S3 Bucket Security Flashcards
IAM policies
S3 bucket security
defines API calls allowed for specific IAM principal
S3 bucket security
IAM policy basis
S3 bucket security
user or principal basis
S3 bucket security
resource-based policies (3)
S3 bucket security
- bucket policies
- object ACL
- bucket ACL
S3 bucket security
bucket policies
resource-based policies
JSON policy applied to entire bucket
resource-based policies
security benefit
bucket policies
allows access across accounts
bucket policies
policy JSON fields (4)
bucket policies
- resource
- effect
- action
- principal
bucket policies
public access
bucket policies
option to allow anyone on the Internet to access objects
bucket policies
public access default
bucket policies
blocked to prevent data leaks
bucket policies
object ACL
S3 bucket security
optional finer-grained policies per object
S3 bucket security
bucket ACL
S3 bucket security
legacy but still valid method of access control
S3 bucket security
permission logic
S3 bucket security
IAM principal has access if IAM policy OR resource policy allows it, AND no explicit deny
S3 bucket security
optional security feature
S3 bucket security
encryption
S3 bucket security
Server-side Encryption (3)
S3 bucket security
- SSE-S3
- SSE-KMS
- SSE-C
S3 bucket security
SSE-S3
Server-side Encryption
Amazon S3 manages keys
Server-side Encryption
Feature
SSE-S3
Default option for SSE
SSE-S3
HTTP Header
SSE-S3
"x-amz-server-side-encryption": "AES256"
SSE-S3
SSE-KMS
Server-side Encryption
Customer manages keys in AWS KMS
Server-side Encryption
Auditing option
SSE-KMS
Key usage may be audited in CloudTrail
SSE-KMS
HTTP Header
SSE-KMS
"x-amz-server-side-encryption": "aws:kms"
SSE-KMS
Limitation
SSE-KMS
KMS calls count towards the KMS API quota
SSE-KMS
SSE-C
Server-side Encryption
customer manages and stores keys
Server-side Encryption
Client-side encryption
S3 bucket security
files are encrypted and decrypted outside of S3
S3 bucket security
Encryption in transit
S3 bucket security
HTTPS using SSL/TLS
S3 bucket security
How to block HTTP access
Encryption in transit
- Policy with "Deny" effect
- condition "aws:SecureTransport": "false"
Encryption in transit