What are the top 5 Amazon S3 storage security best practices?
Public bucket access is a prevalent and discussed S3 security issue. However, there are several other important security measures to take, including monitoring and MFA.
Storage security is a major concern for IT. Cloud storage -- specifically Amazon S3 -- can be particularly vulnerable if administrators aren't careful.
These five Amazon S3 storage security best practices -- including bucket settings and encryption -- stand out as the most important steps for admins.
1. Secure S3 buckets
The most common S3 storage security mistake organizations make is accidentally granting public access to buckets.
Access to S3 buckets is granted through an access control list (ACL). It is easy to accidentally configure these ACLs to enable public access. Fortunately, Amazon offers four settings to block public access:
Admins can apply these settings to individual buckets, access points, an AWS account or any combination of the three. If admins decide to block all public access to S3 buckets, Amazon recommends enabling all four settings by setting them to True.
2. Identity and access management
Identity and Access Management (IAM) controls S3 storage access. In general, adhere to least privilege access principles. Give users the bare minimum permissions that they need to do their jobs.
Amazon recommends that admins separate read, write and delete access into individual IAM roles. This S3 security process makes it easier to grant write or delete access solely to the users who require it, instead of giving all users full access.
As with any storage system, encrypt any data in S3. Two options are available to encrypt data: client-side and server-side encryption.
Server-side encryption is the simpler of the two options and encrypts data as it is written to AWS storage. Admins can base server-side encryption on an Amazon-managed key, a customer master key or a customer-provided key.
Client-side encryption is more difficult to implement but is the better S3 storage security choice for admins concerned about decrypted data. Client-side encryption encrypts the data before it is sent to AWS. The encryption keys are maintained outside of the Amazon cloud. This approach guarantees that Amazon cannot decrypt user data but also means that admins must be careful not to lose the encryption key.
4. Multi-factor authentication
Require multi-factor authentication (MFA) for anyone who accesses data stored in AWS. MFA prevents anyone from accessing data using stolen account credentials.
An additional form of authentication is necessary beyond just a username and password. Amazon supports three MFA mechanisms -- a virtual MFA device, a Fast ID Online security key or a hardware device that generates a six-digit, time-synchronized code.
Enable server access logging, which tracks S3 access requests. That way, admins can see who accessed S3 buckets and when.
Logging also helps admins to know if unauthorized users attempt to gain access to storage resources.