Increasing Your Security Posture when Using Amazon S3
This course has been designed to introduce you to the different security controls and methods that have been built into Amazon S3 to protect your data and enhance your overall security posture. You will learn about resource ownership, access control policies, S3 Access Points, Access Analyzer, and how to use Cross Origin Resource Sharing (CORS).
If you have any feedback relating to this course, please contact us at firstname.lastname@example.org.
- Understand resource ownership in Amazon S3
- Use policies to control access
- Scale access to shared buckets with S3 Access Points
- Use Access Analyzer to monitor access to buckets
- Learn what Cross Origin Resource Sharing (CORS) is and how to use it
This course is intended for anyone who is responsible for securing, designing, and managing Amazon S3, or who simply wants to learn more about security in Amazon S3.
To get the most out of this course, you should have a basic understanding of Amazon S3. It's also recommended that you have a solid understanding of AWS IAM policy syntax and structure.
Hello, and welcome to this lecture, where I shall be looking at the fundamental element of resource ownership in Amazon S3. Resources in S3 can be defined as buckets and objects. Let me start off by discussing the principle of resource ownership. By default, when a bucket is created or an object is uploaded to Amazon S3 within an account, that AWS account becomes the owner of the resource.
So for example, if I were logged into AWS using my IAM username of Stuart and I created a bucket called S3 deep dive, then that bucket would be owned by the account that the IAM user Stuart resides in, and not by the user Stuart. So resource ownership is managed at the account level.
Now you can, with the correct permissions applied, allow another AWS account to upload objects to one of your own buckets, and your account would remain the resource owner of that bucket. However, when a different AWS account uploads an object into that same bucket, the AWS account that performs the upload becomes the resource owner of that object.
So the bucket owner does not become the resource owner of the object, and in addition, the bucket owner would not have access to objects that have been uploaded by another account either. This behavior can be overridden by selecting the bucket and then selecting Permissions. If you then scroll down to the Object Ownership section and select Edit, you can change the settings there.
You can either accept the default option, Object writer, in which the uploading account keeps ownership of the object, or select Bucket owner preferred so that the owner of the bucket obtains ownership of any objects uploaded to the bucket. As you can see highlighted in the information window, you must update the bucket policy to require all Amazon S3 put operations to include the bucket-owner-full-control canned ACL.
A canned ACL is a predefined grant that contains both grantees and permissions. The bucket-owner-full-control canned ACL applies to objects only. An example of a bucket policy to enforce this canned ACL would look as shown. This policy allows the user Lisa, in an account whose ID ends in 354, to put objects into the bucket S3 deep dive on the condition that the request includes the canned ACL. When the user Lisa uses a put request to upload an object to this bucket, Lisa would have to do so by setting the x-amz-acl request header to the canned ACL.
As a result, S3 adds the predefined grant giving the bucket owner full control to the ACL of the resource, in this case the object being uploaded by Lisa. Enforcing that the bucket owner takes control over objects uploaded by another account lets the bucket owner maintain access control over all the objects within the bucket. This also simplifies the management of the objects residing in the bucket.
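The bucket policy the lecture refers to, as an added example that is not the course's own slide content: it builds the policy that allows Lisa's PutObject only when the request carries the bucket-owner-full-control canned ACL, and pairs it with a minimal evaluator so you can see that a put without the x-amz-acl header falls through to the implicit deny. The account ID (ending in 354), the bucket name and the user ARN are constructed placeholders.

```python
import json

# Constructed placeholders (not from the course): account ID ends in 354 to match
# the lecture, bucket name is a slug of the lecture's "S3 deep dive" bucket.
BUCKET = "s3-deep-dive"
LISA = "arn:aws:iam::111122223354:user/Lisa"
REQUIRED_ACL = "bucket-owner-full-control"


def build_bucket_policy(bucket: str, principal_arn: str) -> dict:
    """Bucket policy allowing PutObject only when the request carries the
    bucket-owner-full-control canned ACL (sent as the x-amz-acl header)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireBucketOwnerFullControl",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}},
        }],
    }


def put_allowed(policy: dict, principal_arn: str, headers: dict) -> bool:
    """Minimal evaluator for the policy above: a PutObject is allowed only if an
    Allow statement matches the principal and every StringEquals condition holds.
    Anything not explicitly allowed is an implicit deny, as in IAM. (The real
    service also requires the uploader's own IAM permissions; not modelled here.)"""
    # S3 exposes the x-amz-acl request header as the condition key s3:x-amz-acl
    context = {"s3:x-amz-acl": headers.get("x-amz-acl")}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:PutObject":
            continue
        if stmt["Principal"].get("AWS") != principal_arn:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in wanted.items()):
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, LISA)
    print(json.dumps(policy, indent=2))
    print(put_allowed(policy, LISA, {"x-amz-acl": REQUIRED_ACL}))  # True
    print(put_allowed(policy, LISA, {}))                            # False
```

Buckets created with the newer Bucket owner enforced ownership setting disable ACLs entirely, so there the bucket owner already owns every object and this header-based condition is unnecessary.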
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.