Understanding inbuilt AWS S3 security controls and methods — Part 3

Ravindu Nirmal Fernando
5 min readNov 6, 2022

--

In part 2 of this article series, we mainly discussed the access control policies that can be used to secure access to S3 buckets. In this article, we will focus on the access control methods which include both features and settings which S3 offers you to secure data in S3. These controls are crucial when you need to share your buckets among different applications and users or require public access to those.

We are going to cover up following topics in this article,

1 — S3 Access Points

2 — Public Access management setting in S3

1 — S3 Access Points

S3 is heavily used for many use cases to store shared data sets. These data sets are being accessed by individuals, groups, and applications hence the S3 buckets which store these data sets should have shared access. The management of access to these shared buckets requires maintaining a bucket policy, IAM policy, or ACLs. These policies may include access controls to hundreds to thousands of different users, groups, and applications depending on the use case. But as the users and application sets grow, managing these individual policies will be difficult and time-consuming mainly due to their complexity. This will also make it difficult to audit the changes to the policies.

AWS released the S3 Access Points feature within AWS S3 to mitigate the complexities discussed above. The service allows users to manage and control access to shared S3 buckets. The S3 access points can be attached to a single bucket and configured with separate access policies for that particular access point. This allows you the ability to create different access points with different permissions for teams and applications to your shared S3 bucket.

You have to note the following points when using S3 Access Points,

  • You can attach an access point only to a single bucket whereas a bucket can have multiple access points attached to itself.
  • Access points allow only object operations like S3 GetObject and S3 PutObject etc… and not bucket-specific operations like S3 DeleteBucket.
  • Access points can be configured to accept traffic from specific VPCs and also include the Block Public Access setting which is enabled by default.
  • The access point policies can be used to only allow access to objects with a defined prefix or to objects with specific tags. These policies are defined in JSON. However, these policies are valid if controls allowed within access point policies are also allowed in bucket policies. Hence if you are planning to use access point policies to manage access control for your shared bucket, it’s better to use bucket policy to delegate access control of the bucket to the access point as shown below.
    (Refer — https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html)
  • When accessing the resources using access points, for S3 object operations, you can use the access point ARN in place of a bucket name. For requests requiring a bucket name in the standard S3 bucket name format, you can use an access point alias instead. Both of these details are available when you create an access point.
S3 Access Point Configuration

2 — Public Access management setting in S3

UPDATE — S3 Public Block Access will be enabled automatically starting from April 2023 — Read More — https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

Over the years we have seen many incidents where sensitive information residing within S3 buckets has been exposed. This was mainly due to unprotected settings on the S3 bucket level which allowed general public access to the data within the S3 bucket. The public access management feature is available within AWS S3 to mitigate these types of configuration issues. This setting can be accessed from the permissions tab within your buckets setting and it’s enabled by default when you are creating a bucket. You will have to actively change this setting to allow public access to your bucket.

As shown below, you can completely turn off this setting if you require public access to your bucket, or you can select a combination of options that can be used to filter public access to your S3 buckets.

S3 Block public access setting

One thing to note here is that if you are to provide public access or cross-account access to the bucket using bucket policy or ACL, then access will still not be granted if the Block public access settings are enabled.

Another important service you can use to identify S3 buckets that are configured to allow public access or access from other AWS accounts, including AWS accounts outside of your organization is AWS S3 Access Analyzer.

To use S3 Access Analyzer you should first create an account-level analyzer from IAM service. Read more about S3 Access Analyzer here — https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

3 — Cross-Origin Resource Sharing in S3

CORS allows you to provide access to specific resources within a bucket from a web page hosted under a different domain than its own. Configuration of CORS for S3 can be found under the Permissions tab in the S3 bucket settings. You can pass the CORS configuration in JSON format.

Given below is a sample CORS configuration.

[
{
"AllowedHeaders": [
"Authorization"
],
"AllowedMethods": [
"GET",
"HEAD"
],
"AllowedOrigins": [
"http://www.example.com"
],
"ExposeHeaders": [
"Access-Control-Allow-Origin"
]
}
]

Also, note that CORS policy can contain more than 1 rule based on your use case. Read more on S3 CORS policies at — https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html

Let’s deep dive into the Encryption mechanisms provided by AWS S3 in the upcoming article on this article series.

References

1 — https://aws.amazon.com/s3/features/access-points/

2 — https://cloudacademy.com/course/increasing-your-security-posture-when-using-amazon-s3-1235

3 — https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-analyzer.html

4 — https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html

--

--