This content is part of the Essential Guide: Use this AWS cloud security guide to protect workloads

Use S3 bucket security best practices to cut off public access

AWS users need the benefits of S3 but not the security concerns that come along with it. Follow these guidelines to prevent the threat of public access to S3 buckets.

S3 is a pillar upon which many other Amazon cloud services are built. But plenty of companies that migrate to the cloud each day have no prior AWS experience, which makes S3 a big security concern.

S3 buckets are often exposed to public access, which leaves the entire business vulnerable. Whether you have confidential data and want to comply with certain regulations or you just don't want someone to create unnecessary costs on your AWS account, you should generally close S3 buckets off to the public. Let's go over some tips to boost S3 bucket security specifically and, with that, protect your cloud infrastructure generally.

Identify misconfigured S3 buckets

New AWS users often don't understand cloud business requirements or simply don't know how S3 works. These inexperienced users can misconfigure S3 buckets and change access control lists. This will subsequently open your S3 bucket to public access. To solve this, AWS made a search option available via AWS Management Console so users can easily identify unprotected S3 buckets within their accounts. There are also other tools and features you can use to protect S3 buckets.

Limit IAM permissions

To establish S3 bucket security, organizations can apply Identity and Access Management (IAM) frameworks and limit the number of users or groups with permissions to access the data in S3 buckets. When you apply the least-privilege principle, you ensure that everyone only has the access and resources necessary to do their particular job. This lessens the chance of human error and destructive changes in your cloud environment. Follow AWS IAM best practices, especially when you lock the root account and add multifactor authentication devices to each user. You can add another layer of security if you introduce restrictive S3 bucket policies, which enhance access control.

Set AWS Config rules

AWS Config audits various cloud configurations by monitoring and recording any changes in the environment. This tool shows you a detailed resource configuration history and lets administrators respond to any undesired changes with its configuration rules.

AWS Config can also help secure S3 buckets. In August 2017, Amazon added managed rules to Config that can protect buckets from public access. These rules -- s3-bucket-public-write-prohibited and s3-bucket-public-read-prohibited -- automatically scan for buckets that allow the public read or write access.

Use AWS Trusted Advisor

AWS Trusted Advisor inspects a given cloud environment with a goal to improve cost optimization, security, fault tolerance and performance. Its best practice checks monitor services. Use the Amazon S3 Bucket Permissions check, which scans for S3 buckets that were configured with open access permissions.

Add a layer of protection

In November 2018, AWS introduced S3 Block Public Access, which works at both the account and individual bucket level. This feature quickly blocks public access on all your existing buckets, which can be handy if you discover that some of them are compromised. However, you can also use this protection to prevent new buckets from being granted that type of access. Any account is susceptible to human error, so this feature alone will not protect you. But it will make mistakes less likely to happen in the first place.

Unless you have a specific case where you want S3 buckets open to the public -- such as an online repository document -- close buckets off, and properly secure them.

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality