TalksAWS re:Invent 2025 - Amazon S3 security and access control best practices (STG316)

AWS re:Invent 2025 - Amazon S3 security and access control best practices (STG316)

AWS re:Invent 2025 - Amazon S3 Security and Access Control Best Practices

Security as an Integrated Approach

  • Security is one part of an integrated whole, not a standalone concern
  • Security works in conjunction with durability, availability, and performance to enable customer needs
  • Key customer needs include ensuring continuous business access to data and mitigating risks efficiently

Security is Everyone's Responsibility

  • AWS follows a "shared security model" - AWS is responsible for security of the cloud, customers are responsible for security in the cloud
  • Security is a lateral function that must be considered across all S3 product design and operations
  • Continuous iterative improvement is critical, as seen in recent S3 security enhancements:
    • S3 Block Public Access enabled by default
    • All new objects encrypted by default
    • S3 Checksums enabled by default
    • SOAP interface deprecated, niche SECC encryption disabled

Balancing Security and Usability

  • Security is not just about saying "no" - it's about enabling the right users to access the right data
  • S3 aims to deliver security in a way that supports continuous business access and efficient value delivery

Best Practices for S3 Security

  1. Block Public Access: Use S3 Block Public Access to prevent inadvertent public exposure of data. This is now the default for new buckets.
  2. Enable Bucket-Level Keys: Use bucket-level keys with KMS to dramatically reduce KMS request volume and costs.
  3. Divide and Conquer Responsibilities:
    • Use S3 Access Points to modularize bucket policies and enable independent application deployment
    • Leverage S3 Access Grants to provide fine-grained, user-specific access to files and prefixes
    • Implement Token Vending Machines to issue temporary, scoped credentials based on custom authorization logic
    • Utilize Attribute-Based Access Control (ABAC) to tie access policies to metadata tags
  4. Test Security Changes in a Model Environment: Set up a test stack mirroring production to validate policy changes before deployment.
  5. Leverage AWS Organizations: Use resource control policies to enforce enterprise-wide security guardrails, while allowing developer autonomy within those bounds.
  6. Extend S3 Security Beyond S3:
    • Calculate and validate checksums end-to-end, from data generation to S3 storage
    • Use the same encryption keys for local and S3 data encryption
    • Ensure all communication to S3 uses encrypted TLS connections
  7. Enable Logging for Reactive Security:
    • Use CloudTrail and S3 server access logs to enable audit, anomaly detection, and automated remediation
    • Leverage AWS services like GuardDuty, Config, and Security Hub for comprehensive monitoring and response
  8. Plan for Durability and Recovery:
    • Utilize S3 features like object versioning, object lock, and cross-region replication for data protection
    • Leverage AWS Backup for critical, long-term data retention and disaster recovery

Key Takeaways

For Developers:

  • Migrate to the new S3 tagging APIs
  • Enable logging on critical buckets
  • Implement checksums in your applications

For Security/Leadership:

  • Enforce S3 Block Public Access at the organization level
  • Adopt Attribute-Based Access Control (ABAC)
  • Allocate resources for testing environments and security audits

Technical Details and Business Impact

  • S3 Block Public Access has been enabled by default for new buckets, preventing accidental public exposure
  • Bucket-level keys with KMS have saved customers $400 million in KMS costs
  • S3 Access Points can scale to 100,000 per customer account per region
  • S3 Access Grants provide fine-grained, user-specific access control, leveraging corporate directories
  • ABAC allows tying access policies to semantic metadata, simplifying management at scale
  • Comprehensive logging and monitoring enable reactive security, anomaly detection, and automated remediation
  • S3 durability features like versioning, object lock, and replication protect against data loss and ensure business continuity

Examples and Use Cases

  • A large enterprise with thousands of developers and millions of customers uses S3 Access Grants to provide specific users access to individual files and prefixes, based on their corporate directory membership.
  • A social media platform leverages S3 Access Points to modularize bucket policies, allowing independent deployment of new applications without affecting the overall security posture.
  • A financial services firm implements ABAC to tie access policies to tags representing business units, regulatory compliance, and data sensitivity, simplifying management of a complex, multi-terabyte S3 environment.
  • A media production company calculates checksums at the point of video capture, validating end-to-end integrity before storing the footage in S3, ensuring the durability of critical assets.

Your Digital Journey deserves a great story.

Build one with us.

Talk to us
Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.