URL: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
Security best practices for Amazon S3 - Amazon Simple Storage Service (S3) User Guide


SECURITY BEST PRACTICES FOR AMAZON S3

Amazon S3 provides a number of security features to consider as you develop and
implement your own security policies. The following best practices are general
guidelines and don't represent a complete security solution. Because these best
practices might not be appropriate or sufficient for your environment, treat
them as helpful recommendations rather than prescriptions.

TOPICS

 * Amazon S3 security best practices
 * Amazon S3 monitoring and auditing best practices


AMAZON S3 SECURITY BEST PRACTICES

The following best practices for Amazon S3 can help prevent security incidents.

Disable access control lists (ACLs)

S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to
control ownership of objects uploaded to your bucket and to disable or enable
ACLs. By default, Object Ownership is set to the Bucket owner enforced setting
and all ACLs are disabled. When ACLs are disabled, the bucket owner owns all the
objects in the bucket and manages access to data exclusively using access
management policies.

A majority of modern use cases in Amazon S3 no longer require the use of access
control lists (ACLs). We recommend that you disable ACLs, except in unusual
circumstances where you must control access for each object individually. To
disable ACLs and take ownership of every object in your bucket, apply the bucket
owner enforced setting for S3 Object Ownership. When you disable ACLs, you can
easily maintain a bucket with objects uploaded by different AWS accounts.

When ACLs are disabled, access control for your data is based on policies, such
as the following:

 * AWS Identity and Access Management (IAM) user policies

 * S3 bucket policies

 * Virtual private cloud (VPC) endpoint policies

 * AWS Organizations service control policies (SCPs)



Disabling ACLs simplifies permissions management and auditing. ACLs are disabled
for new buckets by default. You can also disable ACLs for existing buckets. If
you have an existing bucket that already has objects in it, after you disable
ACLs, the object and bucket ACLs are no longer part of the access-evaluation
process. Instead, access is granted or denied on the basis of policies.

Before you disable ACLs, make sure that you do the following:

 * Review your bucket policy to ensure that it covers all the ways that you
   intend to grant access to your bucket outside of your account.

 * Reset your bucket ACL to the default (full control to the bucket owner).



After you disable ACLs, the following behaviors occur:

 * Your bucket accepts only PUT requests that do not specify an ACL or PUT
   requests with bucket owner full control ACLs. These ACLs include the
   bucket-owner-full-control canned ACL or equivalent forms of this ACL that are
   expressed in XML.

 * Existing applications that support bucket owner full control ACLs see no
   impact.

 * PUT requests that contain other ACLs (for example, custom grants to certain
   AWS accounts) fail and return an HTTP status code 400 (Bad Request) with the
   error code AccessControlListNotSupported.



For more information, see Controlling ownership of objects and disabling ACLs
for your bucket.
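The "before you disable ACLs" review above is easiest to do from evidence of what your uploaders actually send. The following is an added example (not code from the AWS documentation) that scans CloudTrail S3 data events for PutObject, CopyObject and CreateMultipartUpload calls carrying an ACL header and reports which callers would start receiving 400 AccessControlListNotSupported once the bucket owner enforced setting is applied. The sample events are constructed here; they follow the CloudTrail data-event shape only as far as the fields read (eventName, userIdentity.arn, requestParameters with bucketName and x-amz-acl / x-amz-grant-* headers), and the assumption that header values are recorded as lists is tolerated either way.

```python
"""
Pre-flight check before switching S3 Object Ownership to BucketOwnerEnforced.

Once ACLs are disabled, an upload that carries any ACL other than
bucket-owner-full-control (canned, or its explicit-grant equivalent) fails with
HTTP 400 AccessControlListNotSupported.  This scans CloudTrail S3 data events
for uploads that still send ACL request headers so those callers can be fixed
before the setting is changed.
"""
from collections import defaultdict

# The only ACL that remains accepted after ACLs are disabled.
ACCEPTED_CANNED_ACLS = {"bucket-owner-full-control"}

# Explicit-grant headers are accepted only if they grant nothing but full
# control to the bucket owner; deciding that needs the owner's canonical ID,
# so they are flagged for manual review instead.
GRANT_HEADERS = (
    "x-amz-grant-full-control",
    "x-amz-grant-read",
    "x-amz-grant-read-acp",
    "x-amz-grant-write-acp",
)

UPLOAD_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}


def classify_upload(request_parameters):
    """Return 'ok', 'fails' or 'review' for one event's requestParameters dict."""
    canned = request_parameters.get("x-amz-acl")
    # Assumption: CloudTrail records header values as lists; a bare string is
    # tolerated as well.
    if isinstance(canned, list):
        canned = canned[0] if canned else None
    has_grants = any(h in request_parameters for h in GRANT_HEADERS)
    if canned is not None and canned not in ACCEPTED_CANNED_ACLS:
        return "fails"
    if has_grants:
        return "review"
    return "ok"


def acl_migration_report(events):
    """Count non-compliant uploads per (bucket, caller ARN, verdict)."""
    report = defaultdict(int)
    for ev in events:
        if ev.get("eventName") not in UPLOAD_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        verdict = classify_upload(params)
        if verdict == "ok":
            continue
        caller = ev.get("userIdentity", {}).get("arn", "unknown")
        report[(params.get("bucketName", "?"), caller, verdict)] += 1
    return dict(report)


# Constructed sample events (placeholder account IDs and bucket name).
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/uploader"},
     "requestParameters": {"bucketName": "photos-bucket", "key": "a.jpg",
                           "x-amz-acl": ["bucket-owner-full-control"]}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/legacy-app"},
     "requestParameters": {"bucketName": "photos-bucket", "key": "b.jpg",
                           "x-amz-acl": ["public-read"]}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/legacy-app"},
     "requestParameters": {"bucketName": "photos-bucket", "key": "c.jpg"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/legacy-app"},
     "requestParameters": {"bucketName": "photos-bucket", "key": "d.jpg",
                           "x-amz-acl": ["public-read"]}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::333333333333:role/etl"},
     "requestParameters": {"bucketName": "photos-bucket", "key": "e.parquet",
                           "x-amz-grant-full-control": ["id=EXAMPLECANONICALID"]}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::222222222222:user/legacy-app"},
     "requestParameters": {"bucketName": "photos-bucket", "key": "b.jpg"}},
]

if __name__ == "__main__":
    for (bucket, caller, verdict), n in sorted(acl_migration_report(SAMPLE_EVENTS).items()):
        print(f"{bucket}\t{caller}\t{verdict}\t{n}")
```

Run it over a CloudTrail export for the bucket (data events must be enabled for the bucket; management events alone do not include PutObject). Callers in the "fails" column need their upload code changed to send no ACL, or the bucket-owner-full-control canned ACL, before Object Ownership is switched; "review" rows need the grant inspected by hand.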

Ensure that your Amazon S3 buckets use the correct policies and are not publicly
accessible

Unless you explicitly require anyone on the internet to be able to read or write
to your S3 bucket, make sure that your S3 bucket is not public. The following
are some of the steps that you can take to block public access:

 * Use S3 Block Public Access. With S3 Block Public Access, you can easily set
   up centralized controls to limit public access to your Amazon S3 resources.
   These centralized controls are enforced regardless of how the resources are
   created. For more information, see Blocking public access to your Amazon S3
   storage.

 * Identify Amazon S3 bucket policies that allow a wildcard identity such as
   "Principal": "*" (which effectively means "anyone"). Also look for policies
   that allow a wildcard action "*" (which effectively allows the user to
   perform any action in the Amazon S3 bucket).

 * Similarly, look for Amazon S3 bucket access control lists (ACLs) that provide
   read, write, or full-access to "Everyone" or "Any authenticated AWS user."

 * Use the ListBuckets API operation to scan all of your Amazon S3 buckets. Then
   use GetBucketAcl, GetBucketWebsite, and GetBucketPolicy to determine whether
   each bucket has compliant access controls and a compliant configuration.

 * Use AWS Trusted Advisor to inspect your Amazon S3 implementation.

 * Consider implementing ongoing detective controls by using the
   s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited
   managed AWS Config Rules.

For more information, see Identity and access management in Amazon S3.

Implement least privilege access

When granting permissions, you decide who is getting what permissions to which
Amazon S3 resources. You enable specific actions that you want to allow on those
resources. Therefore, we recommend that you grant only the permissions that are
required to perform a task. Implementing least privilege access is fundamental
in reducing security risk and the impact that could result from errors or
malicious intent.

The following tools are available to implement least privilege access:

 * Amazon S3 actions and Permissions Boundaries for IAM Entities

 * Bucket policies and user policies

 * Access control list (ACL) overview

 * Service Control Policies

For guidance on what to consider when choosing one or more of the preceding
mechanisms, see Access policy guidelines.
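The public-access review above (wildcard principals, wildcard actions, ACL grants to Everyone or Any authenticated AWS user) and the least-privilege section can be checked offline from the policy and ACL documents. The following is an added example, not code from the AWS documentation: it flags bucket policy statements that allow a wildcard principal or a wildcard action and ACL grants to the AllUsers / AuthenticatedUsers groups, and shows that a least-privilege policy (named role, specific actions, prefix-scoped resource) produces no findings. The sample policies, bucket name and account IDs are constructed placeholders.

```python
"""
Offline checks for the public-access review above: flag bucket policy
statements that allow a wildcard principal or a wildcard action, and bucket
ACL grants to the AllUsers / AuthenticatedUsers groups.  A least-privilege
policy (named principal, specific actions, prefix-scoped resource) produces
no findings.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def analyze_bucket_policy(policy_json):
    """Return findings (strings) for a bucket policy document given as JSON text."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if _is_wildcard_principal(stmt.get("Principal")):
            if stmt.get("Condition"):
                # S3 does not count a policy as public when the condition pins a
                # VPC, VPC endpoint, source IP or account, but the keys used still
                # need to be reviewed.
                findings.append(f"{sid}: wildcard principal limited only by Condition "
                                f"{sorted(stmt['Condition'])}")
            else:
                findings.append(f"{sid}: wildcard principal with no Condition (public)")
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
    return findings


def analyze_bucket_acl(acl):
    """Return findings for a GetBucketAcl-style response dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            who = "Everyone" if grantee["URI"] == ALL_USERS else "Any authenticated AWS user"
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


# Constructed sample policies (bucket name and account IDs are placeholders).
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

LEAST_PRIVILEGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "UploaderPrefixOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/uploader"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/uploads/*"}]})

PUBLIC_ACL = {"Owner": {"ID": "EXAMPLEOWNERID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
```

To run this against an account, follow the ListBuckets / GetBucketPolicy / GetBucketAcl sequence from the list above: pass the `Policy` string returned by GetBucketPolicy to `analyze_bucket_policy` (GetBucketPolicy raises NoSuchBucketPolicy for buckets without one, which is not a finding) and the GetBucketAcl response to `analyze_bucket_acl`. Treat the output as a starting point for review, not a verdict: a wildcard principal that is narrowed by a Condition is not public by S3's definition, and S3 Block Public Access remains the control that enforces the intent regardless of what any individual policy says.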

Use IAM roles for applications and AWS services that require Amazon S3 access

In order for applications running on Amazon EC2 or other AWS services to access
Amazon S3 resources, they must include valid AWS credentials in their AWS API
requests. We recommend not storing AWS credentials directly in the application
or Amazon EC2 instance. These are long-term credentials that are not
automatically rotated and could have a significant business impact if they are
compromised.

Instead, use an IAM role to manage temporary credentials for applications or
services that need to access Amazon S3. When you use a role, you don't have to
distribute long-term credentials (such as a username and password or access
keys) to an Amazon EC2 instance or AWS service, such as AWS Lambda. The role
supplies temporary permissions that applications can use when they make calls to
other AWS resources.

For more information, see the following topics in the IAM User Guide:

 * IAM Roles

 * Common Scenarios for Roles: Users, Applications, and Services
   
   

Consider encryption of data at rest

You have the following options for protecting data at rest in Amazon S3:

 * Server-side encryption – When you use server-side encryption, Amazon S3
   encrypts your objects before saving them on disks in its data centers and
   then decrypts the objects when you download them. Server-side encryption can
   help reduce risk to your data by encrypting the data with a key that is
   stored in a different mechanism than the mechanism that stores the data
   itself.
   
   Amazon S3 provides these server-side encryption options:
   
    * Server-side encryption with Amazon S3 managed keys (SSE-S3)
   
    * Server-side encryption with AWS Key Management Service (AWS KMS) keys
      (SSE-KMS)
   
    * Server-side encryption with customer-provided keys (SSE-C)
   
   For more information, see Protecting data using server-side encryption.

 * Client-side encryption – Encrypt data client-side and upload the encrypted
   data to Amazon S3. In this case, you manage the encryption process, the
   encryption keys, and related tools. As with server-side encryption,
   client-side encryption can help reduce risk by encrypting the data with a key
   that is stored in a different mechanism than the mechanism that stores the
   data itself.
   
   Amazon S3 provides multiple client-side encryption options. For more
   information, see Protecting data by using client-side encryption.

Enforce encryption of data in transit

You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping
on or manipulating network traffic by using person-in-the-middle or similar
attacks. We recommend allowing only encrypted connections over HTTPS (TLS) by
using the aws:SecureTransport condition in your Amazon S3 bucket policies.

Also consider implementing ongoing detective controls by using the
s3-bucket-ssl-requests-only managed AWS Config rule.

Consider using S3 Object Lock

With S3 Object Lock, you can store objects by using a "Write Once Read Many"
(WORM) model. S3 Object Lock can help prevent accidental or inappropriate
deletion of data. For example, you can use S3 Object Lock to help protect your
AWS CloudTrail logs.

For more information, see Using S3 Object Lock.

Enable S3 Versioning

S3 Versioning is a means of keeping multiple variants of an object in the same
bucket. You can use versioning to preserve, retrieve, and restore every version
of every object stored in your bucket. With versioning, you can easily recover
from both unintended user actions and application failures.

Also consider implementing ongoing detective controls by using the
s3-bucket-versioning-enabled managed AWS Config rule.

For more information, see Using versioning in S3 buckets.

Consider using S3 Cross-Region Replication

Although Amazon S3 stores your data across multiple geographically diverse
Availability Zones by default, compliance requirements might dictate that you
store data at even greater distances. With S3 Cross-Region Replication (CRR),
you can replicate data between distant AWS Regions to help satisfy these
requirements. CRR enables automatic, asynchronous copying of objects across
buckets in different AWS Regions. For more information, see Replicating objects.

NOTE

CRR requires both the source and destination S3 buckets to have versioning
enabled.

Also consider implementing ongoing detective controls by using the
s3-bucket-replication-enabled managed AWS Config rule.

Consider using VPC endpoints for Amazon S3 access

A virtual private cloud (VPC) endpoint for Amazon S3 is a logical entity within
a VPC that allows connectivity only to Amazon S3. VPC endpoints can help prevent
traffic from traversing the open internet.

VPC endpoints for Amazon S3 provide multiple ways to control access to your
Amazon S3 data:

 * You can control the requests, users, or groups that are allowed through a
   specific VPC endpoint by using S3 bucket policies.

 * You can control which VPCs or VPC endpoints have access to your S3 buckets by
   using S3 bucket policies.

 * You can help prevent data exfiltration by using a VPC that does not have an
   internet gateway.

For more information, see Controlling access from VPC endpoints with bucket
policies.
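A bucket policy that applies the aws:SecureTransport Deny recommended under "Enforce encryption of data in transit" together with the VPC-endpoint restriction described above, as an added example that is not AWS's code. The bucket name and endpoint id are placeholders, and aws:SourceVpce is the condition key assumed for the endpoint check.

```python
import json
from typing import Optional

# Added example (not AWS code). "example-bucket" and the vpce-... id are
# placeholders; aws:SecureTransport and aws:SourceVpce are the condition keys used.

def build_hardened_policy(bucket: str, vpce_id: Optional[str] = None) -> dict:
    """Policy with explicit Deny statements; Deny wins over any Allow elsewhere."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    statements = [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": arns,
        # Bool condition values are strings in policy JSON, not JSON booleans.
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    if vpce_id:
        # Rejects every request from outside the endpoint, including console and
        # CLI use by administrators: carve out an admin role before applying.
        statements.append({
            "Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": arns,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        })
    return {"Version": "2012-10-17", "Statement": statements}

def enforces_tls(policy: dict) -> bool:
    """True if a Deny on all S3 actions rejects aws:SecureTransport == false."""
    for s in policy.get("Statement", []):
        cond = s.get("Condition", {}).get("Bool", {})
        value = str(cond.get("aws:SecureTransport", "")).lower()
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Deny" and value == "false" and "s3:*" in actions:
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(build_hardened_policy("example-bucket", "vpce-0123456789abcdef0"), indent=2))
```

enforces_tls is the same check the s3-bucket-ssl-requests-only Config rule makes continuously; running it over GetBucketPolicy output gives a one-off snapshot.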

Use managed AWS security services to monitor data security

Several managed AWS security services can help you identify, assess, and monitor
security and compliance risks for your Amazon S3 data. These services can also
help you protect your data from those risks. These services include automated
detection, monitoring, and protection capabilities that are designed to scale
from Amazon S3 resources for a single AWS account to resources for organizations
spanning thousands of accounts.

For more information, see Monitoring data security with managed AWS security
services.


AMAZON S3 MONITORING AND AUDITING BEST PRACTICES

The following best practices for Amazon S3 can help detect potential security
weaknesses and incidents.

Identify and audit all of your Amazon S3 buckets

Identification of your IT assets is a crucial aspect of governance and security.
You need to have visibility of all your Amazon S3 resources to assess their
security posture and take action on potential areas of weakness. To audit your
resources, we recommend doing the following:

 * Use Tag Editor to identify and tag security-sensitive or audit-sensitive
   resources, then use those tags when you need to search for these resources.
   For more information, see Searching for Resources to Tag in the Tagging AWS
   Resources User Guide.

 * Use S3 Inventory to audit and report on the replication and encryption status
   of your objects for business, compliance, and regulatory needs. For more
   information, see Amazon S3 Inventory.

 * Create resource groups for your Amazon S3 resources. For more information,
   see What are resource groups? in the AWS Resource Groups User Guide.

Implement monitoring by using AWS monitoring tools

Monitoring is an important part of maintaining the reliability, security,
availability, and performance of Amazon S3 and your AWS solutions. AWS provides
several tools and services to help you monitor Amazon S3 and your other AWS
services. For example, you can monitor Amazon CloudWatch metrics for Amazon S3,
particularly the PutRequests, GetRequests, 4xxErrors, and DeleteRequests
metrics. For more information, see Monitoring metrics with Amazon CloudWatch and
Monitoring Amazon S3.

For a second example, see Example: Amazon S3 Bucket Activity. This example
describes how to create a CloudWatch alarm that is triggered when an Amazon S3
API call is made to PUT or DELETE a bucket policy, a bucket lifecycle, or a
bucket replication configuration, or to PUT a bucket ACL.

Enable Amazon S3 server access logging

Server access logging provides detailed records of the requests that are made to
a bucket. Server access logs can assist you in security and access audits, help
you learn about your customer base, and understand your Amazon S3 bill. For
instructions on enabling server access logging, see Logging requests using
server access logging.

Also consider implementing ongoing detective controls by using the
s3-bucket-logging-enabled AWS Config managed rule.

Use AWS CloudTrail

AWS CloudTrail provides a record of actions taken by a user, a role, or an AWS
service in Amazon S3. You can use information collected by CloudTrail to
determine the following:

 * The request that was made to Amazon S3

 * The IP address from which the request was made

 * Who made the request

 * When the request was made

 * Additional details about the request



For example, you can identify CloudTrail entries for PUT actions that affect
data access, in particular PutBucketAcl, PutObjectAcl, PutBucketPolicy, and
PutBucketWebsite.

When you set up your AWS account, CloudTrail is enabled by default. You can view
recent events in the CloudTrail console. To create an ongoing record of activity
and events for your Amazon S3 buckets, you can create a trail in the CloudTrail
console. For more information, see Logging data events in the AWS CloudTrail
User Guide.

When you create a trail, you can configure CloudTrail to log data events. Data
events are records of resource operations performed on or within a resource. In
Amazon S3, data events record object-level API activity for individual buckets.
CloudTrail supports a subset of Amazon S3 object-level API operations, such as
GetObject, DeleteObject, and PutObject. For more information about how
CloudTrail works with Amazon S3, see Logging Amazon S3 API calls using AWS
CloudTrail. In the Amazon S3 console, you can also configure your S3 buckets to
log CloudTrail events; see Enabling CloudTrail event logging for S3 buckets and
objects.
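The triage described above (PUT actions that affect data access, plus object-level data events such as DeleteObject) run over constructed CloudTrail records, as an added example that is not AWS's code; the account id, IP addresses, ARNs and bucket name are made up.

```python
# Added example (not AWS code). The records are constructed to follow the
# CloudTrail record format (eventTime, eventName, userIdentity, sourceIPAddress,
# requestParameters, errorCode); every value is made up for the demo.

# PUT actions from the text that change who can read or write data.
ACCESS_CONTROL_EVENTS = {"PutBucketAcl", "PutObjectAcl", "PutBucketPolicy", "PutBucketWebsite"}
# Object-level data events (only present when the trail logs S3 data events).
DESTRUCTIVE_DATA_EVENTS = {"DeleteObject", "DeleteObjects"}

def _actor(identity: dict) -> str:
    """Principal ARN when present, else the service that invoked the call."""
    return identity.get("arn") or identity.get("invokedBy") or identity.get("type", "unknown")

def triage(records: list) -> list:
    """Answer who / from where / when for the S3 events worth reviewing."""
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        name = r.get("eventName", "")
        if name in ACCESS_CONTROL_EVENTS:
            reason = "access-control change"
        elif name in DESTRUCTIVE_DATA_EVENTS:
            reason = "object deletion"
        else:
            continue
        params = r.get("requestParameters") or {}
        findings.append({"when": r.get("eventTime"), "who": _actor(r.get("userIdentity", {})),
                         "from": r.get("sourceIPAddress"), "event": name,
                         "bucket": params.get("bucketName"), "key": params.get("key"),
                         "reason": reason, "denied": "errorCode" in r})
    return findings

# Constructed records: a policy change, an ordinary read, and a denied delete.
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-25T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2023-05-25T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
    {"eventTime": "2023-05-25T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
]
```

Denied attempts are kept rather than dropped: a burst of AccessDenied deletes from an unfamiliar address is as informative as a successful one.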

AWS Config provides a managed rule (cloudtrail-s3-dataevents-enabled) that you
can use to confirm that at least one CloudTrail trail is logging data events for
your S3 buckets. For more information, see cloudtrail-s3-dataevents-enabled in
the AWS Config Developer Guide.

Enable AWS Config

Several of the best practices listed in this topic suggest creating AWS Config
rules. AWS Config helps you to assess, audit, and evaluate the configurations of
your AWS resources. AWS Config monitors resource configurations so that you can
evaluate the recorded configurations against the desired secure configurations.
With AWS Config, you can do the following:

 * Review changes in configurations and relationships between AWS resources

 * Investigate detailed resource-configuration histories

 * Determine your overall compliance against the configurations specified in
   your internal guidelines



Using AWS Config can help you simplify compliance auditing, security analysis,
change management, and operational troubleshooting. For more information, see
Setting Up AWS Config with the Console in the AWS Config Developer Guide. When
specifying the resource types to record, ensure that you include Amazon S3
resources.

For an example of how to use AWS Config, see How to Use AWS Config to Monitor
for and Respond to Amazon S3 Buckets Allowing Public Access on the AWS Security
Blog.

Discover sensitive data by using Amazon Macie

Amazon Macie is a security service that discovers sensitive data by using
machine learning and pattern matching. Macie provides visibility into data
security risks, and enables automated protection against those risks. With
Macie, you can automate the discovery and reporting of sensitive data in your
Amazon S3 data estate to gain a better understanding of the data that your
organization stores in Amazon S3.

To detect sensitive data with Macie, you can use built-in criteria and
techniques that are designed to detect a large and growing list of sensitive
data types for many countries and regions. These sensitive data types include
multiple types of personally identifiable information (PII), financial data, and
credentials data. You can also use custom criteria that you define—regular
expressions that define text patterns to match and, optionally, character
sequences and proximity rules that refine the results.

If Macie detects sensitive data in an S3 object, Macie generates a security
finding to notify you. This finding provides information about the affected
object, the types and number of occurrences of the sensitive data that Macie
found, and additional details to help you investigate the affected S3 bucket and
object. For more information, see the Amazon Macie User Guide.

Use S3 Storage Lens

S3 Storage Lens is a cloud-storage analytics feature that you can use to gain
organization-wide visibility into object-storage usage and activity. S3 Storage
Lens also analyzes metrics to deliver contextual recommendations that you can
use to optimize storage costs and apply best practices for protecting your data.

With S3 Storage Lens, you can use metrics to generate summary insights, such as
finding out how much storage you have across your entire organization or which
are the fastest-growing buckets and prefixes. You can also use S3 Storage Lens
metrics to identify cost-optimization opportunities, implement data-protection
and access-management best practices, and improve the performance of application
workloads.

For example, you can identify buckets that don't have S3 Lifecycle rules to
abort incomplete multipart uploads that are more than 7 days old. You can also
identify buckets that aren't following data-protection best practices, such as
using S3 Replication or S3 Versioning. For more information, see Understanding
Amazon S3 Storage Lens.

Monitor AWS security advisories

We recommend that you regularly check the security advisories posted in Trusted
Advisor for your AWS account. In particular, look for warnings about Amazon S3
buckets with "open access permissions." You can do this programmatically by
using describe-trusted-advisor-checks.

Further, actively monitor the primary email address that's registered to each of
your AWS accounts. AWS uses this email address to contact you about emerging
security issues that might affect you.

AWS operational issues with broad impact are posted on the AWS Health Dashboard
- Service health. Operational issues are also posted to individual accounts
through the AWS Health Dashboard. For more information, see the AWS Health
documentation.

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.