Makayla Mayne.com

AWS: S3 Security

What is S3?

S3 (Simple Storage Service) is a scalable, fully managed object storage service. It can host static websites and store files of any type, including images and JavaScript files. S3 is also a good option for data backup, with different storage classes tailored to how often the data is accessed. With its standard storage class, S3 is a highly economical choice for small businesses that want to host static websites efficiently.

Keywords for S3 with regard to security?

These keywords scream S3:

  • “Block public access”
  • “Bucket policy”
  • “Pre‑signed URL”
  • “SSE‑KMS / SSE‑S3”
  • “Client‑side encryption”
  • “Access Points”
  • “VPC Endpoint (Gateway)”
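Two of those keywords, "Block public access" and "Bucket policy", come together in one practical check: does a bucket policy hand access to the whole internet? The linter below is an added example written for this post, not code from the author or from AWS. It reads a policy document offline with the standard library and reports every Allow statement whose principal is "*" and that is not scoped by a condition such as aws:SourceVpce. The policy at the bottom is constructed; the bucket name, account id and VPC endpoint id are placeholders.

```python
"""Flag bucket-policy statements that grant access to the whole internet.

Added example (not from the original post): an offline linter for an S3
bucket policy document, standard library only. The policy at the bottom
is constructed; the bucket name, account id and VPC endpoint id are
placeholders.
"""
import json

# Condition keys that scope a "*" principal to something narrower than the
# open internet (a VPC endpoint, an organisation, an account). A statement
# carrying one of these is not world-readable even though Principal is "*".
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid",
    "aws:principalaccount", "aws:principalarn", "aws:sourcearn",
    "aws:sourceaccount",
}


def _as_list(value):
    """Policy JSON allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_scoping_condition(statement):
    for operator_block in statement.get("Condition", {}).values():
        for condition_key in operator_block:
            if condition_key.lower() in SCOPING_CONDITION_KEYS:
                return True
    return False


def find_public_statements(policy):
    """Return [(Sid, [actions])] for every Allow statement open to anyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if _has_scoping_condition(stmt):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


# Constructed sample policy: one world-readable statement, one scoped to a
# (placeholder) VPC endpoint, one granted to a specific placeholder account.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
    {"Sid": "AccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

if __name__ == "__main__":
    for sid, actions in find_public_statements(SAMPLE_POLICY):
        print(f"PUBLIC: statement {sid} allows {', '.join(actions)} to anyone")
```

Only the PublicRead statement is reported: VpcOnly also uses a "*" principal but is limited to one VPC endpoint, and AccountRead names a specific account. In a real account, the S3 Block Public Access settings (BlockPublicPolicy and RestrictPublicBuckets) are the guardrail that rejects or neutralises a statement like PublicRead; the linter shows what that guardrail is there to catch.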

S3 Encryption

S3 buckets have encryption enabled by default. Just as there are different storage classes, there are different ways of controlling how our data is encrypted. If you want to manage the encryption process yourself, you would use client-side encryption: the data is encrypted before it is sent to the server, which gives a very high degree of privacy because the plaintext never leaves your side.

Another type of encryption you will encounter on the exam is AWS KMS, which stands for AWS Key Management Service. This service gives you centralized control over your encryption keys, allowing for effective key management. Unlike client-side encryption, where keys are managed before anything is transmitted to the server, AWS KMS works together with CloudTrail to audit key usage: it gives detailed insight into who used your keys, where, and when. Remember that CloudTrail is the service that records trails of activity and tracks compliance and events for the various services across your AWS accounts.
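The "who, where and when" that CloudTrail gives you for KMS keys is concrete data you can query. The script below is an added example written for this post (not the author's code and not an AWS tool): it walks a CloudTrail log file, keeps only the KMS operations that actually use key material, summarises usage per key and caller, and flags any caller that is not on an expected list. The records are constructed to resemble CloudTrail events for SSE-KMS activity (S3 puts the object ARN in the encryption context under aws:s3:arn); the account id, key id, principals and IP addresses are placeholders.

```python
"""Who used which KMS key, from where and when, according to CloudTrail.

Added example (not from the original post). The records are constructed
to resemble CloudTrail events for KMS calls made for SSE-KMS objects;
account id, key id, principals and IP addresses are placeholders.
"""
import json

SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T10:00:12Z", "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey", "sourceIPAddress": "198.51.100.2",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-1"}],
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.pdf"}}},
 {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "sourceIPAddress": "198.51.100.2",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-1"}],
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.pdf"}}},
 {"eventTime": "2024-05-01T23:41:05Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"},
  "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-1"}],
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/payroll.csv"}}},
 {"eventTime": "2024-05-01T11:15:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "198.51.100.2",
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}}
]}
""")

# KMS operations that use key material; management calls such as DescribeKey
# are left out so the summary reflects data access rather than housekeeping.
KEY_USE_EVENTS = {"Encrypt", "Decrypt", "GenerateDataKey",
                  "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}


def _is_key_use(rec):
    return (rec.get("eventSource") == "kms.amazonaws.com"
            and rec.get("eventName") in KEY_USE_EVENTS)


def key_usage(records):
    """Map (key ARN, caller ARN) -> {'count', 'first', 'last', 'sources'}."""
    usage = {}
    for rec in records:
        if not _is_key_use(rec):
            continue
        key_arn = rec["resources"][0]["ARN"]
        caller = rec["userIdentity"]["arn"]
        when = rec["eventTime"]
        entry = usage.setdefault((key_arn, caller),
                                 {"count": 0, "first": when, "last": when, "sources": set()})
        entry["count"] += 1
        # ISO-8601 UTC timestamps of equal shape compare correctly as strings.
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["sources"].add(rec["sourceIPAddress"])
    return usage


def unexpected_key_use(records, expected_callers):
    """(time, caller, source IP, S3 object) for key use by anyone not expected."""
    hits = []
    for rec in records:
        if not _is_key_use(rec):
            continue
        caller = rec["userIdentity"]["arn"]
        if caller in expected_callers:
            continue
        ctx = rec.get("requestParameters", {}).get("encryptionContext", {})
        hits.append((rec["eventTime"], caller, rec["sourceIPAddress"],
                     ctx.get("aws:s3:arn", "<not an S3 call>")))
    return hits


if __name__ == "__main__":
    for (key_arn, caller), info in key_usage(SAMPLE_TRAIL["Records"]).items():
        print(f"{key_arn} used {info['count']}x by {caller} "
              f"from {sorted(info['sources'])} between {info['first']} and {info['last']}")
    for hit in unexpected_key_use(SAMPLE_TRAIL["Records"], {"arn:aws:iam::111111111111:user/alice"}):
        print("UNEXPECTED:", hit)
```

The GetObject record is ignored because it is an S3 event, not a KMS one; the late-night Decrypt by the contractor is the one that gets flagged. On a real trail you would read the same Records array from the gzipped files CloudTrail delivers to its own S3 bucket.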

S3 CORS

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that allows a web application to request resources from a different domain than the one it originated from. It works by using HTTP headers to tell the browser which origins, methods, and headers are permitted. For certain types of requests, the browser first sends a preflight request to the server to check whether the requested operation is allowed. The server’s response can specify which HTTP methods, such as GET or PUT, are permitted.

Keywords in regards to CORS?

When CORS shows up in questions, it will often be tied to:

  • Configuring secure access for web clients
  • Identifying correct CORS headers
  • Understanding how browsers enforce same-origin policy vs. allowed origins
  • Troubleshooting failed cross-origin API calls
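To make the browser side of this concrete, here is an added example (written for this post, not the author's code and not how S3 is implemented internally): it takes a bucket CORS configuration in the JSON shape that `aws s3api put-bucket-cors` accepts, finds the first rule that matches a preflight request's Origin, requested method and requested headers, builds the response headers a browser would look at, and lints rules that combine a wildcard origin with write methods. The matching logic follows the documented rule semantics (rules are tried in order; one `*` wildcard is allowed in origins and headers); the response-header builder is an approximation for illustration. The configuration and requests are constructed.

```python
"""Evaluate an S3 CORS configuration the way a browser preflight sees it.

Added example (not from the original post). The rules and the requests
are constructed; the origins are example domains.
"""
import json

SAMPLE_CORS = json.loads("""
{"CORSRules": [
  {"ID": "app-read-write",
   "AllowedOrigins": ["https://app.example.com"],
   "AllowedMethods": ["GET", "PUT"],
   "AllowedHeaders": ["Content-Type", "x-amz-meta-*"],
   "ExposeHeaders": ["ETag"],
   "MaxAgeSeconds": 3000},
  {"ID": "wildcard-upload",
   "AllowedOrigins": ["*"],
   "AllowedMethods": ["PUT", "DELETE"],
   "AllowedHeaders": ["*"]},
  {"ID": "public-read",
   "AllowedOrigins": ["*"],
   "AllowedMethods": ["GET"]}
]}
""")

WRITE_METHODS = {"PUT", "POST", "DELETE"}


def _pattern_match(pattern, value):
    """Match an AllowedOrigins/AllowedHeaders entry, which may hold one '*'."""
    if "*" not in pattern:
        return pattern.lower() == value.lower()
    prefix, suffix = pattern.lower().split("*", 1)
    v = value.lower()
    return (len(v) >= len(prefix) + len(suffix)
            and v.startswith(prefix) and v.endswith(suffix))


def match_rule(cors_config, origin, method, request_headers=()):
    """First rule whose origin, method and every requested header all match, else None."""
    for rule in cors_config["CORSRules"]:
        if not any(_pattern_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed_headers = rule.get("AllowedHeaders", [])
        if not all(any(_pattern_match(p, h) for p in allowed_headers)
                   for h in request_headers):
            continue
        return rule
    return None


def preflight_response(cors_config, origin, method, request_headers=()):
    """Headers for the OPTIONS response; {} means the browser blocks the call."""
    rule = match_rule(cors_config, origin, method, request_headers)
    if rule is None:
        return {}
    headers = {
        "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
        "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
    }
    if request_headers:
        headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
    if rule.get("ExposeHeaders"):
        headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
    if "MaxAgeSeconds" in rule:
        headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
    return headers


def risky_rules(cors_config):
    """IDs of rules that let any origin on the internet send write methods."""
    return [rule.get("ID", "<no ID>") for rule in cors_config["CORSRules"]
            if "*" in rule["AllowedOrigins"]
            and WRITE_METHODS & set(rule["AllowedMethods"])]


if __name__ == "__main__":
    print(preflight_response(SAMPLE_CORS, "https://app.example.com", "PUT",
                             ["Content-Type", "x-amz-meta-owner"]))
    print(preflight_response(SAMPLE_CORS, "https://other.example.org", "PATCH"))
    print("risky rules:", risky_rules(SAMPLE_CORS))
```

The troubleshooting angle: a "failed cross-origin API call" is usually a preflight that matched no rule, so an empty dictionary here is exactly the symptom the browser console shows. The lint catches the other direction, a rule that is too generous; the CORS configuration only tells browsers what to allow and is not an access control, so such a rule should still be paired with a tight bucket policy.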

S3 MFA Delete

S3 MFA Delete helps prevent buckets from being accidentally deleted. When you enable MFA Delete, only the root user can permanently delete object versions. Note that you can only turn on MFA Delete for buckets that have versioning enabled. ONLY the root user account can turn.

S3 Access Logs

By default, Amazon S3 access logs are not enabled, but when you turn them on you get records of the requests made to your S3 bucket. The information logged includes the request type, the resources specified in the request, and the date and time the request occurred. Access logs are written to a separate target bucket. Log files are stored like any other objects and are billed accordingly, so be sure to delete them within a reasonable time.
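Access logs are only useful if someone reads them. The parser below is an added example written for this post (not the author's code and not an AWS tool): it tokenises the space-delimited S3 server access log format, whose awkward parts are the bracketed timestamp and the quoted request, referer and user-agent fields, maps the tokens onto the documented field order, and then summarises the three things a reviewer looks for first: anonymous reads that succeeded, requests that were denied, and which operations each requester performed. The four log lines are constructed; the owner id, request ids, host ids and IP addresses are placeholders.

```python
"""Parse S3 server access log lines and summarise what a reviewer looks for.

Added example (not from the original post). The log lines are constructed
in the documented S3 server access log field order; owner id, request ids,
host ids and IP addresses are placeholders.
"""
import re

FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version", "access_point_arn",
    "acl_required",
]

# A token is a [bracketed timestamp], a "quoted string", or a run of non-space.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

SAMPLE_LOG = """\
OWNERID example-bucket [01/May/2024:10:00:12 +0000] 198.51.100.2 arn:aws:iam::111111111111:user/alice REQID1 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 4096 4096 12 9 "-" "aws-cli/2.15" - HOSTID1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - No
OWNERID example-bucket [01/May/2024:10:05:40 +0000] 203.0.113.7 - REQID2 REST.GET.OBJECT payroll.csv "GET /payroll.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.4.0" - HOSTID2 - - - example-bucket.s3.us-east-1.amazonaws.com - - -
OWNERID example-bucket [01/May/2024:10:06:01 +0000] 203.0.113.7 - REQID3 REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 1210 1210 4 3 "https://example.com/" "Mozilla/5.0" - HOSTID3 - - - example-bucket.s3.us-east-1.amazonaws.com - - Yes
OWNERID example-bucket [01/May/2024:10:10:00 +0000] 198.51.100.2 arn:aws:iam::111111111111:user/alice REQID4 REST.DELETE.OBJECT payroll.csv "DELETE /payroll.csv HTTP/1.1" 204 - - - 7 - "-" "aws-cli/2.15" - HOSTID4 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2 - No
"""


def parse_line(line):
    """One log line -> dict keyed by FIELDS; brackets and quotes are stripped."""
    tokens = TOKEN.findall(line)
    return {name: tok.strip('[]"') for name, tok in zip(FIELDS, tokens)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarise(records):
    """Anonymous successful reads, denied requests, and operations per requester."""
    by_requester = {}
    for rec in records:
        ops = by_requester.setdefault(rec["requester"], {})
        ops[rec["operation"]] = ops.get(rec["operation"], 0) + 1
    # Requester "-" means the request was unauthenticated (anonymous).
    anonymous_reads = [rec["key"] for rec in records
                       if rec["requester"] == "-" and rec["http_status"] == "200"]
    denied = [(rec["remote_ip"], rec["key"]) for rec in records
              if rec["http_status"] == "403"]
    return {"by_requester": by_requester,
            "anonymous_reads": anonymous_reads,
            "denied": denied}


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    print("anonymous reads that succeeded:", summary["anonymous_reads"])
    print("denied:", summary["denied"])
    for requester, ops in summary["by_requester"].items():
        print(requester, ops)
```

Two lines stand out in the sample: an anonymous 403 on payroll.csv followed by an anonymous 200 on public/logo.png from the same address, which is the pattern of someone probing for readable objects, and the delete of payroll.csv by a named IAM user, which is what versioning and MFA Delete (next section) are there to make reversible.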

S3 Glacier Vault Lock

S3 Glacier is the lowest-cost storage option. With Amazon S3 Glacier, there are two tiers available: Glacier and Glacier Deep Archive, both of which may require additional time for data retrieval. Glacier is for data that is going to be stored for a LONG period of time. The Glacier Vault Lock feature employs a write-once, read-many model that ensures objects cannot be overwritten. This mechanism guarantees that no future modifications to the policy can occur, thus preventing the deletion of objects.

S3 Object Lock

S3 Object Lock lets us lock an object for a set period or indefinitely, applying the write once, read many (WORM) model. You must enable versioning on the bucket before a lock can be placed. Once Object Lock is enabled, it CANNOT be disabled. Note that once there is a legal hold, or an object lock with a retention period, the storage has to be kept for that period and will INCUR costs, which can have significant financial consequences. Always be careful when using S3 Object Lock. Object locks are great for holding legal documents.

S3 Access Points

S3 Access Points are useful when we want centralized access to a bucket for different users with unique permissions. This is great when we are working on a team and have different users who need to access centralized datasets on S3. You don’t want to make your bucket public and accessible to anyone on the internet, so that’s why we have S3 Access Points: they check who is trying to get into your bucket and retrieve your important objects! If you want to avoid individual, time-consuming bucket policies, an access point is your best option. They are long lived, unlike pre-signed URLs, which give temporary access to download or upload a specific object without needing IAM credentials. So if you want to simplify ACCESS to a bucket, then an ACCESS POINT is your option.
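Since pre-signed URLs are the short-lived counterpart to access points, it helps to see what "temporary" and "without IAM credentials" actually mean on the wire. The code below is an added example written for this post, not the author's code and not the AWS SDK: a standard-library implementation of Signature Version 4 query-string signing for a GET object request, together with the check the receiving side performs, namely enforce X-Amz-Expires first and then recompute the signature with the secret and compare it in constant time. The access key, secret, bucket and object key are placeholders and nothing here contacts AWS.

```python
"""Generate and verify an S3 pre-signed GET URL (SigV4 query-string signing).

Added example (not from the original post). Access key, secret, bucket and
object key are placeholders; nothing here contacts AWS.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    """AWS4-HMAC-SHA256 key derivation: date -> region -> service -> aws4_request."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _enc(s):
    return quote(s, safe="-_.~")


def _canonical_query(params):
    return "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))


def _signature(secret, host, key, params, amz_date, scope):
    """Sign the canonical request; query-string auth for S3 uses UNSIGNED-PAYLOAD."""
    canonical_request = "\n".join([
        "GET", "/" + quote(key, safe="/-_.~"), _canonical_query(params),
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    date, region = scope.split("/")[:2]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, date, region), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key, secret, issued_at, expires=300):
    """Build a URL that grants a GET on one object for `expires` seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = issued_at.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{issued_at.strftime('%Y%m%d')}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(secret, host, key, params, amz_date, scope)
    return f"https://{host}/{quote(key, safe='/-_.~')}?{_canonical_query(params)}"


def verify_presigned_get(url, secret, now):
    """Service-side check: expiry first, then constant-time signature comparison."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    issued_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ") \
        .replace(tzinfo=timezone.utc)
    if now > issued_at + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False, "expired"
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    expected = _signature(secret, u.hostname, unquote(u.path.lstrip("/")),
                          params, params["X-Amz-Date"], scope)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


# Constructed inputs: placeholder credentials, bucket and key.
SAMPLE_ISSUED_AT = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SECRET = "placeholder-secret-access-key"
SAMPLE_URL = presign_get("example-bucket", "reports/q1.pdf", "us-east-1",
                         "AKIAPLACEHOLDER00000", SAMPLE_SECRET, SAMPLE_ISSUED_AT)


def seconds_after_issue(seconds):
    """Clock helper: the moment `seconds` after SAMPLE_URL was issued."""
    return SAMPLE_ISSUED_AT + timedelta(seconds=seconds)


if __name__ == "__main__":
    print(SAMPLE_URL)
    print(verify_presigned_get(SAMPLE_URL, SAMPLE_SECRET, seconds_after_issue(100)))
    print(verify_presigned_get(SAMPLE_URL, SAMPLE_SECRET, seconds_after_issue(301)))
```

The holder of the URL never sees the secret: the signature covers the host, the object path, the expiry and the issue time, so changing the object key or the X-Amz-Expires value invalidates it, and once the window has passed the same URL is rejected before the signature is even examined. That is why a pre-signed URL is the right tool for one-off sharing and an access point, with a policy evaluated against the caller's identity, is the right tool for ongoing team access.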

Conclusion

I hope you found this article digestible and that it unpacked AWS S3 security in an approachable way. Writing serves as a therapeutic outlet for me, allowing me to explore subjects that pique my curiosity. I’ve always been someone driven by the desire to understand how things function and why. I went to school to be a full stack developer because I wanted to work with e-commerce stores and help them generate sales by creating search-engine-optimized sites with beautiful layouts. Thank you for reading and have a wonderful day.
