Do you or your company use Amazon Web Services (AWS) S3 to store data used by your applications? Then you’re going to want to make sure you secure and control access to that data, so that it’s not accessible to attackers! In this series of articles, I explain how to secure your AWS S3 resources.
Check out our related YouTube video: Controlling Access To S3
Setting Default Accessibility Options For Entire Account
The very first thing you’ll want to do is make the data accessible to only the people and processes that NEED access to it. In the majority of cases, this means making it inaccessible to everyone on the internet. You’ve probably seen stories of data in S3 being exposed to the whole internet due to faulty permissions (or no restrictions at all).
There may be reasons why you want an S3 bucket to be publicly accessible, such as when hosting a static website. So you need to verify which buckets should be kept openly accessible and which can be marked private. Marking a bucket as publicly inaccessible can break applications that depend on that public access. Be sure to note which ones are which before proceeding to the next step, which locks down all buckets in the account.
The first thing to do is set the account settings to block internet access to your S3 buckets by default. To do that, visit Block public access (account settings), and if Block all public access is set to Off, click Edit, select all checkboxes, and then click Save Changes. This will make all current buckets private and make the default for future buckets private as well; the account-level setting takes precedence over any bucket-level setting, so a bucket that must stay public (such as a static website) will stop serving anonymous requests. This is a great default option if a majority of buckets in your account will be publicly inaccessible. If you have more buckets needing public access than not, the next section will be a better option.
Setting Accessibility Options When Creating a Bucket
When first creating a new AWS S3 bucket, on the Set Permissions screen during the setup configuration, you want to make sure to select the Block all public access option to disable all public access to objects in that S3 bucket. A screenshot of what this looks like is as follows:
This will block all public access to the S3 bucket by default; only principals in the account that created it can still reach it. This means no services, applications, etc. that need data from this bucket can read it now without being granted permission through an AWS IAM policy or by utilizing AWS IAM roles.
Setting Accessibility Options For Specific Buckets
If you have already created S3 buckets that you need to secure, you can update the settings on the existing buckets. First, visit the list of S3 buckets you have created by opening the AWS S3 Console and selecting the bucket to update. Once the selected bucket is opened, visit the Permissions tab as shown in the screenshot below. Then click on Block Public Access. Now, click on the Edit button on the right-hand side of the screen.
Make sure Block all public access is checked and click Save on the right side of your screen.
This sets your S3 bucket to be inaccessible from any process, application, or user that does not have explicit permissions. This could have broken some applications or processes that were able to see those resources before. DON’T FRET! All you need to do now is set up an IAM policy specifying the exact actions and resources you wish to allow access to. Then attach it to an AWS IAM Role, and grant each process and application access using that role. Check out Assume an IAM Role via AWS CLI for how to do this via the CLI. Another good read is Creating a Role to Delegate Permissions to an IAM User.
You can also create an IAM policy for specific IAM users. Do this by creating an IAM Group, attaching the IAM policy to it, and adding the specified users to that group.
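The steps above (check the Block Public Access settings on every bucket, lock down the ones that should be private, then grant the application a least-privilege policy through a role) can also be driven from code. The following is an added example written for this post, not the original author's code; it assumes boto3 is installed for the live calls, while the audit and policy helpers are pure Python and run offline against a stub client. The bucket names and the allow list are constructed sample values.

```python
"""Audit and lock S3 Block Public Access settings, and build a read-only policy."""

# The four settings behind the console's "Block all public access" checkbox.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def is_fully_blocked(config):
    """True only when every one of the four settings is enabled."""
    return all(config.get(key) is True for key in BLOCK_ALL)


def audit_buckets(s3, allowed_public=()):
    """Return names of buckets that are not fully blocked and not on the allow list.

    `s3` is any object exposing the boto3 S3 client's list_buckets and
    get_public_access_block methods, so a stub can be passed when testing.
    """
    open_buckets = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            cfg = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except Exception as exc:
            # boto3 raises a ClientError with this code when no block is configured at all.
            code = getattr(exc, "response", {}).get("Error", {}).get("Code", str(exc))
            if "NoSuchPublicAccessBlockConfiguration" not in code:
                raise
            cfg = {}  # nothing configured: treat as open
        if name not in allowed_public and not is_fully_blocked(cfg):
            open_buckets.append(name)
    return open_buckets


def lock_bucket(s3, name):
    """Apply all four block settings to one bucket (same as ticking the checkbox)."""
    s3.put_public_access_block(Bucket=name, PublicAccessBlockConfiguration=BLOCK_ALL)


def read_only_policy(bucket):
    """Least-privilege policy for a role that only needs to read one bucket's objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


if __name__ == "__main__":
    import boto3  # assumption: boto3 is available and credentials are configured
    client = boto3.client("s3")
    print("buckets still open:", audit_buckets(client, allowed_public={"my-static-site"}))
```

Run the audit first and review the list against the buckets you noted as intentionally public before calling lock_bucket on the rest.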
Conclusion
You should now be able to manage access to your S3 buckets to only allow access to authorized users and processes. Part 2 of this blog series goes over different encryption options for your S3 resources to keep your data confidential. So go check that out as well!