The Best Practices for Securing Data in AWS S3
Amazon Simple Storage Service (Amazon S3) is an incredibly powerful object storage service that runs on the world’s most extensive global cloud infrastructure. It features tremendous scalability and 99,99999999999% durability. In 2021 it is 15 years old and holds over 100 trillion objects. The versatility of AWS S3 as a storage tool, has opened up so many avenues for tech driven businesses and revolutionised website storage and content distribution.
For all its wonder, AWS S3 has unfortunately been the centre of some negative security press. ‘Leaky Bucket’ stories are on the rise, with poorly secured Amazon S3 bucket at the heart of some large scale data breaches. In the case of prestige software last November, 10 million files sadly included personally identifiable information and credit card details, complete with the CVV code.
The security of Amazon S3 is, and has always been, a shared responsibility between AWS and the user. AWS protects the infrastructure that runs AWS S3 and monitors the efficiency of its security measures. However, as a user, you are accountable for managing access to the data and complying with legal regulations.
Let’s go through some of the most effective best practices for securing data in AWS S3.
1. Enable Data Encryption
To secure your data in case of inappropriate access, ensure it is always encrypted – during both rest and transit. AWS recommends four main data encryption strategies:
- Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) is the most inexpensive option that you can activate with one click. In that case, AWS manages unique keys used to encrypt all the objects.
- Server-side encryption with customer master keys (CMKs) stored in AWS KMS (SSE-KMS) is similar to SSE-S3, but additional security measures are in place. It scans CMK usage and provides an extra permission layer (to use CMKs).
- Server-side encryption with customer-provided keys (SSE-C) is practical when you are obliged to manage your encryption keys. In this model, S3 provides encryption, and you are responsible for the creation, storage, tracking, and protection of the keys.
- Client-side encryption in which AWS does not handle encryption, decryption, and master keys. It requires you to encrypt the data before sending it to AWS and decrypt it after extracting it from AWS. It's used in the case of applications that require deeply embedded encryption.
2. Use S3 Block Public Access
S3 Block Public Access is an S3 security setting that blocks public access to your buckets at the account level. It is turned on by default for all new buckets. However, if you have any buckets created before the launch of this feature, make sure to turn it on for all existing buckets in your S3 console.S3 Block Public Access overrides Amazon S3 settings, so you get centralised control over public access by turning it on.
Remember that when your buckets are publicly accessible, the sensitive data you store can be potentially accessed by anyone via a URL.
3. Protect data against accidental deletion
Enable S3 Versioning for buckets that store critical or sensitive data. It will protect your data against accidental (and malicious) deletion by preserving and giving you the possibility to restore any version of any object stored in your S3 bucket. However, S3 Versioning entails additional cost, so it is recommended to use it for selected buckets only.
If the data you store must be WORM (write-once-read-many) protected because of laws and regulations, or you need an extra security layer, use the Object Lock feature. It keeps an object safe from being overwritten or deleted. You can turn it on for a specific time frame or indefinitely.
4. Monitor your S3 environment
For starters, use AWS Security Hub to track security alerts and automate security checks across all AWS accounts and services.
Secondly, make sure you are compliant with AWS Foundational Security Best Practices standard. It allows users to monitor whether their Amazon services follow best practices and guides them on how to improve their account security.
Lastly, if there are any specific API activities you would like to be altered about, configure CloudTrail Logs with Amazon CloudWatch, to receive email notifications when they occur. CloudTrail will track all activities in all your buckets or specific buckets and record them as audit logs. Then, they can be automatically filtered according to your custom specification, and when a particular API activity occurs, you will be alerted by Amazon Cloud Watch.
Like in other Amazon services, every active S3 bucket will generate additional costs, so keep that in mind when setting up the service.
5. Protect sensitive data with Amazon Macie
Amazon Macie constantly runs in the background and automatically monitors your whole S3 environment to inform you about any buckets that are unencrypted, public, shared, or replicated outside your organisation.
It uses machine learning to identify Personally Identifiable Information (PII), and other types of sensitive data. This is helpful for GDPR and Payment Card Industry Data Security Standard compliance. It also classifies the data sensitivity as high, medium, or low risk and notifies you accordingly. Macie is a cost-efficient and simple tool to ensure your Amazon S3 security.
What's the next step?
Securing the privacy and accuracy of information is one of the primary responsibilities of any organisation. Luckily for us, Amazon makes it easier by providing users with numerous features and tools that improve data security in AWS S3.
If you are to do one thing from the list, start with data encryption. If you’d like to go a little further, we would be happy to help with a free consultancy session to run you through your quick wins and bolster your cyber security posture in AWS. Submit your details below, and one of our AWS Consultants will be in touch!