Security best practices for Amazon S3 - Amazon Simple Storage Service
<!DOCTYPE html> <html xmlns="" lang="en-US"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Security best practices for Amazon S3 - Amazon Simple Storage Service</title><meta name="viewport" content="width=device-width,initial-scale=1" /><meta name="assets_root" content="/assets" /><meta name="target_state" content="security-best-practices" /><meta name="default_state" content="security-best-practices" /><link rel="icon" type="image/ico" href="/assets/images/favicon.ico" /><link rel="shortcut icon" type="image/ico" href="/assets/images/favicon.ico" /><link rel="canonical" href="" /><meta name="description" content="Learn about guidelines and best practices for addressing security issues in Amazon S3." /><meta name="deployment_region" content="IAD" /><meta name="product" content="Amazon Simple Storage Service" /><meta name="guide" content="User Guide" /><meta name="abstract" content="Learn how to use Amazon Simple Storage Service (Amazon S3) to store and retrieve any amount of data from anywhere. This guide explains Amazon S3 concepts, such as buckets, objects, and related configurations, and includes code examples for common operations." 
/><meta name="guide-locale" content="en_us" /><meta name="tocs" content="toc-contents.json" /><link rel="canonical" href="" /><link rel="alternative" href="" hreflang="id-id" /><link rel="alternative" href="" hreflang="id" /><link rel="alternative" href="" hreflang="de-de" /><link rel="alternative" href="" hreflang="de" /><link rel="alternative" href="" hreflang="en-us" /><link rel="alternative" href="" hreflang="en" /><link rel="alternative" href="" hreflang="es-es" /><link rel="alternative" href="" hreflang="es" /><link rel="alternative" href="" hreflang="fr-fr" /><link rel="alternative" href="" hreflang="fr" /><link rel="alternative" href="" hreflang="it-it" /><link rel="alternative" href="" hreflang="it" /><link rel="alternative" href="" hreflang="ja-jp" /><link rel="alternative" href="" hreflang="ja" /><link rel="alternative" href="" hreflang="ko-kr" /><link rel="alternative" href="" hreflang="ko" /><link rel="alternative" href="" hreflang="pt-br" /><link rel="alternative" href="" hreflang="pt" /><link rel="alternative" href="" hreflang="zh-cn" /><link rel="alternative" href="" hreflang="zh-tw" /><link rel="alternative" href="" hreflang="x-default" /><meta name="feedback-item" content="S3" /><meta name="this_doc_product" content="Amazon Simple Storage Service" /><meta name="this_doc_guide" content="User Guide" /><script defer="" src="/assets/r/vendor4.js?version=2021.12.02"></script><script defer="" src="/assets/r/vendor3.js?version=2021.12.02"></script><script defer="" src="/assets/r/vendor1.js?version=2021.12.02"></script><script defer="" src="/assets/r/awsdocs-common.js?version=2021.12.02"></script><script defer="" src="/assets/r/awsdocs-doc-page.js?version=2021.12.02"></script><link href="/assets/r/vendor4.css?version=2021.12.02" rel="stylesheet" /><link href="/assets/r/awsdocs-common.css?version=2021.12.02" rel="stylesheet" /><link href="/assets/r/awsdocs-doc-page.css?version=2021.12.02" rel="stylesheet" /><script async="" id="awsc-panorama-bundle" 
type="text/javascript" src="" data-config="{'appEntity':'aws-documentation','region':'us-east-1','service':'s3'}"></script><meta id="panorama-serviceSubSection" value="User Guide" /><meta id="panorama-serviceConsolePage" value="Security best practices for Amazon S3" /></head><body class="awsdocs awsui"><div class="awsdocs-container"><awsdocs-header></awsdocs-header><awsui-app-layout id="app-layout" class="awsui-util-no-gutters" ng-controller="ContentController as $ctrl" header-selector="awsdocs-header" navigation-hide="false" navigation-width="$ctrl.navWidth" navigation-open="$ctrl.navOpen" navigation-change="$ctrl.onNavChange($event)" tools-hide="$ctrl.hideTools" tools-width="$ctrl.toolsWidth" tools-open="$ctrl.toolsOpen" tools-change="$ctrl.onToolsChange($event)"><div id="guide-toc" dom-region="navigation"><awsdocs-toc></awsdocs-toc></div><div id="main-column" dom-region="content" tabindex="-1"><awsdocs-view class="awsdocs-view"><div id="awsdocs-content"><head><title>Security best practices for Amazon S3 - Amazon Simple Storage Service</title><meta name="pdf" content="/pdfs/AmazonS3/latest/userguide/s3-userguide.pdf#security-best-practices" /><meta name="rss" content="s3-userguide-rss-updates.rss" /><meta name="forums" content="" /><meta name="feedback" content="" /><meta name="feedback-yes" content="feedbackyes.html?topic_url=" /><meta name="feedback-no" content="feedbackno.html?topic_url=" /><meta name="keywords" content="S3,Amazon S3,S3 User Guide,Amazon S3 User Guide,Amazon User Guide,s3 bucket,s3 object,cloud storage,data storage,cloud security,AWS Amazon S3 security,Amazon S3 ownership and compliance,securing your S3 data,guidelines to secure your S3 data" /><script type="application/ld+json"> { "@context" : "", "@type" : "BreadcrumbList", "itemListElement" : [ { "@type" : "ListItem", "position" : 1, "name" : "AWS", "item" : "" }, { "@type" : "ListItem", "position" : 2, "name" : "Amazon Simple Storage Service (S3)", "item" : "" }, { "@type" : "ListItem", 
"position" : 3, "name" : "User Guide", "item" : "" }, { "@type" : "ListItem", "position" : 4, "name" : "Security in Amazon S3", "item" : "" }, { "@type" : "ListItem", "position" : 5, "name" : "Security best practices for Amazon S3", "item" : "" } ] } </script></head><body><div id="main"><div style="display: none"><a href="/pdfs/AmazonS3/latest/userguide/s3-userguide.pdf#security-best-practices" target="_blank" rel="noopener noreferrer" title="Open PDF"></a></div><div id="breadcrumbs" class="breadcrumb"><a href="/index.html">Documentation</a><a href="/s3/index.html">Amazon Simple Storage Service (S3)</a><a href="Welcome.html">User Guide</a></div><div id="page-toc-src"><a href="#security-best-practices-prevent">Amazon S3 security best practices</a><a href="#security-best-practices-detect">Amazon S3 monitoring and auditing best practices</a><a href="#monitoring-data-security">Monitoring data security</a></div><div id="main-content" class="awsui-util-container"><div id="main-col-body"><awsdocs-language-banner data-service="$ctrl.pageService"></awsdocs-language-banner><h1 class="topictitle" id="security-best-practices">Security best practices for Amazon S3</h1><div class="awsdocs-page-header-container"><awsdocs-page-header></awsdocs-page-header><awsdocs-filter-selector id="awsdocs-filter-selector"></awsdocs-filter-selector></div><p>Amazon S3 provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don't represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful recommendations rather than prescriptions. 
</p><div class="highlights" id="inline-topiclist"><h6>Topics</h6><ul><li><a href="#security-best-practices-prevent">Amazon S3 security best practices</a></li><li><a href="#security-best-practices-detect">Amazon S3 monitoring and auditing best practices</a></li><li><a href="#monitoring-data-security">Monitoring data security with managed AWS security services</a></li></ul></div> <h2 id="security-best-practices-prevent">Amazon S3 security best practices</h2> <p>The following best practices for Amazon S3 can help prevent security incidents.</p> <div class="variablelist"> <dl> <dt><b><span class="term"><div id="disable-acls" xreflabel="Disable access control lists (ACLs)"></div>Disable access control lists (ACLs)</span></b></dt> <dd> <p>S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to control ownership of objects uploaded to your bucket and to disable or enable ACLs. By default, Object Ownership is set to the Bucket owner enforced setting and all ACLs are disabled. When ACLs are disabled, the bucket owner owns all the objects in the bucket and manages access to data exclusively using access management policies. </p> <p>A majority of modern use cases in Amazon S3 no longer require the use of <a href="./acl-overview.html">access control lists (ACLs)</a>. We recommend that you disable ACLs, except in unusual circumstances where you must control access for each object individually. To disable ACLs and take ownership of every object in your bucket, apply the bucket owner enforced setting for S3 Object Ownership. When you disable ACLs, you can easily maintain a bucket with objects uploaded by different AWS accounts. 
</p> <p>When ACLs are disabled, access control for your data is based on policies, such as the following: </p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>AWS Identity and Access Management (IAM) user policies</p> </li><li class="listitem"> <p>S3 bucket policies</p> </li><li class="listitem"> <p>Virtual private cloud (VPC) endpoint policies</p> </li><li class="listitem"> <p>AWS Organizations service control policies (SCPs)</p> </li><li class="listitem"> <p>AWS Organizations resource control policies (RCPs)</p> </li></ul></div> <p></p> <p>Disabling ACLs simplifies permissions management and auditing. ACLs are disabled for new buckets by default. You can also disable ACLs for existing buckets. If you have an existing bucket that already has objects in it, after you disable ACLs, the object and bucket ACLs are no longer part of the access-evaluation process. Instead, access is granted or denied on the basis of policies. </p> <p>Before you disable ACLs, make sure that you do the following: </p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>Review your bucket policy to ensure that it covers all the ways that you intend to grant access to your bucket outside of your account.</p> </li><li class="listitem"> <p>Reset your bucket ACL to the default (full control to the bucket owner).</p> </li></ul></div> <p></p> <p>After you disable ACLs, the following behaviors occur: </p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>Your bucket accepts only <code class="code">PUT</code> requests that do not specify an ACL or <code class="code">PUT</code> requests with bucket owner full control ACLs. These ACLs include the <code class="code">bucket-owner-full-control</code> canned ACL or equivalent forms of this ACL that are expressed in XML.</p> </li><li class="listitem"> <p>Existing applications that support bucket owner full control ACLs see no impact. 
</p> </li><li class="listitem"> <p><code class="code">PUT</code> requests that contain other ACLs (for example, custom grants to certain AWS accounts) fail and return an HTTP status code <code class="code">400 (Bad Request)</code> with the error code <code class="code">AccessControlListNotSupported</code>.</p> </li></ul></div> <p> </p> <p>For more information, see <a href="./about-object-ownership.html">Controlling ownership of objects and disabling ACLs for your bucket</a>.</p> </dd> <dt><b><span class="term"><div id="public" xreflabel="Ensure Amazon S3 buckets are not publicly accessible"></div>Ensure that your Amazon S3 buckets use the correct policies and are not publicly accessible</span></b></dt> <dd> <p>Unless you explicitly require anyone on the internet to be able to read or write to your S3 bucket, make sure that your S3 bucket is not public. The following are some of the steps that you can take to block public access:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>Use S3 Block Public Access. With S3 Block Public Access, you can easily set up centralized controls to limit public access to your Amazon S3 resources. These centralized controls are enforced regardless of how the resources are created. For more information, see <a href="./access-control-block-public-access.html">Blocking public access to your Amazon S3 storage</a>.</p> </li><li class="listitem"> <p>Identify Amazon S3 bucket policies that allow a wildcard identity such as <code class="code">"Principal": "*"</code> (which effectively means "anyone"). Also look for policies that allow a wildcard action <code class="code">"*"</code> (which effectively allows the user to perform any action in the Amazon S3 bucket).</p> </li><li class="listitem"> <p>Similarly, look for Amazon S3 bucket access control lists (ACLs) that provide read, write, or full-access to "Everyone" or "Any authenticated AWS user." 
</p> </li><li class="listitem"> <p>Use the <code class="code">ListBuckets</code> API operation to scan all of your Amazon S3 buckets. Then use <code class="code">GetBucketAcl</code>, <code class="code">GetBucketWebsite</code>, and <code class="code">GetBucketPolicy</code> to determine whether each bucket has compliant access controls and a compliant configuration.</p> </li><li class="listitem"> <p>Use <a href="">AWS Trusted Advisor</a> to inspect your Amazon S3 implementation.</p> </li><li class="listitem"> <p>Consider implementing ongoing detective controls by using the <a href="">s3-bucket-public-read-prohibited</a> and <a href="">s3-bucket-public-write-prohibited</a> managed AWS Config Rules.</p> </li></ul></div> <p>For more information, see <a href="./security-iam.html">Identity and Access Management for Amazon S3</a>. </p> </dd> <dt><b><span class="term"><div id="least" xreflabel="Implement least privilege access"></div>Implement least privilege access</span></b></dt> <dd> <p>When granting permissions, you decide who is getting what permissions to which Amazon S3 resources. You enable specific actions that you want to allow on those resources. Therefore, we recommend that you grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent. 
</p> <p>The following tools are available to implement least privilege access:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p><a href="./security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-actions">Policy actions for Amazon S3</a> and <a href="">Permissions Boundaries for IAM Entities</a></p> </li><li class="listitem"> <p><a href="./security_iam_service-with-iam.html">How Amazon S3 works with IAM</a></p> </li><li class="listitem"> <p><a href="./acl-overview.html">Access control list (ACL) overview</a></p> </li></ul></div> <p>For guidance on what to consider when choosing one or more of the preceding mechanisms, see <a href="./security-iam.html">Identity and Access Management for Amazon S3</a>.</p> </dd> <dt><b><span class="term"><div id="roles" xreflabel="Use IAM roles"></div>Use IAM roles for applications and AWS services that require Amazon S3 access</span></b></dt> <dd> <p>In order for applications running on Amazon EC2 or other AWS services to access Amazon S3 resources, they must include valid AWS credentials in their AWS API requests. We recommend not storing AWS credentials directly in the application or Amazon EC2 instance. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised.</p> <p>Instead, use an IAM role to manage temporary credentials for applications or services that need to access Amazon S3. When you use a role, you don't have to distribute long-term credentials (such as a username and password or access keys) to an Amazon EC2 instance or AWS service, such as AWS Lambda. 
The role supplies temporary permissions that applications can use when they make calls to other AWS resources.</p> <p>For more information, see the following topics in the <em>IAM User Guide</em>:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p><a href="">IAM Roles</a></p> </li><li class="listitem"> <p><a href="">Common Scenarios for Roles: Users, Applications, and Services</a></p> <p></p> </li></ul></div> </dd> <dt><b><span class="term"><div id="server-side" xreflabel="Implement server-side encryption"></div>Consider encryption of data at rest</span></b></dt> <dd> <p>You have the following options for protecting data at rest in Amazon S3:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p><b>Server-side encryption</b> – All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 <code class="code">PUT</code> requests, or you can set the default encryption configuration in the destination bucket. 
</p> <p>Amazon S3 also provides these server-side encryption options:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) </p> </li><li class="listitem"> <p>Dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS)</p> </li><li class="listitem"> <p>Server-side encryption with customer-provided keys (SSE-C)</p> </li></ul></div> <p>For more information, see <a href="./serv-side-encryption.html">Protecting data with server-side encryption</a>.</p> </li><li class="listitem"> <p><b>Client-side encryption</b> – Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. As with server-side encryption, client-side encryption can help reduce risk by encrypting the data with a key that is stored in a different mechanism than the mechanism that stores the data itself. </p> <p>Amazon S3 provides multiple client-side encryption options. For more information, see <a href="./UsingClientSideEncryption.html">Protecting data by using client-side encryption</a>.</p> </li></ul></div> </dd> <dt><b><span class="term"><div id="transit" xreflabel="Enforce encryption of data in transit"></div>Enforce encryption of data in transit</span></b></dt> <dd> <p>You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic by using person-in-the-middle or similar attacks. We recommend allowing only encrypted connections over HTTPS (TLS) by using the <a href="">aws:SecureTransport</a> condition in your Amazon S3 bucket policies. For more information, see the example S3 bucket policy <a href="">Managing access based on HTTP or HTTPS requests</a>. 
In addition to denying HTTP requests, we recommend that you set Amazon CloudWatch alarms on <code class="code">tlsDetails.tlsVersion NOT EXISTS</code> that alert you if HTTP access attempts are made on your content. For more information on how to configure Amazon CloudWatch alarms, see <a href="">Creating CloudWatch alarms for CloudTrail events: examples</a> and <a href="">CloudTrail record contents</a> in the <em>AWS CloudTrail User Guide</em>.</p> <div class="awsdocs-note awsdocs-important"><div class="awsdocs-note-title"><awsui-icon name="status-warning" variant="error"></awsui-icon><h6>Important</h6></div><div class="awsdocs-note-text"><p>We recommend that your application not pin Amazon S3 TLS certificates as AWS doesn’t support pinning of publicly-trusted certificates. S3 automatically renews certificates and renewal can happen any time before certificate expiry. Renewing a certificate generates a new public-private key pair. If you’ve pinned an S3 certificate which has been recently renewed with a new public key, you won’t be able to connect to S3 until your application uses the new certificate. </p></div></div> <p>Also consider implementing ongoing detective controls by using the <a href="">s3-bucket-ssl-requests-only</a> managed AWS Config rule. </p> </dd> <dt><b><span class="term"><div id="objectlock" xreflabel="Consider S3 Object Lock"></div>Consider using S3 Object Lock</span></b></dt> <dd> <p>With S3 Object Lock, you can store objects by using a "Write Once Read Many" (WORM) model. S3 Object Lock can help prevent accidental or inappropriate deletion of data. 
For example, you can use S3 Object Lock to help protect your AWS CloudTrail logs.</p> <p>For more information, see <a href="./object-lock.html">Locking objects with Object Lock</a>.</p> </dd> <dt><b><span class="term"><div id="versioning" xreflabel="Enable versioning"></div>Enable S3 Versioning</span></b></dt> <dd> <p>S3 Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your bucket. With versioning, you can easily recover from both unintended user actions and application failures. </p> <p>Also consider implementing ongoing detective controls by using the <a href="">s3-bucket-versioning-enabled</a> managed AWS Config rule.</p> <p>For more information, see <a href="./Versioning.html">Retaining multiple versions of objects with S3 Versioning</a>. </p> </dd> <dt><b><span class="term"><div id="cross-region" xreflabel="Consider Amazon S3 cross-region replication"></div>Consider using S3 Cross-Region Replication</span></b></dt> <dd> <p>Although Amazon S3 stores your data across multiple geographically diverse Availability Zones by default, compliance requirements might dictate that you store data at even greater distances. With S3 Cross-Region Replication (CRR), you can replicate data between distant AWS Regions to help satisfy these requirements. CRR enables automatic, asynchronous copying of objects across buckets in different AWS Regions. 
For more information, see <a href="./replication.html">Replicating objects within and across Regions</a>.</p> <div class="awsdocs-note"><div class="awsdocs-note-title"><awsui-icon name="status-info" variant="link"></awsui-icon><h6>Note</h6></div><div class="awsdocs-note-text"><p>CRR requires both the source and destination S3 buckets to have versioning enabled.</p></div></div> <p>Also consider implementing ongoing detective controls by using the <a href="">s3-bucket-replication-enabled</a> managed AWS Config rule.</p> </dd> <dt><b><span class="term"><div id="end-points" xreflabel="Consider VPC endpoints for Amazon S3 access"></div>Consider using VPC endpoints for Amazon S3 access</span></b></dt> <dd> <p>A virtual private cloud (VPC) endpoint for Amazon S3 is a logical entity within a VPC that allows connectivity only to Amazon S3. VPC endpoints can help prevent traffic from traversing the open internet.</p> <p>VPC endpoints for Amazon S3 provide multiple ways to control access to your Amazon S3 data:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>You can control the requests, users, or groups that are allowed through a specific VPC endpoint by using S3 bucket policies.</p> </li><li class="listitem"> <p>You can control which VPCs or VPC endpoints have access to your S3 buckets by using S3 bucket policies.</p> </li><li class="listitem"> <p>You can help prevent data exfiltration by using a VPC that does not have an internet gateway.</p> </li></ul></div> <p>For more information, see <a href="./example-bucket-policies-vpc-endpoint.html">Controlling access from VPC endpoints with bucket policies</a>. 
</p> </dd> <dt><b><span class="term"> <div id="use-managed-services" xreflabel="Use managed services to receive actionable findings in your accounts"></div>Use managed AWS security services to monitor data security</span></b></dt> <dd> <p>Several managed AWS security services can help you identify, assess, and monitor security and compliance risks for your Amazon S3 data. These services can also help you protect your data from those risks. These services include automated detection, monitoring, and protection capabilities that are designed to scale from Amazon S3 resources for a single AWS account to resources for organizations spanning thousands of accounts.</p> <p>For more information, see <a href="#monitoring-data-security">Monitoring data security with managed AWS security services</a>.</p> </dd> </dl></div> <h2 id="security-best-practices-detect">Amazon S3 monitoring and auditing best practices</h2> <p>The following best practices for Amazon S3 can help detect potential security weaknesses and incidents.</p> <div class="variablelist"> <dl> <dt><b><span class="term"><div id="audit" xreflabel="Identify and audit all your Amazon S3 buckets"></div>Identify and audit all of your Amazon S3 buckets</span></b></dt> <dd> <p>Identification of your IT assets is a crucial aspect of governance and security. You need to have visibility of all your Amazon S3 resources to assess their security posture and take action on potential areas of weakness. To audit your resources, we recommend doing the following:</p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>Use Tag Editor to identify and tag security-sensitive or audit-sensitive resources, then use those tags when you need to search for these resources. For more information, see <a href="">Searching for Resources to Tag</a> in the <em>Tagging AWS Resources User Guide</em>. 
</p> </li><li class="listitem"> <p>Use S3 Inventory to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs. For more information, see <a href="./storage-inventory.html">Cataloging and analyzing your data with S3 Inventory</a>.</p> </li><li class="listitem"> <p>Create resource groups for your Amazon S3 resources. For more information, see <a href="">What are resource groups?</a> in the <em>AWS Resource Groups User Guide</em>.</p> </li></ul></div> </dd> <dt><b><span class="term"><div id="tools" xreflabel="Implement monitoring using Amazon Web Services monitoring tools"></div>Implement monitoring by using AWS monitoring tools</span></b></dt> <dd> <p>Monitoring is an important part of maintaining the reliability, security, availability, and performance of Amazon S3 and your AWS solutions. AWS provides several tools and services to help you monitor Amazon S3 and your other AWS services. For example, you can monitor Amazon CloudWatch metrics for Amazon S3, particularly the <code class="code">PutRequests</code>, <code class="code">GetRequests</code>, <code class="code">4xxErrors</code>, and <code class="code">DeleteRequests</code> metrics. For more information, see <a href="./cloudwatch-monitoring.html">Monitoring metrics with Amazon CloudWatch</a> and <a href="./monitoring-overview.html">Logging and monitoring in Amazon S3</a>.</p> <p>For a second example, see <a href="">Example: Amazon S3 Bucket Activity</a>. 
This example describes how to create a CloudWatch alarm that is triggered when an Amazon S3 API call is made to <code class="code">PUT</code> or <code class="code">DELETE</code> a bucket policy, a bucket lifecycle, or a bucket replication configuration, or to <code class="code">PUT</code> a bucket ACL.</p> </dd> <dt><b><span class="term"><div id="serverlog" xreflabel="Enable Amazon S3 server access logging"></div>Enable Amazon S3 server access logging</span></b></dt> <dd> <p>Server access logging provides detailed records of the requests that are made to a bucket. Server access logs can assist you in security and access audits, help you learn about your customer base, and understand your Amazon S3 bill. For instructions on enabling server access logging, see <a href="./ServerLogs.html">Logging requests with server access logging</a>.</p> <p>Also consider implementing ongoing detective controls by using the <a href="">s3-bucket-logging-enabled</a> AWS Config managed rule. </p> </dd> <dt><b><span class="term"><div id="objectlog" xreflabel="Use CloudTrail"></div>Use AWS CloudTrail</span></b></dt> <dd> <p>AWS CloudTrail provides a record of actions taken by a user, a role, or an AWS service in Amazon S3. 
You can use information collected by CloudTrail to determine the following: </p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>The request that was made to Amazon S3</p> </li><li class="listitem"> <p>The IP address from which the request was made</p> </li><li class="listitem"> <p>Who made the request</p> </li><li class="listitem"> <p>When the request was made</p> </li><li class="listitem"> <p>Additional details about the request</p> </li></ul></div> <p></p> <p>For example, you can identify CloudTrail entries for <code class="code">PUT</code> actions that affect data access, in particular <code class="code">PutBucketAcl</code>, <code class="code">PutObjectAcl</code>, <code class="code">PutBucketPolicy</code>, and <code class="code">PutBucketWebsite</code>. </p> <p>When you set up your AWS account, CloudTrail is enabled by default. You can view recent events in the CloudTrail console. To create an ongoing record of activity and events for your Amazon S3 buckets, you can create a trail in the CloudTrail console. For more information, see <a href="">Logging data events</a> in the <em>AWS CloudTrail User Guide</em>.</p> <p>When you create a trail, you can configure CloudTrail to log data events. Data events are records of resource operations performed on or within a resource. In Amazon S3, data events record object-level API activity for individual buckets. CloudTrail supports a subset of Amazon S3 object-level API operations, such as <code class="code">GetObject</code>, <code class="code">DeleteObject</code>, and <code class="code">PutObject</code>. For more information about how CloudTrail works with Amazon S3, see <a href="./cloudtrail-logging.html">Logging Amazon S3 API calls using AWS CloudTrail</a>. 
In the Amazon S3 console, you can also configure CloudTrail event logging for your S3 buckets and objects. For more information, see <a href="./enable-cloudtrail-logging-for-s3.html">Enabling CloudTrail event logging for S3 buckets and objects</a>.</p> <p>AWS Config provides a managed rule (<code class="code">cloudtrail-s3-dataevents-enabled</code>) that you can use to confirm that at least one CloudTrail trail is logging data events for your S3 buckets. For more information, see <a href="">cloudtrail-s3-dataevents-enabled</a> in the <em>AWS Config Developer Guide</em>.</p> </dd> <dt><b><span class="term"><div id="config"></div>Enable AWS Config</span></b></dt> <dd> <p>Several of the best practices listed in this topic suggest creating AWS Config rules. AWS Config helps you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config monitors resource configurations so that you can evaluate the recorded configurations against the desired secure configurations. With AWS Config, you can do the following: </p> <div class="itemizedlist"> <ul class="itemizedlist"><li class="listitem"> <p>Review changes in configurations and relationships between AWS resources</p> </li><li class="listitem"> <p>Investigate detailed resource-configuration histories</p> </li><li class="listitem"> <p>Determine your overall compliance against the configurations specified in your internal guidelines</p> </li></ul></div> <p></p> <p>Using AWS Config can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting. For more information, see <a href="">Setting Up AWS Config with the Console</a> in the <em>AWS Config Developer Guide</em>. 
When specifying the resource types to record, ensure that you include Amazon S3 resources.</p> <div class="awsdocs-note awsdocs-important"><div class="awsdocs-note-title"><awsui-icon name="status-warning" variant="error"></awsui-icon><h6>Important</h6></div><div class="awsdocs-note-text"><p>AWS Config managed rules support only general purpose buckets when evaluating Amazon S3 resources. AWS Config doesn’t record configuration changes for directory buckets. For more information, see <a href="">AWS Config Managed Rules</a> and <a href="">List of AWS Config Managed Rules</a> in the <em>AWS Config Developer Guide</em>.</p></div></div> <p>For an example of how to use AWS Config, see <a href="" rel="noopener noreferrer" target="_blank"><span>How to Use AWS Config to Monitor for and Respond to Amazon S3 Buckets Allowing Public Access</span><awsui-icon class="awsdocs-link-icon" name="external"></awsui-icon></a> on the <em>AWS Security Blog</em>. </p> </dd> <dt><b><span class="term"><div id="storagelens" xreflabel="Use S3 Storage Lens"></div>Use S3 Storage Lens</span></b></dt> <dd> <p>S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. S3 Storage Lens also analyzes metrics to deliver contextual recommendations that you can use to optimize storage costs and apply best practices for protecting your data. </p> <p>With S3 Storage Lens, you can use metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use S3 Storage Lens metrics to identify cost-optimization opportunities, implement data-protection and access-management best practices, and improve the performance of application workloads. </p> <p>For example, you can identify buckets that don't have S3 Lifecycle rules to abort incomplete multipart uploads that are more than 7 days old. 
You can also identify buckets that aren't following data-protection best practices, such as using S3 Replication or S3 Versioning. For more information, see <a href="">Understanding Amazon S3 Storage Lens</a>.</p> </dd> <dt><b><span class="term"><div id="advisories" xreflabel="Monitor Amazon Web Services security advisories"></div>Monitor AWS security advisories</span></b></dt> <dd> <p>We recommend that you regularly check the security advisories posted in Trusted Advisor for your AWS account. In particular, look for warnings about Amazon S3 buckets with "open access permissions." You can also retrieve these checks programmatically by using <a href="">describe-trusted-advisor-checks</a>, which lets you feed them into your own monitoring rather than relying on manual console review.</p> <p>Further, actively monitor the primary email address that's registered to each of your AWS accounts. AWS uses this email address to contact you about emerging security issues that might affect you, so it should be a mailbox that your security or operations team watches (for example, a distribution list) rather than an individual's inbox that might go unread.</p> <p>AWS operational issues with broad impact are posted on the <a href="" rel="noopener noreferrer" target="_blank"><span>AWS Health Dashboard - Service health</span><awsui-icon class="awsdocs-link-icon" name="external"></awsui-icon></a>. Operational issues are also posted to individual accounts through the AWS Health Dashboard. For more information, see the <a href="">AWS Health documentation</a>.</p> </dd> </dl></div> <h2 id="monitoring-data-security">Monitoring data security with managed AWS security services</h2> <p>Several managed AWS security services can help you identify, assess, and monitor security and compliance risks for your Amazon S3 data. They can also help you protect your data from those risks. 
These services include automated detection, monitoring, and protection capabilities that are designed to scale from Amazon S3 resources for a single AWS account to resources for organizations spanning thousands of AWS accounts.</p> <p>AWS detection and response services can help you identify potential security misconfigurations, threats, or unexpected behaviors, so that you can quickly respond to potentially unauthorized or malicious activity in your environment. AWS data protection services can help you monitor and protect your data, accounts, and workloads from unauthorized access. They can also help you discover sensitive data, such as personally identifiable information (PII), in your Amazon S3 data estate.</p> <p>To help you identify and evaluate data security and compliance risks, managed AWS security services generate findings to notify you of potential security events or issues with your Amazon S3 data. The findings provide relevant details that you can use to investigate, assess, and act upon these risks according to your incident-response workflows and policies. You can access findings data directly by using each service. You can also send the data to other applications, services, and systems, such as your security information and event management (SIEM) system, so that S3 findings are triaged alongside the rest of your alerts rather than in a separate console.</p> <p>To monitor the security of your Amazon S3 data, consider using these managed AWS security services.</p> <div class="variablelist"> <dl> <dt><b><span class="term"><div id="threats" xreflabel="Identify potential threats to your S3 bucket"></div>Amazon GuardDuty</span></b></dt> <dd> <p>Amazon GuardDuty is a threat-detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.</p> <p>With the S3 protection feature in GuardDuty, you can configure GuardDuty to analyze AWS CloudTrail management and data events for your Amazon S3 resources. 
GuardDuty then monitors those events for malicious and suspicious activity. To inform the analysis and identify potential security risks, GuardDuty uses threat-intelligence feeds and machine learning.</p> <p>GuardDuty can monitor different kinds of activity for your Amazon S3 resources. For example, CloudTrail management events for Amazon S3 include bucket-level operations, such as <code class="code">ListBuckets</code>, <code class="code">DeleteBucket</code>, and <code class="code">PutBucketReplication</code>. CloudTrail data events for Amazon S3 include object-level operations, such as <code class="code">GetObject</code>, <code class="code">ListObjects</code>, and <code class="code">PutObject</code>. If GuardDuty detects anomalous or potentially malicious activity, it generates a finding to notify you.</p> <p>Because S3 protection is a feature that you configure, confirm that it is enabled in every account and Region where you store S3 data; object-level activity in an account or Region without S3 protection is not analyzed.</p> <p>For more information, see <a href="">Amazon S3 Protection in Amazon GuardDuty</a> in the <em>Amazon GuardDuty User Guide</em>.</p> </dd> <dt><b><span class="term">Amazon Detective</span></b></dt> <dd> <p>Amazon Detective simplifies the investigative process and helps you conduct faster, more effective security investigations. Detective provides prebuilt data aggregations, summaries, and context that can help you analyze and assess the nature and extent of possible security issues.</p> <p>Detective automatically extracts time-based events, such as API calls from AWS CloudTrail and Amazon VPC Flow Logs for your AWS resources. It also ingests findings generated by Amazon GuardDuty. Detective then uses machine learning, statistical analysis, and graph theory to generate visualizations that help you conduct effective security investigations more quickly.</p> <p>These visualizations provide a unified, interactive view of resource behaviors and the interactions between them over time. You can explore this behavior graph to examine potentially malicious actions, such as failed login attempts or suspicious API calls. 
You can also see how these actions affect resources, such as S3 buckets and objects.</p> <p>For more information, see the <a href="">Amazon Detective Administration Guide</a>.</p> </dd> <dt><b><span class="term">IAM Access Analyzer</span></b></dt> <dd> <p>AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) can help you identify resources that are shared with an external entity. You can also use IAM Access Analyzer to validate IAM policies against policy grammar and best practices, and generate IAM policies based on access activity in your AWS CloudTrail logs.</p> <p>IAM Access Analyzer uses logic-based reasoning to analyze resource policies in your AWS environment, such as bucket policies. With IAM Access Analyzer for S3, you're alerted when an S3 bucket is configured to allow access to anyone on the internet or other AWS accounts, including accounts outside your organization. For example, IAM Access Analyzer for S3 can report that a bucket has read or write access provided through a bucket access control list (ACL), a bucket policy, a Multi-Region Access Point policy, or an access point policy. For each public or shared bucket, you receive findings that indicate the source and level of public or shared access. With these findings, you can take immediate and precise corrective action to restore bucket access to what you intended.</p> <p>For more information, see <a href="./access-analyzer.html">Reviewing bucket access using IAM Access Analyzer for S3</a>.</p> </dd> <dt><b><span class="term"><div id="macie" xreflabel="Consider using Macie with Amazon S3"></div>Amazon Macie</span></b></dt> <dd> <p>Amazon Macie is a security service that discovers sensitive data by using machine learning and pattern matching. Macie provides visibility into data security risks, and enables automated protection against those risks. 
With Macie, you can automate the discovery and reporting of sensitive data in your Amazon S3 data estate to gain a better understanding of the data that your organization stores in S3.</p> <p>To detect sensitive data with Macie, you can use built-in criteria and techniques that are designed to detect a large and growing list of sensitive data types for many countries and regions. These sensitive data types include multiple types of personally identifiable information (PII), financial data, and credentials data. You can also use custom criteria that you define—regular expressions that define text patterns to match and, optionally, character sequences and proximity rules that refine the results.</p> <p>If Macie detects sensitive data in an S3 object, Macie generates a security finding to notify you. This finding provides information about the affected object, the types and number of occurrences of the sensitive data that Macie found, and additional details to help you investigate the affected S3 bucket and object. For more information, see the <a href="">Amazon Macie User Guide</a>.</p> </dd> <dt><b><span class="term">AWS Security Hub</span></b></dt> <dd> <p>AWS Security Hub is a security-posture management service that performs security best-practice checks, aggregates alerts and findings from multiple sources into a single format, and enables automated remediation.</p> <p>Security Hub collects and provides security findings data from integrated AWS Partner Network security solutions and AWS services, including Amazon Detective, Amazon GuardDuty, IAM Access Analyzer, and Amazon Macie. It also generates its own findings by running continuous, automated security checks based on AWS best practices and supported industry standards.</p> <p>Security Hub then correlates and consolidates findings across providers to help you prioritize and process the most significant findings. 
It also provides support for custom actions, which you can use to invoke responses or remediation actions for specific classes of findings.</p> <p>With Security Hub, you can assess the security and compliance status of your Amazon S3 resources, and you can do so as part of a broader analysis of your organization's security posture in individual AWS Regions and across multiple Regions. This includes analyzing security trends and identifying the highest-priority security issues. You can also aggregate findings from multiple AWS Regions, and then monitor and process the aggregated findings data from a single Region.</p> <p>For more information, see <a href="">Amazon Simple Storage Service controls</a> in the <em>AWS Security Hub User Guide</em>.</p> </dd> </dl></div> <awsdocs-copyright class="copyright-print"></awsdocs-copyright></div>