Securing Amazon Simple Storage Service (Amazon S3) - Part 1

Introduction

This guide will show you how to automate securing Amazon Simple Storage Service (Amazon S3). I will use various AWS resources and services to secure and protect Amazon S3 and use Terraform to automate the provisioning of these AWS resources and services. This is a three-part article.

In this first article, we will discuss what Amazon S3 is, what Amazon S3 security best practices are, and we will configure the AWS Terraform Provider and variables.

You can access all of the code used in my GitHub repository.

Understanding Amazon Simple Storage Service (Amazon S3)

Amazon Simple Storage Service, or Amazon S3, is a popular cloud object storage service. Amazon S3 is designed to store and retrieve large amounts of data in a highly scalable and durable manner. Some of the data types Amazon S3 can store are images, videos, small files, and backup files. What is unique about Amazon S3 is its scalability, durability, data consistency, data encryption, and data lifecycle management.

Amazon S3 is widely used by individuals, businesses, and organizations to store, manage, and distribute data for various purposes, such as backup and restore, content storage and delivery, big data analytics, and application data hosting. You can learn more about AWS S3 features at AWS S3 Documentation.

Amazon S3 Security Best Practices

To ensure the security of your data in S3, you should follow best practices for access control, data protection, monitoring, and incident response. Here are some critical recommendations for securing your S3 buckets and objects:

• Principle of Least Privilege: Grant only the necessary permissions to users, groups, and roles. Use AWS Identity and Access Management (IAM) to create policies restricting access to specific S3 buckets and actions.
• Encrypt Data at Rest: Use Server-side encryption with Amazon S3-managed keys (SSE-S3), AWS Key Management Service (KMS) keys (SSE-KMS), or customer-provided keys (SSE-C) to protect your data at rest. Use Client-side encryption instead of Server-side encryption. If using Client-side encryption, you are responsible for encrypting the data and managing the encryption keys.
• Use HTTPS: Always use HTTPS when sending and receiving data to and from S3 to ensure data confidentiality and integrity in transit. Apply a Bucket Policy to deny non-HTTPS requests.
• Enable Versioning: This feature helps you recover from unintended user actions and application failures by keeping multiple versions of an object in the same bucket.
• Disable Access Control Lists (ACLs): Use these to manage access to your S3 buckets and objects more granularly. Amazon recommends disabling ACLs as most use cases no longer require this feature. It is only recommended to enable ACLs for unique circumstances. 
• Implement Bucket Policies: Use bucket policies to manage access to your S3 buckets and objects more granularly.
• Disable S3 Block Public Access: Prevent the accidental exposure of your data by blocking public access to your buckets and objects.
• Implement lifecycle policies: Automate the transition of objects between storage classes and configure object expiration to delete objects that are no longer needed.
• Use S3 Object Lock: This allows you to put a Legal Hold or Retention period on your data. It also allows you to store objects using the "Write Once Read Many" (WORM), which protects from accidental or inappropriate deletion of data.
• S3 Cross-Region Replication: Enable S3 Cross-Region Replication to protect your data from AWS Region outages. It also can be used for compliance if required to store data in another AWS Region and location.
• VPC Endpoints for Amazon S3 access: Adding a virtual private cloud (VPC) endpoint to your VPC can protect your data by allowing only resources in your VPC to directly communicate with Amazon S3 and preventing traffic from traversing over the Internet.
• Use AWS Organizations and Service Control Policies (SCPs): Apply SCPs to centrally manage and enforce S3 security policies across all accounts in your organization.
• Regularly review and update your security configuration: Conduct regular audits of your S3 buckets and objects to identify potential security risks and ensure that your access policies are current.
• Use IAM Roles for applications and AWS services: Utilize IAM Roles instead of AWS credentials in your applications. IAM Roles use temporary credentials for your applications or services that need access to Amazon S3. Attach an IAM Role to AWS Services such as Amazon EC2 to access Amazon S3 resources.
• Configure logging and monitoring: Enable AWS CloudTrail for auditing and Amazon S3 access logs for detailed object-level access history. Use Amazon CloudWatch and AWS Lambda for real-time monitoring and automated responses to specific events.
• AWS Config: Enable AWS Config and utilize AWS Config rules. AWS Config rules can help you monitor and evaluate your Amazon S3 configurations. It provides manual or auto remediations if an Amazon S3 configuration is out of compliance.
• Amazon Macie: Use Amazon Macie with Amazon S3. Amazon Macie automates the discovery of sensitive data such as credit cards or social security numbers.

By implementing these best practices, you can significantly enhance the security of your data in Amazon S3 and protect it from unauthorized access or data breaches.

Infrastructure as Code (IaC) with Terraform

Terraform is an open-source Infrastructure as Code (IaC) cross-platform tool. Terraform lets you define and manage infrastructure declaratively instead of manually configuring infrastructure through the console, the CLI, or shell scripts.

Configure Terraform Providers and Populate Variables

Step 1. Configure Terraform Providers.

providers.tf

terraform {
  backend "s3" {
    bucket         = "dallin-tf-backend" # Update the bucket name
    key            = "dallin-s3-lab"     # Update key name
    region         = "us-west-2"         # Update with aws region
    profile        = "bsisandbox"        # Update aws profile
    encrypt        = true
    dynamodb_table = "dallin-tf-backend" # Update dynamodb_table
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 1.0.0"
}

provider "aws" {
  region  = local.aws_region
  profile = local.aws_profile

  default_tags {
    tags = {
      Owner       = local.owner
      Environment = local.environment
      Project     = local.project
      Provisoner  = "Terraform"
    }
  }
}

Step 2. Configure Variables

locals.tf

locals {
  # AWS Provider 
  aws_region  = "us-west-2"  # Update with aws region
  aws_profile = "bsisandbox" # Update with aws profile

  # Account ID
  local.account_id  = data.aws_caller_identity.current.account_id

  # Tags
  owner       = "Dallin Rasmuson" # Update with owner name
  environment = "sandbox"         
  project     = "AWS S3 Lab"

  # S3 Bucket Prefix Name
  aws_s3_bucket_name = "dallin-s3-lab"
 
  # Email Address to use for SNS Notifications with Eventbridge
  sns_endpoint_email_address = "[email protected]"
}

Conclusion

In this article, we discussed what Amazon S3 is and what the Amazon S3 security best practices are. We also configured the AWS Terraform Provider and variables. By implementing Amazon S3 best practices, you can significantly enhance the security of your data in Amazon S3 and protect it from unauthorized access or data breaches.

In part two, we will review the Terraform code and deploy the Terraform code to AWS.