/12/2012",
    "Registration": "2016-01-01 01:01:01.001",
    "Order ID": 10,
    "Unit Price": 1.01
  },
  {
    "Region": "Region 2",
    "Order Date": "27/07/2012",
    "Registration": "2016-02-03 17:04:03.002",
    "Order ID": 20,
    "Unit Price": 456.01
  },
  {
    "Region": "Region 3",
    "Order Date": "27/07/2012",
    "Registration": "2016-02-03 01:09:31.003",
    "Order ID": 30,
    "Unit Price": 7.99
  },
  {
    "Region": "Region 4",
    "Order Date": "27/07/2012",
    "Registration": "2016-02-03 00:36:21.004",
    "Order ID": 40,
    "Unit Price": 89.99
  }
]
Mapping.json
{
  "columns": {
    "Region": {
      "operation": "protect",
      "data_element": "deAddress"
    },
    "Order Date": {
      "operation": "protect",
      "data_element": "deDate2"
    },
    "Registration": {
      "operation": "protect",
      "data_element": "deDOB"
    },
    "Order ID": {
      "operation": "protect",
      "data_element": "deNumeric"
    },
    "Unit Price": {
      "operation": "protect",
      "data_element": "deDecimal"
    }
  }
}
2 - Amazon S3 Security Best Practices Examples
Note
The list below is not a comprehensive list of S3 configuration best practices. Refer to AWS documentation for more details.
Block Public Access to Your Amazon S3 Storage
Enabling Block Public Access helps protect your resources by preventing public access from being granted through the resource policies or access control lists (ACLs) that are directly attached to S3 resources.
In addition to enabling Block Public Access, carefully inspect the following policies to confirm that they don’t grant public access:
- Identity-based policies attached to associated AWS principals (for example, IAM roles)
- Resource-based policies attached to the S3 bucket (referred to as bucket policies)
Review Bucket Access Using IAM Access Analyzer for S3
IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.
IAM Access Analyzer for S3 is available at no extra cost on the Amazon S3 console. It is powered by AWS Identity and Access Management (IAM) Access Analyzer. To use IAM Access Analyzer for S3 in the Amazon S3 console, you must visit the IAM console and enable IAM Access Analyzer on a per-Region basis.
Enable Server-Side Encryption
All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3.
Amazon S3 also provides these server-side encryption options:
- Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
- Dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS)
- Server-side encryption with customer-provided keys (SSE-C)