Amazon S3 Security Overview

User-Based Security

• IAM Policies: Define what S3 API calls an IAM user is allowed to make.

Resource-Based Security

• S3 Bucket Policies: Bucket-wide rules set from the S3 console to control access.
• Cross-Account Access: Allows users from another AWS account to access your S3 buckets.
• Public Access: S3 buckets can be made publicly accessible using bucket policies.

Access Control Lists (ACLs)

• Object ACLs: Fine-grained security at the object level, can be disabled.
• Bucket ACLs: Less common, controls access at the bucket level, can be disabled.
• Bucket Policies: The most common method for securing S3 buckets.

Access Permissions

• An IAM principal can access an S3 object if:
  • IAM permissions allow it.
  • Resource policies allow it.
  • There is no explicit deny in the action.

Encryption

• Secure S3 objects by encrypting them with encryption keys.

S3 Bucket Policy Structure

• JSON Document: Defines policies.
  • Resource: Specifies the buckets and objects the policy applies to.
  • Effect: Determines whether to Allow or Deny actions.
  • Action: Specifies the set of APIs allowed or denied.
  • Principal: Represents the account or user the policy applies to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Sid": "AllowSpecificGroupRead",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/DataProcessingRole"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-secure-bucket/*" 
    },
    {
        "Sid": "DenyPublicWrites",
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "arn:aws:s3:::my-secure-bucket/*",
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "false"
            }
        }
    }
  ]
}

Public Access Bucket Policy Example

• Allows website visitors to access files in an S3 bucket.