- Bucket owner = root account owning the e-mail address.
- It supports VPC endpoints to be accessed in VPC without internet access
- VPC Endpoint = an endpoint network interface (ENI)
- Object / Bucket Permissions
- User permissions: User ID has Read / Write access to Bucket / Object?
- Public permissions: Public read access to bucket or not
- System permissions: Grant Amazon S3 Log Delivery group write access to the group
- MFA Delete
- MFA (multi factor authentication) forces user to generate a code on device (mobile phone or hardware) before doing important operations on S3.
- To use MFA-Delete, enable Versioning on the S3 bucket.
- 💡 You will need MFA to
- permanently delete an object version
- suspend versioning on the bucket
- 💡 Give only right users permissions for delete.
- ❗ Only the bucket owner (root account) can enable/disable MFA-delete.
- ❗ MFA-delete currently can only be enabled using the CLI
- ❗ Affects only permanent deletes not delete markers
- Flow: Create bucket with versioning -> Log-into root account -> Link to MFA Device (IAM -> Security Credentials) -> Generate root access keys -> Connect to CLI -> Set
MFADelete=enabled
with CLI command
- S3 Pre-signed URLS
- 📝 Allows granting access (URL) to one or more users for a certain amount and time and expire it.
- URL can be used for
GET
(read) orPUT
(upload). - Can generate pre-signed URLs using SDK (uploads as it's harder) or CLI
- Valid for a default of 3600 seconds, can change timeout with
--expires-in <time-by-seconds>
argument
- URL can be used for
- Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
- E.g. premium video service for logged in users where they can view & list & upload temporarily.
- Command:
presign <S3URI> --expires-in <time-by-seconds> --region <region-of-object>
- 💡 You can run
aws configure set default.s3.signature_version s3v4
for making URL to be compatible with KMS encrypted object before signing
- 💡 You can run
- 📝 Allows granting access (URL) to one or more users for a certain amount and time and expire it.
- Logging and Audit
-
CloudTrail
- Logs bucket-level API calls
- Logs S3 object-level API activity e.g.
GetObject
,DeleteObject
, andPutObject API
operations. - Also called CloudTrail Data Events
-
S3 access logs
- Logs object-level API activity
- Flow: Go to properties -> Turn on Server Access Logging -> Choose bucket
-
Access logs vs Object-Level CloudTrail logs
Server Access Logging Object-Level Logging Complexity Low High Format Loosely-structured, space-delimited text records JSON Delivery Timeliness & delivery are not guaranteed API calls within 15 min are a captured and sent within 5 min Filtering No filtering Cloud Trail (basic), Cloud Watch (advanced, e.g. regex) Integrations S3 S3, CloudTrail, CloudWatch Costs S3 S3, CloudTrail, CloudWatch -
❗ Do not store your own access logs in the same bucket, otherwise; recursion
-
Data can be analyzed using data analysis tools
- Also Amazon Athena and S3 Select can be used to query access logs
-
You can set prefixes for the logs
-
- User based policies
- IAM policies
- which API calls should be allowed for specific user from IAM console
- 💡 IAM policies instead of S3 bucket policies are in general more operationally efficient.
- You need to control access to AWS services other than S3
- Easier to manage everything from IAM instead of spreading
- You have numerous S3 buckets each with different permissions requirements
- Easier to manage with a few IAM policies instead of policy per bucket.
- You need to control access to AWS services other than S3
- Resource based policies
- 📝 Bucket policies:
- Allows cross account
- JSON based policy (can be generated from Policy Generator)
Resources
: buckets or objectsActions
: Set of API to Allow or DenyEffect
: Allow / DenyPrincipal
: THe account or user to apply the policy to
- 💡 Use-cases
- 📝Force objects to be encrypted at upload
- Save statements in Bucket Policy:
- Create bucket policy -> Deny if any principal (
*
) uses actionPutObject
has condition headerx-amz-server-side-encryption
EqualsTonull
istrue
. - Create bucket policy -> Deny if any principal (
*
) uses actionPutObject
has condition headerx-amz-server-side-encryption
StringNotEqualsAES256
- Create bucket policy -> Deny if any principal (
- Set Default Encryption as Amazon S3 master-key to set the right header when uploading from console.
- Save statements in Bucket Policy:
- Grant access to another account (Cross Account)
- Grant public access to the bucket
- 📝Force objects to be encrypted at upload
- Syntax for including root and its endpoints
- ❗ Careful: In policies if you use
arn
(amazon resource name) with only/
e.g.it'll not apply policy to all endpoints under it you need to define it as with/*
.- E.g.
arn:awss3::::thebucketname/*
instead ofarn:awss3::::thebucketname/
. - URL with
/*
will not include the root URL, if you need root as well use both/
and/*
.
- E.g.
- ❗ Careful: In policies if you use
- Object Access Control List (ACL)
- Access policy option to grant basic read/write permissions to other AWS accounts on object level.
- E.g. account X can list objects, write objects, read bucket permissions, write bucket permissions
- Access policy option to grant basic read/write permissions to other AWS accounts on object level.
- Bucket Access Control List (ACL): Less common
- Glacier
- Can have:
- Single resource-based vault access policy
- Single Vault Lock policy
- For compliance e.g. can deny users permissions to delete an archive until the archive has existed for one year.
- 💡 After the vault is locked it cannot be unlocked
- Can have:
- 📝 Bucket policies:
- Encryption at rest
-
S3 Glacier encrypts your data as rest by default.
-
4 methods of encrypting objects:
- SSE-S3 (Server Side Encryption - S3)
- Encrypts S3 objects using keys handled & managed by AWS
- Object is encrypted server side
- AES-256
- 📝 You must set header
"x-amz-server-side-encryption":"AES256"
- 📝 You must set header
- S3 provides S3 Managed Data Key as encryption key
- Also called Amazon S3 master-key
- Works with HTTP + HTTPS
- SSE-KMS (Server Side Encryption - Key Management Service)
- Leverage AWS Key Management Service to manage encryption
- KMS advantages: user control (over rotation of key) + audit trail (how the key was used)
- Object is encrypted server side
- 📝 Must set header
"x-amz-server-side-encryption":"aws:kms"
- KMS generates & uses CMK (Customer Master Key) as encryption key.
- Also called AWS KMS master-key
- You can select a key from KMS
- Works with HTTP + HTTPS
- 💡 Maintain control of the rotation policy for the encryption keys, but not know the encryption keys values
- SSE-C (Server Side Encryption - Customer)
- When you want to fully manage your own encryption keys
- ❗ HTTPS must be used (no HTTP)
- Encryption key must be provided in HTTP headers for every HTTP request made
- Uses client side data key
- Amazon does the encryption & throws every the key and returns data.
- 💡 Recommended over client side encryption if you need to ensure that encryption is always used.
- Client Side Encryption
- Client library such as Amazon S3 Encryption Client makes it easier.
- Clients encrypt & decrypt data themselves
- Clients fully manages the keys and the encryption cycle
- Works with HTTP + HTTPS
- SSE-S3 (Server Side Encryption - S3)
-
Responsibilities
Encryption type Who en/decrypts the data Who stores the secret Who manages the secret SSE-S3 AWS AWS AWS SSE-KMS (AWS managed CMK) AWS AWS AWS SSE-KMS (customer managed CMK) AWS AWS you SSE-C AWS you you AWS SDK + KMS (AWS managed CMK) you AWS AWS AWS SDK + KMS (customer managed KMS) you AWS you AWS SDK + self-managed secret you you you -
SDK
- AWS SDK supports for Amazon S3 Client-Side Encryption
- AWS Encryption SDK is an encryption library that is separate from the language–specific SDKs.
- Difference between AWS SDK (in language-specific AWS SDKs) vs Encryption SDK
- Encryption SDK is not tied to Amazon S3 and can be used to encrypt or decrypt data to be stored anywhere.
- Good for enforcing best practices in organization.
-
- Encryption in transit (SSL)
- 📝Achieved by SSL/TLS
- S3 exposes HTTP and HTTPS URL, HTTP has encryption in flight.
- Default Encryption
- Encryption is per object level, but you might want to enforce encryption of all objects.
- Old way: Use a bucket policy and refuse any HTTP command without the proper headers
- New way: Enable Default Encryption setting on S3 by ticking.
- Bucket policies are evaluated before default encryption
- You can choose between SSE-S3 (AES-256) or SSE-KMS (AWS-KMS)