Amazon S3 Security and Access Control Best Practices (STG301)

Title

AWS re:Invent 2022 - Amazon S3 security and access control best practices (STG301)

Summary

  • Block Public Access: Enable block public access at the account level to prevent accidental public exposure of S3 buckets.
  • Data Encryption: Use default encryption for S3 objects and employ bucket keys to reduce costs associated with KMS encryption.
  • IAM Policies: Use IAM policies to grant permissions within an account, and bucket policies to grant cross-account permissions.
  • Disable ACLs: Disable Access Control Lists (ACLs) for buckets to simplify permission management and ensure the bucket owner owns all objects.
  • Access Analyzer and Logging: Use Access Analyzer for S3 to review permissions and enable S3 Server Access Logs or AWS CloudTrail for auditing access patterns.
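The four Summary controls above (account-level Block Public Access, SSE-KMS default encryption with a bucket key, bucket policies for cross-account access, and ACLs disabled via Object Ownership) can be expressed as configuration documents and then checked before they are applied. The following Python is an added example written for this page, not code from the re:Invent session or from AWS: it builds the exact dictionaries that the boto3 calls named in the comments accept, and includes a small `public_statements` check that asks the same question Access Analyzer for S3 asks of a bucket policy. All account IDs, the key ARN and the bucket name are constructed placeholders.

```python
"""Hardened S3 configuration documents and a public-access check.

Added example for this summary page: builds the dictionaries boto3's S3 and
S3 Control clients expect for the recommended controls, and checks a bucket
policy for Allow statements that would grant access to everyone.
"""
import json

# Constructed sample identifiers; placeholders, not real accounts or keys.
BUCKET = "example-data-bucket"
OWNER_ACCOUNT = "111111111111"
PARTNER_ACCOUNT = "222222222222"
KMS_KEY_ARN = (
    f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/"
    "00000000-0000-0000-0000-000000000000"
)


def block_public_access_config() -> dict:
    """PublicAccessBlockConfiguration with all four settings on.
    Feeds s3control.put_public_access_block(AccountId=..., ...) at the
    account level, which is what the session recommends."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


def default_encryption_config(kms_key_arn: str) -> dict:
    """ServerSideEncryptionConfiguration for s3.put_bucket_encryption:
    SSE-KMS with a customer-managed key. BucketKeyEnabled makes S3 derive
    per-bucket data keys instead of calling KMS for every object, which is
    the cost reduction the talk mentions."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": True,
            }
        ]
    }


def ownership_controls_config() -> dict:
    """OwnershipControls for s3.put_bucket_ownership_controls.
    BucketOwnerEnforced disables ACLs: the bucket owner owns every object
    and only IAM and bucket policies govern access."""
    return {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}


def cross_account_bucket_policy(bucket: str, partner_account: str) -> dict:
    """Bucket policy (for s3.put_bucket_policy, as json.dumps(...)) that
    grants a partner account read access and rejects uploads that do not
    request SSE-KMS, so the default-encryption setting cannot be bypassed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PartnerRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
        ],
    }


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements whose principal is everyone
    ("*" or {"AWS": "*"}) and that carry no Condition at all.
    Simplification: any Condition is treated as a restriction; the real
    Access Analyzer reasons about which condition keys actually narrow it."""
    sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        values = aws if isinstance(aws, list) else [aws]
        if "*" in values and not stmt.get("Condition"):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


if __name__ == "__main__":
    policy = cross_account_bucket_policy(BUCKET, PARTNER_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("public Allow statements:", public_statements(policy))
```

The Deny statement is the reason the policy's own `Principal: "*"` is not flagged: `public_statements` only considers Allow statements, so a blanket Deny is fine while a blanket Allow is reported.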

Insights

  • Security as a Priority: AWS emphasizes security as a top concern, and S3's design reflects this with features like block public access and encryption options.
  • Encryption Options: S3 offers multiple encryption options, including SSE-S3, SSE-KMS with customer-managed keys, and SSE-KMS with AWS-managed keys. The choice depends on the customer's security and compliance requirements.
  • IAM Role Assumption: IAM role assumption is a recommended practice for managing permissions across different environments, such as production, testing, and development.
  • Cross-Account Access: For sharing S3 data across accounts, grant permissions with bucket policies; they are more scalable and manageable than individual ACLs.
  • S3 Access Points: Access points are a way to simplify access management for shared buckets by creating multiple namespaces with individual access point policies.
  • Disabling ACLs: The ability to disable ACLs for buckets is a new feature that simplifies permission management by ensuring the bucket owner owns all objects and permissions are governed by bucket policies.
  • Visibility and Auditing: Tools like Access Analyzer for S3 and logging features like S3 Server Access Logs and AWS CloudTrail are essential for reviewing permissions and auditing access to ensure compliance and security.
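The auditing point (S3 Server Access Logs in the Summary and the Visibility and Auditing insight) is only useful if someone actually reads the logs. The following Python is an added example written for this page, not code from the session or from AWS: it parses lines in the S3 server access log format and flags two things that should no longer appear once Block Public Access and BucketOwnerEnforced are in place, namely anonymous requests (an empty `requester` field) and attempts to change ACLs, and it counts 403 responses per source address. The three log lines are constructed, with fake request IDs and hashes.

```python
"""Triage S3 server access log lines for access patterns worth a look.

Added example for this summary page: a parser for the S3 server access log
format (bracketed timestamp, quoted request URI and user agent, bare fields)
and a triage pass over the parsed records.
"""
import re
from collections import Counter

# Field order of the S3 server access log format as AWS documents it.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]

# One token is either [bracketed], "quoted", or a bare run of non-space chars.
TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

# Constructed sample lines (fake IDs, hashes and hosts), not from a real bucket.
# REQ1: normal authenticated read. REQ2: anonymous read ("-" requester).
# REQ3: authenticated attempt to change the bucket ACL, denied.
SAMPLE_LOG = """\
aaaa1111 example-bucket [01/Jan/2024:10:00:00 +0000] 192.0.2.10 aaaa1111 REQ1 REST.GET.OBJECT report.csv "GET /report.csv HTTP/1.1" 200 - 512 512 12 10 "-" "aws-cli/2.13" - HOST1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
aaaa1111 example-bucket [01/Jan/2024:10:00:05 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT secret.txt "GET /secret.txt HTTP/1.1" 200 - 1024 1024 8 7 "-" "curl/8.1" - HOST2 - - - example-bucket.s3.amazonaws.com TLSv1.2 - -
aaaa1111 example-bucket [01/Jan/2024:10:00:09 +0000] 203.0.113.5 bbbb2222 REQ3 REST.PUT.ACL - "PUT /?acl HTTP/1.1" 403 AccessDenied - - 5 - "-" "boto3/1.28" - HOST3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2 - -
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict keyed by FIELDS.
    Missing trailing fields (older log versions) are filled with "-"."""
    tokens = [next(g for g in m.groups() if g is not None)
              for m in TOKEN.finditer(line)]
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    return dict(zip(FIELDS, tokens))


def parse_log(log_text: str) -> list:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def triage(log_text: str) -> list:
    """Return (request_id, reason) pairs for records that deserve review."""
    findings = []
    for rec in parse_log(log_text):
        if rec["requester"] == "-":
            findings.append((rec["request_id"], "anonymous request"))
        if rec["operation"].startswith("REST.PUT") and rec["operation"].endswith(".ACL"):
            findings.append((rec["request_id"], "ACL modification attempt"))
    return findings


def deny_counts(log_text: str) -> Counter:
    """Count 403 responses per source address; repeated denials from one
    address are a common sign of permission probing."""
    return Counter(rec["remote_ip"] for rec in parse_log(log_text)
                   if rec["http_status"] == "403")


if __name__ == "__main__":
    for request_id, reason in triage(SAMPLE_LOG):
        print(f"{request_id}: {reason}")
    print("403s by source:", dict(deny_counts(SAMPLE_LOG)))
```

Server access logs are delivered on a best-effort basis and with some delay, so this kind of pass is for periodic review and investigation; CloudTrail data events are the better source when a near-real-time alert on object-level access is needed.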