What's the best way to secure Amazon S3 buckets?
Our enterprise stores different types of data, including video and graphics, in Amazon S3. What options are available to secure Amazon S3 buckets and encrypt our data?
Amazon S3 buckets and objects are reachable from the Internet, and the AWS network controls that protect other resources, such as security groups and network access control lists, do not apply to data in S3. There are, however, several ways to protect the confidentiality, integrity and availability of data in S3.
By default, objects created in Amazon Simple Storage Service (S3) are only accessible to the person who created them. Owners can grant access to others in both coarse-grained and fine-grained ways. An owner, for example, could make a data set publicly available so anyone with the URL to the object can access it.
Alternatively, owners can use S3 bucket policies and AWS Identity and Access Management (IAM) users and groups to allow access to a limited set of users. S3 policies can also restrict operations based on properties of the network connection. If you want only users on your corporate network to access objects in S3, write a policy that requires all connections to come from a range of trusted IP addresses; attempts to access objects from other addresses are then denied.
To ensure that data is encrypted in transit when it is downloaded from S3, deny access to any connection that is not SSL encrypted.
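The two policy controls just described, as an added example that is not part of the original article: a bucket policy with explicit Deny statements for requests outside a trusted address range (`aws:SourceIp`) and for plaintext HTTP (`aws:SecureTransport`), plus a small evaluator that shows which sample requests those conditions reject. The bucket name and CIDR are constructed placeholders; the evaluator models only these two conditions, not full IAM evaluation, and the policy still needs a separate Allow (IAM or bucket policy) for anyone to get access.

```python
import ipaddress
import json

# Constructed sample values: placeholder bucket name and a TEST-NET range
# standing in for the corporate egress addresses.
BUCKET = "example-corp-media"
TRUSTED_CIDRS = ["203.0.113.0/24"]


def build_bucket_policy(bucket, trusted_cidrs):
    """Bucket policy with two explicit Deny statements: one for requests that do
    not originate from the trusted range, one for connections without TLS."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideCorporateNetwork",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"NotIpAddress": {"aws:SourceIp": trusted_cidrs}},
            },
            {
                "Sid": "DenyUnencryptedTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def is_denied(policy, source_ip, secure_transport):
    """Teaching model of the two condition keys above: an explicit Deny always
    wins, so the first matching statement rejects the request. Returns
    (denied, statement id)."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "NotIpAddress" in cond:
            nets = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
            if not any(ip in n for n in nets):
                return True, stmt["Sid"]
        if "Bool" in cond and cond["Bool"]["aws:SecureTransport"] == "false":
            if not secure_transport:
                return True, stmt["Sid"]
    return False, None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, TRUSTED_CIDRS)
    print(json.dumps(policy, indent=2))  # the JSON to attach to the bucket
    for ip, tls in [("203.0.113.7", True), ("203.0.113.7", False), ("198.51.100.9", True)]:
        print(ip, "https" if tls else "http", is_denied(policy, ip, tls))
```

Only the HTTPS request from inside the trusted range passes both Deny statements; the HTTP request from inside and the HTTPS request from outside are each rejected by a different statement.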
Encrypting data in Amazon S3 buckets
There are a few ways to implement encryption at rest in S3. If you use AWS Key Management Service, you can use server-side encryption and allow Amazon Web Services (AWS) to manage the encryption keys. To manage your own keys, you can still use server-side encryption but supply the keys yourself and manage them in-house. The third option is to encrypt data on the client side before sending it to AWS; in this scenario, you manage all aspects of the encryption process.
Auditing is an important security process for protecting data in S3. Storage administrators can configure Amazon S3 buckets to log details of every request made to a particular bucket. They can then store the log files in a separate Amazon S3 bucket with different, more restrictive access control permissions to minimize the chance of tampering.