Amazon S3 Security Flashcards
(13 cards)
SSE-S3 encryption
Server side encryption using keys handled, managed and owned by AWS. Enabled by default
SSE-KMS encryption
Encryption using keys handled and managed by AWS Key Management Service, allows for user control and audit key usage using CloudTrail (but may be impacted by KMS limits)
SSE-C encryption
Server Side Encryption using keys fully managed by the customer outside of AWS, amazon S3 does not store the encryption key you provide
Client Side Encryption
Use client libraries eg. Amazon S3 Client-Side Encryption library, clients must encrypt/decrypt data themselves before sending/receiving to and from Amazon S3
Why is HTTPS recommended for Amazon S3?
Data is encrypted in flight between you and target server
How can you force encryption on S3 objects?
Use bucket policy and refuse any API call to PUT an s3 object without encryption headers
Are bucket policies evaluated before or after s3 default encryption?
Before
What doe we need to enable if a client makes a cross-origin request on our S3 bucket?
Need to enable the correct CORS headers, you can allow for a specific origin or for * (all origins)
MFA delete
Extra protection where MFA will be required to permanently delete an object version or suspend versioning (enabled by root user)
S3 access logs
Any request made to S3 can be logged into another S3 bucket that must be in same AWS region
Pre-signed URLs
Users given a presigned URL inherit the permissions of the user that generated the URL for GET / PUT, eg give temporary access to one file for 5 mins
S3 access points
Allows you to create unique access control policies for different applications or teams using custom hostnames, without needing to manage policies directly on the bucket
S3 Object Lambda
Use Lambda functions to change object before it is retrieved by caller application eg. redact PII for analytics
