Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What's the best way to secure Amazon S3 buckets?

Our enterprise stores different types of data, including video and graphics, in Amazon S3. What options are available to secure Amazon S3 buckets and encrypt our data?

Amazon S3 buckets and objects are accessible from the Internet. The AWS security controls used to protect other...

resources, such as security groups and network access control lists, do not protect data in S3. But here are several ways to protect the confidentiality, integrity and availability of data in S3.

By default, objects created in Amazon Simple Storage Service (S3) are only accessible to the person who created them. Owners can grant access to others in both coarse-grained and fine-grained ways. An owner, for example, could make a data set publicly available so anyone with the URL to the object can access it.

Alternatively, owners can use S3 policies and Identity and Access Management users and groups to allow access to a limited set of users. S3 policies can also restrict operations based on network connection properties. If you want only users on your corporate network to access objects in S3, specify that all connections come from a range of trusted IP addresses. Attempts to access objects from other addresses would be denied.

If you want to ensure data that has been downloaded from S3 is encrypted, deny access to any connection that is not SSL encrypted.

Encrypting data in Amazon S3 buckets

There are a few ways to implement encryption at rest in S3. If you use AWS Key Management Service, you can use server-side encryption and allow Amazon Web Services (AWS) to manage the encryption keys. To manage your own keys, you'll need to use server-side encryption keys and manage them in-house. The third option is to encrypt data before sending it to AWS. In this scenario, you manage all aspects of the encryption process.

Auditing is an important security process for protecting data in S3. Storage administrators can configure Amazon S3 buckets to log details of all requests that are made to a particular bucket. They can then store the log files in other Amazon S3 buckets with different access control permissions to minimize the chance of tampering.

Next Steps

Manage AWS security controls

AWS wins trust of enterprises with security features

AWS Key Management Service encrypts cloud data

This was last published in November 2015

PRO+

Content

Find more PRO+ content and other member only offers, here.

Essential Guide

An admin's guide to AWS data management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your enterprise secure data in Amazon S3 buckets?
Cancel

-ADS BY GOOGLE

SearchCloudApplications

TheServerSide

SearchSoftwareQuality

SearchCloudComputing

Close