Understanding inbuilt AWS S3 security controls and methods - Part 1

Security is a key component and concept that you should focus on when it comes to data storage. Any misconfiguration in the security front of your sensitive data can bring a catastrophic impact on your business and its customers.

Since its inception in 2006, AWS S3 has been one of the prominent and go-to storage as a service and backup as a service for many software solutions across the world. Though lots of innovation happening around with AWS S3 service, we still see instances where a simple yet harmful misconfiguration in AWS S3 makes a way for large security breaches (https://www.zdnet.com/article/unsecured-aws-server-exposed-airport-employee-records-3tb-in-data/).

As stated in the Shared Responsibility Model documentation by AWS, Security and Compliance are shared responsibilities between AWS and the customer. AWS will inherently provide you with physical and environmental security for the services you consume. But when it comes to patch management, configuration management, and awareness and training, the responsibility is shared between both the customer and the Cloud Service Provider (CSP). Hence it's the same with AWS S3 service as AWS is responsible for maintaining the durability, availability, and physical security of data that resides in S3, its the customer’s responsibility to enable and configure the AWS S3 service (buckets and objects) with proper security controls and methods to ensure that the data resides on S3 are secure and cannot be accessed from unauthorized parties.

AWS has provided its customers with several security controls and methods to improve the security posture when using the AWS S3 service. This article series will go through all those in detail.

Before we go through the security controls and methods that AWS S3 offers, it’s really important to understand how resource ownership works in AWS S3. That will be the key focal point for part 1 of this article series.

These are a few points that you should grasp when it comes to principles of resource ownership by default.

  • Buckets and objects are considered resources in AWS S3. By default, when a bucket is created or an object is uploaded to Amazon S3 the ownership of that bucket and the object will go to the AWS account.
Go to Permissions Tab on your S3 Bucket configuration
Scroll down and select Object Ownership
Edit the Object Ownership setting

As you can see in the above figure, there are three settings that can be used to control the ownership of the objects uploaded to the bucket.

ACLs disabled

  • Bucket owner enforced (recommended) — In this setting ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. ACLs are no longer considered when assessing permissions to data in an S3 bucket. Bucket policies can be used to define access control. Activating this setting will apply it to all the existing and new objects as well. This setting was introduced in November 2021.
"Version": "2012-10-17",
"Statement": [
"Sid": "Only allow writes to my bucket with bucket owner full control",
"Effect": "Allow",
"Principal": {
"AWS": [
"Action": [
"Resource": "arn:aws:s3:::AccountB-Bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"

ACLs enabled

  • Bucket owner preferred — This setting provides the bucket owner full control over new objects that other accounts write to the bucket with the bucket-owner-full-control canned ACL. If you activate this setting, you should ensure that you set up a bucket policy to grant a specific user or a role to upload objects into that bucket using the bucket-owner-full-control canned ACL. Refer to the sample bucket policy given below,

You can read more about these controls by visiting the AWS Documentation.

For the majority of the use cases, AWS recommends disabling ACLs by choosing the bucket owner-enforced setting and using your bucket policy to share data with users outside of your account as needed.

With a solid grasp on the resources and resource ownership in AWS S3, let’s deep dive into understanding security controls and methods provided by AWS S3 in the upcoming articles on this article series.


1 — https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

2 — https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-full-control-acl/

3 — https://aws.amazon.com/compliance/shared-responsibility-model/




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store