Written by Team CloudEnsure
AWS S3 Bucket Security Best Practices
“Prevention is better than cure is an age-old proverb, but it is spot on for the cloud world, especially with misconfiguration breaches on the rise.”
Breaches are expensive, and data breaches have not only direct impacts but far more severe indirect ones. A single data breach costs an organisation millions of dollars (investigations, lawsuits, regulatory fines, notifications) and also results in non-compliance, loss of customer trust and devaluation of the company’s brand; on top of that, it becomes instant news, and re-establishing the brand image takes months if not years. While the controls and practices organisations adopt on the cloud have been on the rise, so has the number of breaches in the last 5 years, emphasising that there is still a lot of work to be done. A deeper analysis shows that more than 40% of breaches have been due to a misconfigured storage bucket, which highlights poor security hygiene even for the resource that holds highly sensitive information. Among others, the two most common threats identified on S3 buckets are an unencrypted bucket leaving data in plain text, and a bucket left wide open, accessible to anyone with the link to update, delete, download and use the data.
While everyone dealing with the cloud would emphasise the shared responsibility model, it is the undisciplined use of cloud architecture and simple misconfigurations that have made organisations realise the importance of continuous cloud governance. While AWS provides best-in-class security measures and makes it very easy to configure and use the cloud, it is the lack of human expertise and cloud understanding that often results in newsworthy situations. Thus it has become imperative for cloud security professionals to understand why the prescriptions and native tools available today are not sufficient to address these threats; why relying only on the security solutions and best practices suggested by the public cloud providers is not enough to suppress them; why an autonomous body is important for the security of the cloud; and why ensuring cloud safety has to be an ongoing process rather than a one-time activity.
The activities one should be performing when it comes to S3 security and optimisation are:
- Identify and audit all your AWS S3 buckets
- Monitor S3 using AWS monitoring tools
- Enable Amazon S3 server access logging
- Enable AWS Config
- Utilize AWS CloudTrail
- Use Amazon Macie with Amazon S3
- Be alert to AWS security advisories
Since AWS made the S3 bucket permissions check free in 2018, many professionals have adopted the available checks to help ensure security. The check detects S3 buckets that are publicly accessible because of ACLs or policies that grant read or write access to the public. Beyond this check, AWS provides a number of security options to consider as you develop and implement your own S3 security policies. Many may perceive these as the standard, but they should be treated as best practices or general guidelines, because they do not represent 1. your complete cloud portfolio, or 2. a complete security solution suited to your needs. They are good to adopt but might not be sufficient for the continuous governance model one should be looking for.
Another move by AWS, providing Trusted Advisor to incorporate best-practice checks, takes you one step closer, with even more security features along with optimisation methods. AWS Trusted Advisor helps you monitor AWS resources to improve security, performance and reliability by providing 50 checks, of which four are available to all users. A few of those relating to AWS S3 buckets are:
- Checks on the logging configuration of Amazon S3 buckets
- Security checks for Amazon S3 buckets that have open access permissions
- Fault tolerance checks for Amazon S3 buckets that do not have versioning enabled
- Fault tolerance checks for Amazon S3 buckets that have versioning suspended
AWS S3 Security Checklist
As many industry cloud experts will agree, using Trusted Advisor is definitely a good start, but it should not be treated as the whole and sole solution, as there are hundreds of additional recommendations and checks available for each and every service provided by AWS. Working on the same front is CloudEnsure, an autonomous cloud governance platform that provides more than 30 checks just for ensuring the security and optimisation of S3. A few of those checks (still far more than the competition’s complete set of recommendations) are listed below.
- Unencrypted S3 bucket
- Public READ permission on S3 bucket
- Public WRITE permission on S3 bucket
- Enable access logging for S3 bucket
- Enable S3 versioning
- Enable “Block Public Access” for S3 at account level
- “FULL_CONTROL” access to Authenticated Users in S3
- “READ” access to Authenticated Users in S3
- “READ_ACP” access to Authenticated Users in S3
- “WRITE” access to Authenticated Users in S3
- “WRITE_ACP” access to Authenticated Users in S3
- Enable MFA Delete for AWS S3 buckets
- Public access to S3 buckets via policy
- Public “READ_ACP” access
- Public “WRITE_ACP” access
- DNS-compliant S3 bucket names
- Enable S3 bucket lifecycle policies
- Enable S3 Object Lock
- S3 buckets with website hosting enabled
- Enforcing HTTPS while accessing S3 objects
- At-rest encryption of objects
- Limiting S3 bucket access to whitelisted IPs or IP ranges
- Enable AWS S3 Transfer Acceleration
- Ensure the S3 bucket is encrypted with a CMK
- Check for using S3 access points instead of S3 bucket policy
- Exposing the access point to all IAM users
- Disabling Block Public Access for an access point
- Check for use of access points via VPC
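As an added example (not CloudEnsure's or AWS's code), a small offline evaluator for several of the checks listed above: public and Authenticated Users ACL grants, public access via policy, HTTPS enforcement, Block Public Access, and default encryption with a KMS CMK. It assumes input dicts shaped like the responses of boto3's get_bucket_acl, get_bucket_policy (after parsing its JSON string), get_public_access_block and get_bucket_encryption, and runs against a constructed sample bucket.

```python
# Added example, not CloudEnsure's or AWS's code. Input dicts mimic the shapes boto3 returns
# from get_bucket_acl / get_bucket_policy (JSON parsed) / get_public_access_block / get_bucket_encryption.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def acl_findings(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups (READ, WRITE, READ_ACP, ...)."""
    out = []
    for g in acl.get("Grants", []):
        uri, perm = g.get("Grantee", {}).get("URI"), g["Permission"]
        if uri == ALL_USERS:
            out.append(f"public {perm} via ACL")
        elif uri == AUTH_USERS:
            out.append(f"{perm} granted to all authenticated AWS users")
    return out

def policy_findings(policy):
    """Unconditional Allow to everyone, and whether a Deny statement enforces HTTPS."""
    out, https_enforced = [], False
    for st in (policy or {}).get("Statement", []):
        everyone = st.get("Principal") in ("*", {"AWS": "*"})
        cond = st.get("Condition", {})
        if st["Effect"] == "Allow" and everyone and not cond:
            out.append(f"public access via policy: {st['Action']}")
        if st["Effect"] == "Deny" and everyone and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            https_enforced = True
    if not https_enforced:
        out.append("HTTPS not enforced (no Deny when aws:SecureTransport is false)")
    return out

def audit_bucket(cfg):
    """ACL, policy, Block Public Access and default-encryption (CMK) checks for one bucket."""
    out = acl_findings(cfg.get("acl", {})) + policy_findings(cfg.get("policy"))
    if not all(cfg.get("public_access_block", {}).get(k) for k in PAB_KEYS):
        out.append("Block Public Access not fully enabled")
    rules = cfg.get("encryption", {}).get("Rules", [])
    if not rules:
        out.append("unencrypted bucket (no default encryption rule)")
    elif rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] != "aws:kms":
        out.append("default encryption is SSE-S3, not a KMS CMK")
    return out
# Constructed sample: public-read ACL, open GetObject policy, no HTTPS rule, no encryption.
OPEN_BUCKET = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "public_access_block": {"BlockPublicAcls": False},
    "encryption": {},
}
```

Calling audit_bucket(OPEN_BUCKET) returns one finding per failed check; a bucket with only an owner grant, a Deny on aws:SecureTransport=false, all four Block Public Access flags on and aws:kms default encryption returns an empty list.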
Do More with CloudEnsure
CloudEnsure does not stop here: it does not just list the checks but runs them automatically, so that you are informed and have visibility every hour of every day. The application also provides recommendations and steps to remediate each issue, and even offers a “Fix Now” option for quick yet secure resolution. CloudEnsure not only considers suggestions from AWS and Trusted Advisor but incorporates recommendations from other cloud providers, cloud architects and industry SMEs, making it your go-to solution not just for S3 but for 100+ other services relevant to your portfolio.