AWS S3 Security Best Practices & Tips


Amazon Web Services (AWS) S3 has emerged as a leading object storage service. Known for its simplicity, it allows organizations to store, access, and retrieve data globally via a web interface. Popular among developers, AWS S3 facilitates a range of functions from adding metadata to objects and managing data across storage classes, to conducting big data analytics.

However, its popularity doesn’t shield it from security risks. Misconfigurations, excessive S3 permissions, and overlooked bucket policies can lead to data breaches. Gartner highlighted that through 2022, 95 percent of cloud security failures would be due to customer errors. Luckily, enterprises can control their end of the AWS shared responsibility model.

The following blog will review S3 security best practices and first steps to take when leveraging the service. Let’s first outline the risks your storage service might face.

Common Risks in Cloud Storage

Before we dive into best practices, let’s take a quick look at some common risks faced in cloud storage, particularly with AWS S3:

  • Public Access Misconfiguration: Improperly configured access settings can lead to unauthorized access to your S3 buckets, potentially exposing sensitive data to the public.
  • Inadequate Access Controls: Insufficient access controls may result in unauthorized users gaining access to your S3 buckets, compromising data confidentiality and integrity.
  • Exposed Logging and Monitoring Data: Misconfigurations in logging and monitoring settings might inadvertently expose critical information about your cloud environment.
  • Data Overexposure: Data intended for internal use can become accessible to unauthorized parties due to misconfigurations, leading to potential data leaks.
  • Unencrypted Data: Leaving data unencrypted can expose it to potential interception and unauthorized access.

To better understand the risks associated with AWS S3 and explore best practices to mitigate them, consider AWS security tools, dedicated to securing AWS services.


Best Practices To Secure Your S3 Buckets  

1. Block Public Access to S3

By default, S3 buckets are not publicly accessible. It’s crucial to keep them private unless public access is necessary. Use the S3 Block Public Access settings to prevent public exposure, regardless of how the resources are created. These settings allow administrators to centralize control and ensure maximum protection.

2. Identify Bucket Policies that Allow Wildcard IDs

Be wary of S3 bucket policies that use a wildcard (‘*’) in the Principal or Action field; such statements can grant access far more broadly than intended. Regularly review and update policies so they grant access only to specific, non-wildcard entities such as particular AWS Users, Principals, Service Principals, or IP ranges (CIDRs).

According to AWS, this may include one or more of the following: 

  • A set of Classless Inter-Domain Routings (CIDRs) using aws:SourceIp
  • An AWS User, Principal, or Service Principal
  • aws:SourceArn
  • aws:SourceVpc
  • aws:SourceVpce
  • aws:SourceOwner
  • aws:SourceAccount
  • s3:x-amz-server-side-encryption-aws-kms-key-id
  • aws:userid, outside the pattern “AROLEID:*”
  • s3:DataAccessPointArn
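The check described above can be automated against policy documents exported from your account. The following Python script is an added example (not AWS's or Sonrai's code): it parses a bucket policy, reports every Allow statement whose Principal is a wildcard, and treats a statement as acceptably scoped only when its Condition block uses one of the keys listed above. The sample policy, bucket name, VPC ID and account ID are constructed for the demonstration.

```python
"""Audit S3 bucket policies for statements open to any principal.
Added example, not AWS's or Sonrai's code; the sample policy below is
constructed for illustration."""
import json

# Condition keys that, per the AWS guidance above, can narrow a
# wildcard-principal statement down to a specific source.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceip", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceowner", "aws:sourceaccount", "aws:userid",
    "s3:x-amz-server-side-encryption-aws-kms-key-id", "s3:dataaccesspointarn",
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def has_restricting_condition(statement):
    """True when any Condition in the statement uses one of the scoping keys."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def find_open_statements(policy_json):
    """Return findings for Allow statements with a wildcard Principal and no
    restricting condition. Each finding records the Sid (or index) and the
    actions, plus whether an action itself contains a wildcard."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with "*" are a common, safe pattern
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if has_restricting_condition(stmt):
            continue
        actions = _as_list(stmt.get("Action"))
        findings.append({
            "sid": stmt.get("Sid", f"Statement[{index}]"),
            "actions": actions,
            "wildcard_action": any("*" in a for a in actions),
        })
    return findings


# Constructed sample policy: one genuinely public statement, one scoped by
# aws:SourceVpc, one granted to a specific role, and a Deny for plain HTTP.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
})

if __name__ == "__main__":
    for finding in find_open_statements(SAMPLE_POLICY):
        print(f"{finding['sid']}: open to any principal, actions={finding['actions']}")
```

Only `PublicRead` is reported: `VpcOnly` is scoped by `aws:SourceVpc`, `AppRole` names a specific principal, and the Deny statement is the recommended way to refuse unencrypted transport, not a grant. Feed the output of `aws s3api get-bucket-policy` for each bucket into `find_open_statements` to turn this into a recurring audit.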

3. Inspect Implementations with Tools

Employ tools like AWS Trusted Advisor for an initial assessment of your S3 setup. For ongoing monitoring and advanced analysis, consider AWS Config rules like s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited. Additionally, tools like Sonrai can provide deeper insights and help enforce security controls.

4. Enable Multi-factor Authentication (MFA) Delete

Enhance your bucket security by enabling Multi-factor Authentication (MFA) Delete. This feature requires additional authentication for permanently deleting an object version or changing the bucket’s versioning state, adding an extra layer of security.

When a bucket is MFA Delete-enabled, a bucket owner must include the ‘x-amz-mfa’ request header in requests to permanently delete an object version or change the bucket’s versioning state.

In addition, requests that include ‘x-amz-mfa’ must be sent over HTTPS. The header’s value is the authentication device’s serial number, a space, and the authentication code. A request that omits this information in the header will fail.

5. Encrypt Everything

Ensure all data is encrypted in transit and at rest. Utilize client-side encryption or SSL/TLS for secure data transmission to and from S3. Data stored on S3 should always be encrypted to safeguard it from unauthorized access.

6. Use S3 Object Lock

Use S3 Object Lock for a write-once read-many (WORM) model. This protects your objects from being overwritten or deleted for a specified duration or indefinitely, adding robustness to your data integrity.

7. Enable Versioning 

Versioning safeguards your data against unintended user actions and application failures. It keeps every version of an object stored in the bucket, ensuring data durability and recovery options.

8. Use Multi-Region Application 

Utilize AWS’s Multi-Region Application Architecture for fault-tolerant applications. This setup uses S3 Cross-Region replication and DynamoDB Global Tables for asynchronous data replication across primary and secondary regions, enhancing disaster recovery capabilities.

9. Enforce Least Privilege Access

Minimize unauthorized access risks by enforcing least privilege access. Use AWS tools like IAM user policies, Permissions Boundaries, S3 bucket policies, bucket ACLs, and Service Control Policies. Additionally, maintain a thorough record of all identities with access to your S3 resources.


Where to Start in Securing S3 buckets?

Identify and audit all your AWS S3 buckets

Utilize Amazon’s Tag Editor for tagging S3 resources that are crucial for security and audits. Consider employing AWS S3 inventory for detailed audits on the replication and encryption status of your objects, crucial for compliance and regulatory requirements. Additionally, create resource groups specifically for your Amazon S3 resources to manage and audit them effectively.
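As a worked illustration of the S3 Inventory audit above, and of the "Encrypt Everything" practice from section 5, the following Python script is an added example (not AWS's or Sonrai's code). S3 Inventory CSV reports carry no header row; the column order is given by the `fileSchema` string in the report's `manifest.json`. The manifest fragment and inventory rows below are constructed, and the column subset they use (`EncryptionStatus`, `ReplicationStatus`) is a selection from the optional fields an inventory can include.

```python
"""Report unencrypted objects and failed replications from an S3 Inventory
CSV report. Added example, not AWS's or Sonrai's code; the manifest schema
and data rows are constructed for illustration."""
import csv
import io
import json
from collections import Counter

# Constructed manifest fragment: fileSchema lists the CSV columns in order.
SAMPLE_MANIFEST = json.dumps({
    "sourceBucket": "example-bucket",
    "fileFormat": "CSV",
    "fileSchema": "Bucket, Key, Size, StorageClass, EncryptionStatus, ReplicationStatus",
})

# Constructed inventory rows (in practice a gzipped CSV referenced by the manifest).
SAMPLE_INVENTORY_CSV = (
    '"example-bucket","reports/q1.pdf","10240","STANDARD","SSE-KMS","COMPLETED"\n'
    '"example-bucket","reports/q2.pdf","20480","STANDARD","SSE-S3","COMPLETED"\n'
    '"example-bucket","exports/customers.csv","4096","STANDARD","NOT-SSE",""\n'
    '"example-bucket","tmp/debug.log","512","STANDARD_IA","NOT-SSE","FAILED"\n'
)


def schema_columns(manifest_json):
    """Parse the comma-separated fileSchema into an ordered list of column names."""
    manifest = json.loads(manifest_json)
    return [column.strip() for column in manifest["fileSchema"].split(",")]


def parse_inventory(manifest_json, csv_text):
    """Yield one dict per object, keyed by the manifest's column names."""
    columns = schema_columns(manifest_json)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != len(columns):
            raise ValueError(f"row has {len(row)} fields, schema has {len(columns)}")
        yield dict(zip(columns, row))


def unencrypted_objects(manifest_json, csv_text):
    """Keys whose EncryptionStatus is NOT-SSE, i.e. stored without server-side encryption."""
    return [obj["Key"] for obj in parse_inventory(manifest_json, csv_text)
            if obj.get("EncryptionStatus") == "NOT-SSE"]


def replication_failures(manifest_json, csv_text):
    """Keys whose cross-region replication did not complete."""
    return [obj["Key"] for obj in parse_inventory(manifest_json, csv_text)
            if obj.get("ReplicationStatus") == "FAILED"]


def encryption_summary(manifest_json, csv_text):
    """Count objects per EncryptionStatus, a simple compliance metric."""
    return Counter(obj.get("EncryptionStatus", "")
                   for obj in parse_inventory(manifest_json, csv_text))


if __name__ == "__main__":
    print(dict(encryption_summary(SAMPLE_MANIFEST, SAMPLE_INVENTORY_CSV)))
    for key in unencrypted_objects(SAMPLE_MANIFEST, SAMPLE_INVENTORY_CSV):
        print("unencrypted:", key)
    for key in replication_failures(SAMPLE_MANIFEST, SAMPLE_INVENTORY_CSV):
        print("replication failed:", key)
```

Driving the parser from the manifest rather than hard-coding column positions matters because the columns present depend on which optional fields were selected when the inventory was configured; a report with a different selection would otherwise be silently misread.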

Implement monitoring using monitoring tools

Leverage AWS services such as CloudWatch to monitor key metrics of Amazon S3, like PutRequests, GetRequests, 4xxErrors, and DeleteRequests. These metrics are vital for maintaining the security, availability, and performance of your S3 resources.

Enable Amazon S3 server access logging

Activate server access logging for your buckets to obtain detailed records of requests. This information is essential for security and access audits, providing insights into user interactions and potential security incidents.
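To show what "insights into user interactions and potential security incidents" look like in practice, the following Python script is an added example (not AWS's or Sonrai's code) that parses the space-delimited server access log layout and runs three detections over it: successful anonymous requests (the bucket actually served data to an unauthenticated caller), delete operations, and repeated AccessDenied responses from one IP. The log lines are constructed with shortened owner, request and host IDs; the requester ARN format and the `threshold` parameter are assumptions for the demonstration.

```python
"""Parse S3 server access log lines and flag security-relevant requests.
Added example, not AWS's or Sonrai's code. Log lines are constructed
(shortened IDs) in the space-delimited server access log layout."""
import re
from collections import Counter

# Leading fields of an S3 server access log record, in order. Fields after
# these (host ID, signature version, cipher, ...) are kept under "extra".
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent", "version_id"]

# A token is a [bracketed timestamp], a "quoted string", or a run of non-spaces.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample log: an authenticated read, two anonymous reads (one
# served, one denied), an anonymous list attempt, and an authenticated delete.
SAMPLE_LOG = """\
OWNER1 example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 OWNER1 REQ1 REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 10240 10240 12 9 "-" "aws-cli/2.0" - HOST1 SigV4
OWNER1 example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT exports/customers.csv "GET /exports/customers.csv HTTP/1.1" 200 - 4096 4096 8 5 "-" "curl/7.88" - HOST1 -
OWNER1 example-bucket [06/Feb/2019:00:01:10 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT secret/keys.txt "GET /secret/keys.txt HTTP/1.1" 403 AccessDenied - - 3 - "-" "curl/7.88" - HOST1 -
OWNER1 example-bucket [06/Feb/2019:00:01:11 +0000] 198.51.100.7 - REQ4 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied - - 3 - "-" "curl/7.88" - HOST1 -
OWNER1 example-bucket [06/Feb/2019:00:02:00 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice REQ5 REST.DELETE.OBJECT reports/q1.pdf "DELETE /reports/q1.pdf HTTP/1.1" 204 - - - 6 4 "-" "aws-cli/2.0" - HOST1 SigV4
"""


def parse_line(line):
    """Tokenize one record into a dict keyed by FIELDS; strip delimiters."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("short record: " + line[:60])
    record = dict(zip(FIELDS, tokens))
    record["time"] = record["time"].strip("[]")
    record["request_uri"] = record["request_uri"].strip('"')
    record["referer"] = record["referer"].strip('"')
    record["user_agent"] = record["user_agent"].strip('"')
    record["extra"] = tokens[len(FIELDS):]
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def anonymous_successes(records):
    """Unauthenticated requests (requester "-") that returned 2xx: evidence
    that the bucket is serving content publicly, whatever the intent."""
    return [r for r in records
            if r["requester"] == "-" and r["http_status"].startswith("2")]


def delete_operations(records):
    """(requester, key) for every REST.DELETE.* operation."""
    return [(r["requester"], r["key"]) for r in records
            if r["operation"].startswith("REST.DELETE.")]


def access_denied_by_ip(records, threshold=2):
    """Source IPs that collected at least `threshold` AccessDenied responses,
    a cheap signal for someone probing the bucket."""
    counts = Counter(r["remote_ip"] for r in records
                     if r["error_code"] == "AccessDenied")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in anonymous_successes(records):
        print("served anonymously:", r["key"], "to", r["remote_ip"])
    for requester, key in delete_operations(records):
        print("delete:", key, "by", requester)
    print("AccessDenied by IP:", access_denied_by_ip(records))
```

The tokenizer is the important part: the timestamp and the quoted request URI and user agent contain spaces, so a plain `split()` misaligns every field after them. Server access logs are delivered on a best-effort basis and with delay, so treat these detections as an audit trail complement to CloudTrail rather than a real-time alarm.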

Use AWS CloudTrail

CloudTrail offers detailed logs of actions taken in your S3 bucket, including request types, IP addresses, and the identity of the requester. Set up a trail in the CloudTrail console to continuously record activities. Configure CloudTrail to log specific S3 data events like GetObject, DeleteObject, and PutObject, which are crucial for monitoring and auditing object-level interactions. Use the AWS Config managed rule ‘cloudtrail-s3-dataevents-enabled’ to verify that CloudTrail is logging these data events.
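The following Python script is an added example (not AWS's or Sonrai's code) of consuming the S3 data events described above. It filters a CloudTrail log file down to `GetObject`, `PutObject` and `DeleteObject` records and applies two checks: deletes by an identity outside an expected set, and data-event access from outside internal address space. The records are constructed, trimmed-down CloudTrail entries; the allow-listed role ARN, the `10.0.0.0/8` internal range and the account IDs are assumptions for the demonstration.

```python
"""Filter CloudTrail S3 data events for suspicious activity. Added example,
not AWS's or Sonrai's code; records, identities and network ranges are
constructed for illustration."""
import ipaddress
import json

# Constructed CloudTrail log file with the fields the checks below need.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.pdf"}},
    {"eventTime": "2024-01-15T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "readOnly": False,
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.pdf"}},
    {"eventTime": "2024-01-15T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"bucketName": "example-bucket", "key": "uploads/new.bin"}},
    {"eventTime": "2024-01-15T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True,
     "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-bucket", "key": "exports/customers.csv"}},
    {"eventTime": "2024-01-15T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
     "sourceIPAddress": "10.0.1.30", "requestParameters": {}},
]})

# Assumed allow-list: the only identity expected to delete objects.
ALLOWED_DELETERS = {"arn:aws:sts::123456789012:assumed-role/app/i-0abc"}
# Assumed internal address space for the workloads that use the bucket.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
DATA_EVENTS = ("GetObject", "PutObject", "DeleteObject")


def s3_data_events(trail_json):
    """Keep only S3 object-level data events; management events are dropped."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") in DATA_EVENTS]


def identity_of(record):
    """Principal ARN, or type:accountId when no ARN is present (e.g. AWSAccount)."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or f"{ident.get('type')}:{ident.get('accountId')}"


def is_internal(ip_text):
    """True when the source address falls inside INTERNAL_NETWORKS. CloudTrail
    may record a service name instead of an address; treat that as external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def unexpected_deletes(trail_json):
    """(identity, key) for DeleteObject events by identities not on the allow-list."""
    return [(identity_of(r), r["requestParameters"].get("key"))
            for r in s3_data_events(trail_json)
            if r["eventName"] == "DeleteObject"
            and identity_of(r) not in ALLOWED_DELETERS]


def external_access(trail_json):
    """(identity, source IP, outcome) for data events from outside internal space."""
    return [(identity_of(r), r["sourceIPAddress"], r.get("errorCode", "Success"))
            for r in s3_data_events(trail_json)
            if not is_internal(r["sourceIPAddress"])]


if __name__ == "__main__":
    for identity, key in unexpected_deletes(SAMPLE_TRAIL):
        print("unexpected delete of", key, "by", identity)
    for identity, ip, outcome in external_access(SAMPLE_TRAIL):
        print("external access:", identity, "from", ip, outcome)
```

Note that the denied cross-account read still appears in `external_access`: a failed request is often the more useful signal, since it shows someone outside the account attempting to reach a specific key. The same `unexpected_deletes` logic pairs naturally with MFA Delete and Object Lock from the best-practices list, which prevent the deletion; the log check tells you that someone tried.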

Enable AWS Config

Implement AWS Config to assess, audit, and evaluate the configurations of your AWS resources against your desired secure configurations. AWS Config is instrumental in tracking configuration changes and relationships between resources, enabling detailed investigations into resource configuration histories and overall compliance with internal standards.

Cover S3 Security Gaps with Sonrai

Sonrai Security is a Cloud IAM platform that graphs all possible connections between cloud identities, their permissions, and their access to sensitive applications, data, and services like S3. Beyond correct configuration, the best way to protect S3 buckets and the service overall is managing access to the service.

The Sonrai Platform keeps an ongoing inventory of every identity with access to S3 and knows exactly what actions they are able to take. The platform alerts you to any unintended or dangerous access risks so your teams can remediate. See the platform solution below.



Q: What are some common risks and threats to S3 bucket security?

A: Common risks include public access misconfiguration, inadequate access controls, exposed logging and monitoring data, data overexposure, and unencrypted data.

Q: How can I protect my S3 buckets?

A: You can protect your S3 buckets by following best practices, such as blocking public access, enabling encryption, using access controls, and monitoring your buckets’ configurations.

Q: What is an AWS S3 bucket ACL (Access Control List)?

A: An AWS S3 bucket ACL is a set of permissions that control which AWS accounts or users can access the bucket and what actions they can perform on the objects within it.

Q: Why is an AWS S3 bucket ACL important for security?

A: An AWS S3 bucket ACL is crucial for security as it ensures that only authorized users and services have access to your bucket, reducing the risk of data breaches and unauthorized access.

Q: Are there any tools that can help me enforce security best practices for S3 buckets?

A: Yes, tools like the Sonrai Security Platform can help you enforce security best practices, identify risks, and enhance your S3 bucket security.