Amazon S3 Security Best Practices Examples
Note
The list below is not a comprehensive list of S3 configuration best practices. Refer to AWS documentation for more details.
Block Public Access to Your Amazon S3 Storage
Enabling Block Public Access helps protect your resources by preventing public access from being granted through the resource policies or access control lists (ACLs) that are directly attached to S3 resources.
In addition to enabling Block Public Access, carefully inspect the following policies to confirm that they don’t grant public access:
- Identity-based policies attached to associated AWS principals (for example, IAM roles)
- Resource-based policies attached to S3 bucket (referred to as bucket policies)
Review Bucket Access Using IAM Access Analyzer for S3
IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.
IAM Access Analyzer for S3 is available at no extra cost on the Amazon S3 console. It is powered by AWS Identity and Access Management (IAM) Access Analyzer. To use IAM Access Analyzer for S3 in the Amazon S3 console, you must first visit the IAM console and enable IAM Access Analyzer on a per-Region basis.
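The two previous sections ask you to confirm that neither Block Public Access nor the bucket policy leaves a bucket open to anonymous or external principals. The following Python is an added example, not AWS code: it performs the same kind of static review locally on the policy document that GetBucketPolicy returns, flagging Allow statements whose Principal is "*" or an account other than the bucket owner, and checks a PublicAccessBlock configuration for the four expected flags. The account ids, bucket name and policy document are constructed for illustration.

```python
"""Static review of an S3 bucket policy for public or cross-account access.

Added example (not AWS code): it scans the policy document that
GetBucketPolicy returns and flags Allow statements whose Principal is
anonymous ("*") or an account other than the bucket owner, plus a helper
that checks a PublicAccessBlock configuration for the four expected flags.
The account ids, bucket name and policy below are constructed.
"""
import json
import re

OWN_ACCOUNT = "111111111111"  # constructed bucket-owner account id

# Constructed sample policy: one anonymous grant, one grant to another
# account, and one grant to a role in the owner's own account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OwnerRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# The four PublicAccessBlock settings; all should be true for a fully blocked bucket.
PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")

_ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


def _principals(principal):
    """Flatten a Principal element ("*", {"AWS": ...}, {"AWS": [...]}) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend([value] if isinstance(value, str) else value)
    return flat


def _account_of(principal):
    """Return the 12-digit account id named by an ARN or bare account principal, else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = _ACCOUNT_ARN.match(principal)
    return match.group(1) if match else None


def analyze_bucket_policy(policy_json, own_account):
    """Return one finding per Allow grant to an anonymous or external principal.

    A finding records the statement Sid, the principal, whether the grant is
    'public' or 'external', and whether the statement carries a Condition
    (a conditioned "*" grant may still be non-public in Block Public Access
    terms, so it is reported for review rather than treated as safe).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        for principal in _principals(stmt.get("Principal", {})):
            if principal == "*":
                kind = "public"
            else:
                account = _account_of(principal)
                if account is None or account == own_account:
                    continue              # service principal or same-account grant
                kind = "external"
            findings.append({"sid": stmt.get("Sid"), "principal": principal,
                             "kind": kind, "conditioned": conditioned})
    return findings


def public_access_fully_blocked(config):
    """True when every PublicAccessBlock flag in config (GetPublicAccessBlock shape) is set."""
    return all(config.get(flag) is True for flag in PUBLIC_ACCESS_BLOCK_FLAGS)


if __name__ == "__main__":
    for finding in analyze_bucket_policy(SAMPLE_POLICY, OWN_ACCOUNT):
        print(finding)
    print(public_access_fully_blocked({f: True for f in PUBLIC_ACCESS_BLOCK_FLAGS}))
```

The check is deliberately conservative: a "*" grant that carries a Condition (for example on aws:SourceVpc or aws:PrincipalOrgID) may not count as public under Block Public Access, so it is still listed for a human to review rather than silently accepted. IAM Access Analyzer performs this reasoning with full knowledge of your account and organization boundaries; a local scan like this one is a pre-commit aid, not a replacement for it.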
Enable Server-Side Encryption
All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3.
Amazon S3 also provides these server-side encryption options:
- Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)
- Dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS)
- Server-side encryption with customer-provided keys (SSE-C)
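To see how these options appear in a bucket's configuration, and what a client has to supply for SSE-C, here is an added Python example that is not AWS code. classify_encryption() reads the document that GetBucketEncryption returns and names the mode each rule selects (AES256, aws:kms, or aws:kms:dsse); sse_c_headers() computes the three request headers for a customer-provided key, since SSE-C is a per-request choice rather than a bucket default. The KMS key ARN and the all-zero demonstration key are constructed.

```python
"""Inspect S3 server-side encryption settings and build SSE-C request headers.

Added example (not AWS code). classify_encryption() reads the document that
GetBucketEncryption returns and names the mode each rule configures;
sse_c_headers() computes the headers a client must send when it supplies
its own key (SSE-C), which is a per-request option, not a bucket default.
The key ARN and the sample key below are constructed.
"""
import base64
import hashlib

# Constructed bucket encryption configuration (shape of GetBucketEncryption output).
SAMPLE_CONFIG = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}

# SSEAlgorithm values and the option each one selects.
_MODES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}


def classify_encryption(config):
    """Return, per rule, the encryption mode, the KMS key (if any) and the Bucket Key flag."""
    rules = config["ServerSideEncryptionConfiguration"]["Rules"]
    result = []
    for rule in rules:
        default = rule["ApplyServerSideEncryptionByDefault"]
        algorithm = default["SSEAlgorithm"]
        result.append({
            "mode": _MODES.get(algorithm, "unknown:" + algorithm),
            # absent for SSE-S3; absent for SSE-KMS means the AWS managed key aws/s3 is used
            "kms_key": default.get("KMSMasterKeyID"),
            "bucket_key": bool(rule.get("BucketKeyEnabled", False)),
        })
    return result


def sse_c_headers(key):
    """Build the SSE-C headers for a 256-bit customer-provided key.

    S3 expects the base64 key plus the base64 MD5 of the raw key so it can
    verify the key arrived intact; the key itself is not stored by S3.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


if __name__ == "__main__":
    print(classify_encryption(SAMPLE_CONFIG))
    demo_key = bytes(32)  # constructed all-zero key, for illustration only
    print(sse_c_headers(demo_key))
```

A practical reading of the classifier's output: a rule whose mode is SSE-KMS with a kms_key set names a customer managed key whose key policy you control, whereas SSE-KMS with no kms_key falls back to the AWS managed key. With SSE-C, the client must present the same key on every GET, and losing the key means losing the object, which is why the headers are computed from the key rather than stored anywhere server-side.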