Introduction:
Amazon S3 (Simple Storage Service) is one of the most widely used cloud storage solutions, but it is also a common source of data leaks if not properly secured. High-profile breaches have occurred due to misconfigured S3 buckets, exposing sensitive data like customer records, financial information, and private documents.
In this blog, we will understand the best practices to secure AWS S3 buckets and prevent accidental data exposure.
Why S3 Buckets are Vulnerable?
By default, AWS S3 buckets are private, but many users accidentally make them public due to Incorrect permissions (misconfigured bucket policies or ACLs). Overly permissive IAM roles (giving too much access to users/apps). Lack of monitoring (no alerts for suspicious access).
How we can fix this issue step by step ?
1. Ensure S3 Buckets are not publicly accessible.
Disable "Block Public Access" settings, AWS provides "Block Public Access" feature that overrides any accidental public permissions. To enable it Go to AWS S3 Console → Select your bucket → Permissions.
Under "Block Public Access (Bucket Settings)", click edit, check following options to block:
- Block public access via ACLs
- Block public access via bucket policies
- Block public and cross-account access
Click on Save. This ensures no one can accidentally make the bucket public.
2. Use IAM Policies (Instead of Bucket ACLs)
Avoid using S3 Access Control Lists (ACLs), they are outdated and harder to manage. Instead, use "IAM policies" for fine-grained access control.
Example IAM Policy (Restrictive Access)
{
"Version": "2022-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]} // Restrict to specific IPs
}
}
] }
3. Enable S3 Bucket Encryption Even if someone accesses your files, encryption ensures they can’t read them. There are two types of Encryption here:
- SSE-S3 (AWS-Managed Keys)– Simple, automatic encryption.
- SSE-KMS (Customer-Managed Keys)– More control, audit logs.
- Go to S3 Bucket → Properties → Default Encryption. Select AWS-KMS or AES-256 (SSE-S3). Click Save.
- Versioning keeps multiple copies of files, preventing ransomware/data loss.
- MFA Delete ensures no one can delete files without multi-factor authentication.
aws s3api put-bucket-versioning --bucket your-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::123456789012:mfa/root-account-mfa-device 123456"
- CloudTrail logs API calls (who accessed what).
- S3 Access Logs track every request to your bucket.
- Go to CloudTrail → Create Trail.
- Select S3 Data Events to log bucket activity.
- Go to S3 Bucket → Properties → Server Access Logging → Enable.
- Unusual download spikes
- Access from unknown IPs
- Unauthorized deletion attempts
{
"Version": "2022-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"Bool": { "aws:SecureTransport": "false" } // Blocks HTTP
}
}
]
}