13 best practices before deploying AWS S3 buckets in production

AWS S3 (Simple Storage Service) is an object storage service. It is designed to provide 99.999999999% (eleven nines) durability and 99.99% availability of objects over a given year.

In the past there have been many security incidents in which S3 data was exposed to the public. Since then AWS has made a number of changes and added more security features, but most of the controls below still have to be switched on deliberately.

A list of past S3 data-exposure incidents: https://github.com/nagwww/s3-leaks

AWS S3 best security practices:

1. Bucket Policy (Implement least privilege access)

  • Use S3 bucket policies and allow only the operations that are actually required (s3:GetObject, s3:PutObject and so on) to only the principals that need them.
  • Enable Block Public Access at the account level and on every bucket; it overrides any bucket policy or ACL that would otherwise grant public access.
  • Do not use a wildcard identity such as Principal "*" (which effectively means "anyone"), and do not allow a wildcard Action "*" or "s3:*" (which effectively lets the principal perform any operation on the bucket). A wildcard Principal is only acceptable on a Deny statement or when a Condition narrows it to your VPC, organization or account.

AWS Doc → https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

** Strongly prefer IAM roles with temporary credentials (access key, secret key and session token) over IAM users with static access keys, which are the credentials that end up in leaked repositories. For on-premises workloads use IAM Roles Anywhere (recently released), which exchanges an X.509 certificate for temporary role credentials.

2. Encryption of data at rest and in transit:

  • At rest: since January 2023 S3 applies server-side encryption with S3-managed keys (SSE-S3) to every new object by default; use SSE-KMS with a customer-managed key where you need key-policy control over who can decrypt and a CloudTrail record of every key use. Use client-side encryption where the service itself must never see plaintext.
  • In transit: all S3 endpoints support HTTPS, but plain HTTP is still accepted unless you forbid it. Add a bucket policy statement that denies every action when aws:SecureTransport is false, and set an aws:TlsVersion condition if you need to exclude old TLS versions.

AWS Doc → https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
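The following is an added example that is not part of the original post: a small static audit that checks a bucket policy document for the mistakes from point 1 (an Allow to Principal "*", an Allow of "*" or "s3:*") and for the missing transport rule from point 2 (no Deny keyed on aws:SecureTransport). The weak and hardened policies it runs against are constructed for the example; the account ID, role name and bucket name in them are hypothetical placeholders.

```python
# Added example (not from the original post): a static audit of an S3 bucket
# policy for the wildcard-principal / wildcard-action mistakes from point 1 and
# the missing TLS enforcement from point 2. The account ID, role name and
# bucket name below are hypothetical placeholders.
import json
from typing import Any

BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"

# Weak policy: anonymous principal, every S3 action, no transport condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# Hardened policy: one named role, two actions, plus a Deny on plaintext HTTP.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleObjectAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},  # hypothetical
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{BUCKET_ARN}/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",  # a wildcard is fine on a Deny
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value: Any) -> list:
    """Policy JSON allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_principal(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _wildcard_action(stmt: dict) -> bool:
    return any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action")))


def _denies_plaintext(stmt: dict) -> bool:
    """True for a Deny keyed on aws:SecureTransport == false (forces TLS)."""
    if stmt.get("Effect") != "Deny":
        return False
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(flag).lower() == "false"


def audit_bucket_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    statements = _as_list(policy.get("Statement"))
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements may legitimately use "*"
        sid = stmt.get("Sid", "<no Sid>")
        if _wildcard_principal(stmt):
            note = " (narrowed by a Condition, review it)" if "Condition" in stmt else ""
            findings.append(f"{sid}: Allow to Principal '*' means anyone{note}")
        if _wildcard_action(stmt):
            findings.append(f"{sid}: Allow grants every S3 action")
    if not any(_denies_plaintext(s) for s in statements):
        findings.append("policy: no Deny for aws:SecureTransport=false, plaintext HTTP is accepted")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_bucket_policy(policy), indent=2))
```

Run it against the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` (the policy comes back as a JSON string, so parse it first). Note that the audit only looks at the bucket policy; IAM policies, ACLs and the account's Block Public Access setting decide the final answer, which is why IAM Access Analyzer (point 13) is still worth running.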

3. MFA Delete and S3 Object Lock:

  • For critical buckets such as CloudTrail and Config log archives, enable MFA Delete so that permanently deleting an object version or changing the bucket's versioning state requires an MFA code. This protects against accidental deletion and against a single leaked credential. MFA Delete requires versioning, and it can only be turned on by the account's root user through the API or CLI, not through the console.
  • Where the requirement is that nobody, root included, can delete or overwrite a log for a retention period, use S3 Object Lock in compliance mode (write-once-read-many). Governance mode allows users with a specific permission to bypass the lock and is the weaker of the two.

AWS Doc → https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html

** In general, it is recommended to enable AWS Control Tower and forward all critical logs to a locked-down log archive account that workload accounts cannot write to except through the delivery service.

4. S3 Lifecycle Policies:

  • Bucket lifecycle rules expire objects (and non-current versions) that are no longer needed, and can abort incomplete multipart uploads. Less retained data means less for an attacker to read and less for you to protect.

AWS Doc → https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html

5. S3 Object logging:

  • Enable logging on critical buckets so that every object-level request can be reviewed and anomalies investigated. Two sources exist: S3 server access logs (one line per request, delivered best-effort to a separate log bucket) and CloudTrail data events for S3 (per-API-call records that GuardDuty, EventBridge and Athena queries can consume). Never deliver a bucket's logs into the bucket itself.

AWS Doc → https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html
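As an added example (not code from the original post), here is the kind of review one would run over S3 server access logs for a critical bucket: a parser for the log line format and three detections, namely a successful anonymous request, a caller outside the networks that are supposed to reach the bucket, and repeated AccessDenied responses from one address (someone guessing key names). Every log line is constructed for this example in the real field layout; the bucket, the IP addresses (RFC 5737 documentation ranges), the role ARN and the request IDs are placeholders.

```python
# Added example (not from the original post): parse S3 server access log lines
# and flag the things a reviewer of a critical bucket's logs looks for first.
# Every log line below is constructed for this example; the bucket, IPs
# (RFC 5737 ranges), role ARN and request IDs are placeholders.
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from itertools import count

# Leading fields of the S3 server access log format, in order. Newer lines
# carry extra trailing fields (access point ARN, aclRequired) that we ignore.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referer",
    "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
]

# A token is a [bracketed timestamp], a "quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def _unwrap(token: str) -> str:
    if len(token) >= 2 and token[0] + token[-1] in ('""', "[]"):
        return token[1:-1]
    return token


def parse_line(line: str) -> dict:
    """Map one access-log line onto FIELDS (extra trailing fields are dropped)."""
    tokens = [_unwrap(t) for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"short log line ({len(tokens)} fields)")
    return dict(zip(FIELDS, tokens))


_ids = count(1)
_OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"  # placeholder canonical ID
_BUCKET = "DOC-EXAMPLE-BUCKET"


def _constructed_line(ip, requester, op, key, status, error, auth="AuthHeader"):
    """Build one constructed log line in the real field layout."""
    return (
        f"{_OWNER} {_BUCKET} [06/Feb/2023:00:00:38 +0000] {ip} {requester} "
        f"REQ{next(_ids):06d}EXAMPLE {op} {key} \"GET /{_BUCKET}/{key} HTTP/1.1\" "
        f"{status} {error} 113 1024 7 5 \"-\" \"aws-sdk-go/1.44.0\" - hostidEXAMPLE= "
        f"SigV4 ECDHE-RSA-AES128-GCM-SHA256 {auth} {_BUCKET}.s3.us-east-1.amazonaws.com TLSV1.2"
    )


ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123"  # hypothetical
SAMPLE_LOG = [  # constructed sample input
    _constructed_line("10.0.1.25", ROLE, "REST.GET.OBJECT", "app/config.json", 200, "-"),
    _constructed_line("198.51.100.7", "-", "REST.GET.OBJECT", "backups/db.sql", 200, "-", auth="-"),
    _constructed_line("203.0.113.9", ROLE, "REST.GET.OBJECT", "secrets/a", 403, "AccessDenied"),
    _constructed_line("203.0.113.9", ROLE, "REST.GET.OBJECT", "secrets/b", 403, "AccessDenied"),
    _constructed_line("203.0.113.9", ROLE, "REST.GET.OBJECT", "secrets/c", 403, "AccessDenied"),
]


def detect_anomalies(lines, allowed_cidrs=("10.0.0.0/8",), denied_threshold=3) -> list[str]:
    """Flag successful anonymous access, callers outside the expected networks,
    and repeated AccessDenied responses from one IP (key enumeration)."""
    nets = [ip_network(c) for c in allowed_cidrs]
    findings, denied = [], Counter()
    for rec in (parse_line(l) for l in lines if l.strip()):
        ip = rec["remote_ip"]
        if rec["requester"] == "-" and rec["http_status"].startswith("2"):
            findings.append(f"{rec['request_id']}: anonymous {rec['operation']} on {rec['key']} succeeded from {ip}")
        if not any(ip_address(ip) in net for net in nets):
            findings.append(f"{rec['request_id']}: {rec['operation']} from {ip} outside allowed ranges")
        if rec["http_status"] == "403":
            denied[ip] += 1
    for ip, n in denied.items():
        if n >= denied_threshold:
            findings.append(f"{ip}: {n} AccessDenied responses, possible key enumeration")
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_LOG):
        print(finding)
```

The allowed CIDR list and the AccessDenied threshold are the two knobs to tune per bucket; for a bucket that is only reached through a VPC gateway endpoint the allowed ranges are your VPC CIDRs, and any hit outside them is worth a ticket on its own. Server access logs are delivered on a best-effort basis with a delay, so treat this as review tooling and rely on GuardDuty (point 9) for near-real-time alerting.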

6. Versioning (keeping multiple variants of an object in the same bucket):

  • A versioning-enabled bucket lets you recover objects from accidental deletion or overwrite. If you delete an object, Amazon S3 inserts a delete marker instead of removing the object permanently, and the delete marker becomes the current version; if you overwrite an object, the overwrite becomes a new version and the previous one remains restorable. Versioning alone does not stop a principal that holds s3:DeleteObjectVersion from permanently deleting versions, so pair it with MFA Delete or Object Lock on critical buckets, and with a lifecycle rule that expires non-current versions so the bucket does not grow without bound. For details, see the AWS documentation on deleting object versions from a versioning-enabled bucket.

AWS Doc → https://docs.aws.amazon.com/AmazonS3/latest/userguide/versioning-workflows.html

7. S3 Monitoring:

  • Monitor bucket metrics in CloudWatch (the daily storage metrics BucketSizeBytes and NumberOfObjects, and, with request metrics enabled, request counts and 4xxErrors/5xxErrors) and alarm on unexpected changes: a sudden drop in object count or a spike in 4xx errors is often the first visible sign of deletion or enumeration.

Doc → https://docs.aws.amazon.com/AmazonS3/latest/userguide/monitoring-overview.html

8. S3 Pre-signed URLs:

  • S3 objects are private by default; only the object owner has permission to access them. The owner can optionally share an object by creating a presigned URL with their own security credentials, which grants time-limited permission to download (or upload) that object. The URL carries the permissions of whoever signed it, so sign from a role that can reach only the objects you intend to share; it also stops working when the signing credentials expire, and Signature Version 4 caps the lifetime at seven days (604800 seconds). Anyone who obtains the URL can use it until then, so treat it like a bearer token.

CLI : https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/presign.html

Example: create a pre-signed URL with a custom lifetime for an object in an S3 bucket.

The following presign command generates a pre-signed URL for the given bucket and key that is valid for one week, the maximum allowed.

aws s3 presign s3://DOC-EXAMPLE-BUCKET/test2.txt \
    --expires-in 604800



9. Enable GuardDuty S3 Protection:

  • GuardDuty S3 Protection analyzes S3 data events (object-level API operations, which GuardDuty obtains on its own, so you do not have to enable CloudTrail data events for it) and raises findings for access that looks malicious: calls from known-bad or anonymizing IP addresses, unusual volumes of reads or deletes for a credential, a bucket suddenly being made public, and similar patterns. Enable it in every account and Region, ideally from the delegated administrator account.

AWS Doc → https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html

10. S3 Macie (Sensitive data discovery and protection at scale):

  • Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data, to give you a better understanding of what your organization stores in Amazon Simple Storage Service (Amazon S3). Run it against the buckets that are supposed to hold no sensitive data as well; those are where misplaced exports and debug dumps end up.

AWS Doc → https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html

11. S3 Gateway Endpoint:

  • Gateway endpoints give resources in a VPC a path to Amazon S3 that does not require an internet gateway or a NAT device. Gateway endpoints do not use AWS PrivateLink; Amazon S3 supports both gateway endpoints and interface (PrivateLink) endpoints.
  • When you create a gateway endpoint, you select the route tables for the subnets that should use it. A route whose destination is the AWS-managed prefix list for S3 and whose target is the gateway endpoint is added to each selected route table automatically.
  • Pair the endpoint with a bucket policy that denies requests whose aws:SourceVpce (or aws:SourceVpc) does not match, so the bucket only accepts traffic that arrives through your VPC, and with an endpoint policy that limits which buckets the VPC can reach. Leave an explicit exception for the roles and services that must reach the bucket from elsewhere, or the Deny will lock them out too.

AWS Doc → https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

12. Monitor S3 buckets policy alterations:

  • For critical buckets with sensitive data, monitor changes to bucket properties and alert on them. Example: an EventBridge (formerly CloudWatch Events) rule on the CloudTrail management events PutBucketPolicy, DeleteBucketPolicy, PutBucketAcl and PutBucketPublicAccessBlock can notify via SNS whenever a bucket's policy or public-access settings change. You can accomplish the same with your CSPM tool or centralized SIEM, and AWS Config managed rules such as s3-bucket-public-read-prohibited give you a continuous compliance view on top of the alerts.

Doc (example) → https://asecure.cloud/a/detect-s3-bucket-policy-changes/
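The rule described above, as an added example that is not part of the original post: the EventBridge event pattern for bucket-policy, ACL, public-access-block and encryption changes delivered via CloudTrail, a small matcher implementing EventBridge's exact-match semantics (the prefix and anything-but operators are not implemented), and a Lambda-style handler that turns a matching event into the alert text you would publish to SNS. The sample events, the account ID, the role and the bucket name are constructed placeholders.

```python
# Added example (not from the original post): the EventBridge rule pattern for
# bucket-policy and public-access changes arriving via CloudTrail, a matcher
# with exact-match semantics only (EventBridge's prefix/anything-but operators
# are not implemented), and a Lambda-style handler that renders the alert text.
# The sample events, account ID, role and bucket are constructed placeholders.

# The same JSON you would put in an EventBridge rule's event pattern.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": [
            "PutBucketPolicy", "DeleteBucketPolicy",
            "PutBucketAcl",
            "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
            "PutBucketEncryption", "DeleteBucketEncryption",
        ],
    },
}


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge-style matching: every pattern key must exist in the event,
    nested dicts recurse, and a leaf list matches if the event value is in it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def summarize(event: dict) -> str:
    """One-line alert: which API call, on which bucket, by whom, from where."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    actor = identity.get("arn") or identity.get("type", "unknown")
    bucket = detail.get("requestParameters", {}).get("bucketName", "?")
    return (f"{detail['eventName']} on s3://{bucket} by {actor} "
            f"from {detail.get('sourceIPAddress', '?')} at {detail.get('eventTime', '?')}")


def handler(event: dict, context=None):
    """Lambda entry point: returns the alert text, or None for an event the rule
    would not have forwarded (the return value is what an SNS publish would carry)."""
    if not matches(EVENT_PATTERN, event):
        return None
    return summarize(event)


def _cloudtrail_event(name: str, source: str = "aws.s3") -> dict:
    """Constructed EventBridge envelope around a CloudTrail record."""
    return {
        "version": "0",
        "source": source,
        "detail-type": "AWS API Call via CloudTrail",
        "account": "111122223333",
        "region": "us-east-1",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": name,
            "eventTime": "2023-02-06T00:00:38Z",
            "sourceIPAddress": "203.0.113.9",
            "userIdentity": {
                "type": "AssumedRole",
                "arn": "arn:aws:sts::111122223333:assumed-role/admin-role/alice",
            },
            "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET"},
        },
    }


POLICY_CHANGE = _cloudtrail_event("PutBucketPolicy")
POLICY_READ = _cloudtrail_event("GetBucketPolicy")  # read-only, must not alert

if __name__ == "__main__":
    print(handler(POLICY_CHANGE))
    print(handler(POLICY_READ))
```

In production the pattern goes into the rule and the handler into a Lambda target (or you skip the Lambda and point the rule at SNS directly with an input transformer); the local matcher is useful for unit-testing the pattern against recorded CloudTrail events before deploying it. Bucket policy changes are management events, so a trail that logs management events in the Region is all EventBridge needs to receive them.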

13. Other tips:

  • Use IAM Access Analyzer for S3 to find buckets that are reachable from outside your account or organization through a bucket policy, ACL or access point, and review every finding before granting any public or cross-account access. Combine it with the account-level Block Public Access setting so that accidental exposure is blocked rather than merely reported.
