Amazon S3 Security

Question 1

How many methods of encryption are there for S3?

Answer 1

4

Question 2

Sever-Side encryption with Amazon S3-Managed Keys (SSE-S3) - Default

Answer 2

encrypts objects using keys handled, managed, and owned by AWS

Question 3

Server-Side Encryption with KMS keys stored in AWS KMS (SSE-KMS)

Answer 3

Leverage AWS Key Management Service (AWS KMS) to manage encryption keys

Question 4

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Answer 4

When you want to manage your own encryption keys

Question 5

Client Side Encryption

Answer 5

This happens on the client server

Question 6

How does S3 Encryption - SSE S3 work

Answer 6

Encryption using keys handled, managed, owned by AWS

Server side encryption

Type is AES 256

header must include “x-amz-server-side-encryption”:”AES256”

enabled by default

Question 7

Amazon S3 Encryption - SSE-S3 architecture

Answer 7

User uploads HTTP(S) + Header to Amazon S3.

The object is paired with S3 Owned Key, and is encrypted moving to the encrypted S3 Bucket

Question 8

Advantages of SSE-KMS?

Answer 8

keys are handled by AWS KMS

there is user control & audit key usage using CloudTrail (logs everything that happens)

Object is encrypted server side

header = x-amz-server-side-encryption”:”awsLkms”

Question 9

SSE-KMS encryption architecture

Answer 9

User uploads HTTP(S) & KMS header into Amazon S3.

Object is created and is combined with KMS key from AWS KMS. Then it gets encrypted and moved to the S3 Bucket

Question 10

SSE-KMS Limitations

Answer 10

When you uplaod it calls GenerateDataKey KMS API.

When downloading it calls Decrypt KMS API.

This means that you are quoted and charged for each call.

Can result in throttling use case

Question 11

SSE-KMS API calls architecture

Answer 11

User upload/download SEE-KMS.

S3 Bucket calls API KMS Key

Question 12

SSE-C encryption

Answer 12

Server-Side encryption using keys managed by customer outside AWS.

Amazon S3 does NOT store keys you provide

MUST use HTTPS

Encryption key must provide in HTTP headers for every HTTP request made

Question 13

SSE-C architecture

Answer 13

User uploads file and key (HTTP ONLY & Key in header).

Amazon S3 uses Client-provided key and object, encrypts it and then moves it to S3 bucket.

To read it you need the key provided.

Question 14

S3 Client-Side Encryption

Answer 14

use client libraries such as Amazon S3 Client-Side Encryption Library

clients must encrypt data before sending to S3

also must decrypt data when retrieving from S3

Customer fully manages keys and encryption cycle

Question 15

Client-Side Encryption Architecture

Answer 15

File & Client key are encrypted. Then the encrypted file is uploaded via HTTP(S) to Amazon S3 Bucket

Question 16

Encryption in Transit (SSL/TLS)

Answer 16

HTTPS recommended when using amazon S3

And HTTPS mandatory for SSE-C

Question 17

How do you force encryption in transit? aws:SecureTransport

Answer 17

Add Bucket Policy onto S3 Bucket that says “aws:SecureTransport”: “false”

Blocks all HTTP traffic and allows only HTTPS

Question 18

Default Encryption vs Bucket Policies

Answer 18

SSE-S3 is automatically applied to new objects

You can also Force encryption using bucket policies and refuse any API call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C)

Question 19

Are Bucket Policies evaluated before “Default Encryption”?

Answer 19

Yes

Question 20

What does CORS mean?

Answer 20

Cross-Origin Resource Sharing (CORS)

Question 21

What is Origin in CORS?

Answer 21

scheme (protocol) + host (domain) + port

e.g. https://www.example.com = port is 443 for HTTPS, 80 for HTTP)

Question 22

What is CORS? technical

Answer 22

Web Browser based mechanism to allow requests to other origins while visiting the main origin

same origin = http://example.com/app1

&

http://example.com/app2

Question 23

Give an example of same origin CORS

Answer 23

same origin = http://example.com/app1

&

http://example.com/app2

Question 24

Give an example of different origin CORS

Answer 24

http://www.example.com

&

http://other.example.com

Question 25

What happens if you do not use CORS Headers?

Answer 25

The requests won’t be fulfilled unless the other origin allows for the requests.

e.g. Access-Control-Allow-Origin

Question 26

CORS Architecture

Answer 26

Web server (origin) https://www.example.com

Web Browser

Web Server (Cross-Origin) https://www.other.com

Web browser requests via HTTPS information on origin web server. The Origin Web server tells the web browser they can have this information but the other information is on the cross origin server.

The web browser sends preflight request to cross-origin server saying I want this information, you are the host, and this is the origin server.

Cross-origin server says, origin server is allowed to use methods GET, PUT, DELETE in a preflight response.

Then the Web Server will make a request to the Cross Origin server and make these calls.

Question 27

How does CORS apply to S3?

Answer 27

If client makes cross-origin request on our S3 bucket, we need to enable correct CORS headers.

Question 28

What can you do with origins in CORS?

Answer 28

Can allow for specific origin or * all origins

Question 29

CORS on S3 architecture

Answer 29

Web browser sends GET/index.html request to host bucket.

Host bucket sends index.html to web browser.

In that index.html there is an image called coffee.jpg which is hosted on the other S3 bucket.

To use that, the web browser makes a GET/images/coffee.jpg request to the other bucket saying, you are the target host of this image, and the origin for the request is the other S3 bucket.

If CORS headers are configured correctly, then the second S3 bucket will do an Access-Control-Allow-Origin and allow the Web Browser to retrieve the coffee.jpg image and display it.

Question 30

What is MFA Delete?

Answer 30

When you need to delete an object version permanently or suspend versioning on the bucket you will be asked for an MFA code

Question 31

What do you need to have to use MFA delete?

Answer 31

Bucket Versioning must be enabled

Question 32

Who can enable/disable MFA delete?

Answer 32

Only the root account (bucket owner)

Question 33

S3 Access Logs

Answer 33

Any request from any acc, auth or denied, gets logged into another S3 bucket

Question 34

What can you do with S3 logs?

Answer 34

analyse them with tools such as athena

Question 35

Where does the target logging bucket must be?

Answer 35

same AWS region

Question 36

What should you never do with S3 logs?

Answer 36

Do not set your logging bucket to be the monitored bucket.

if you do you will create a logging loop

Question 37

Pre Signed URLs

Answer 37

Generate pre-signed urls using S3 Console, AWS CLI or SDK

Question 38

URL expiration

Answer 38

S3 console = 1 - 720 mins (12 hours)
AWS CLI - 3600 604800 sec (168 hours)

Question 39

What is the purpose of a pre-signed url?

Answer 39

Users given a pre-signed URL inherit the permissions of the user that generated the URL for GET /PUT

Question 40

Pre-Signed URL use case (architecture)

Answer 40

You have a private S3 bucket and want to share a file within that bucket.

You generate pre-signed URL, send that URL to the user, and they can use that URL to download only that specific file

Question 41

S3 Glacier Vault Lock

Answer 41

Adopt a WORM (Write Once Read Many) model

Question 42

How do you create S3 Glacier Vault Lock?

Answer 42

Create a Vault Lock Policy

Question 43

What happens if you lock the policy for future edits?

Answer 43

Can no longer be changed or deleted

Question 44

When is a Glacier Vault Lock helpful?

Answer 44

For compliance and data retention

Question 45

S3 Object Lock (different than S3 Glacier Vault Lock)

Answer 45

WORM (Write Once Read Many) model

Blocks an object version deletion for a specified amount of time

Question 46

What is Retention Mode Compliance in S3 Object Lock?

Answer 46

object versions cannot be overwritten or deleted by any user, including root user

object retention modes cant be changed and retention periods cant be shortened

Question 47

What is Retention Mode Governance in S3 Object Lock?

Answer 47

most users cant overwrite or delete an obj version or alter its lock settings

some users have special permissions to change the retention or delete the object

Question 48

What is a retention period

Answer 48

protect the object for a fixed period, it can be extended

Question 49

What is Legal Hold

Answer 49

protect the object indefinitely, independent of retention period

can be freely placed and removed using S3:PutObjectLegalHold IAM permission

Question 50

S3 Access Points

Answer 50

Create access points for each S3 location and assign a Policy for Read/Write to it. Then connect the group of users you want to use that access point.

For example Finance users will access that access point and only be able to read/write in the S3 bucket /finance folder.

Question 51

Why do we need access points?

Answer 51

To simplify security management for S3 Buckets

Question 52

What do each access point have?

Answer 52

Its own DNS (Internet Origin or VPC origin)

Question 53

Access point policy

Answer 53

similar to bucket policy - manage security at scale

Question 54

Access Points within VPC Origin

Answer 54

EC2 instances talks to VPC endpoint (has an endpoint policy) and outside the VPC there is an access point VPC Origin with an access point policy attached. Then that talks to the S3 bucket which also has a bucket policy

Basically define access point to be accessible only from within the VPC

Question 55

What do you need to create to have access the Access the Access point (gateway or interface endpoint) within a VPC?

Answer 55

VPC Endpoint

Question 56

What does the VPC endpoint policy must do to have access to the target bucket and access point?

Answer 56

Policy must be set to allow

Question 57

S3 Object Lambda

Answer 57

Write code and invoke Lambda to change an object after it was taken from the bucket and before the caller application receives it