Amazon S3 provides a number of different settings to help you secure your data, controls to ensure that those settings remain in place, and features to help you audit all of the above. In this workshop, we walk you through these different capabilities of Amazon S3, presenting scenarios to help you apply them for different security requirements.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 Security Settings &
Controls
Sam Parmett
Software Development Engineer
Amazon S3
S T G 3 0 8

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Amazon Simple Storage Service (Amazon S3) access control mechanisms
Amazon S3 encryption
Monitoring access to Amazon S3 resources
Hands-on exercises
Takeaways

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Workshop repeats
Tuesday, November 27
STG308-R1 - Amazon S3 Security Settings & Controls
9:15 a.m. – 11:30 a.m. | MGM, Level 3, Premier Ballroom 320

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related sessions
Tuesday, November 27
STG303-R1 - Deep Dive on Amazon S3 Security and Management
4:45 p.m. – 5:45 p.m. | Venetian, Level 2, Venetian F
Wednesday, November 28
STG379-R3 - Chalk Talk: Deep Dive on Security in Amazon S3 & Amazon Glacier
1:00 p.m. – 2:00 p.m. | Aria West, Level 3, Starvine 7
Wednesday, November 28
STG403 - Manage Objects & Optimize for Cost at Scale with Amazon S3 & Amazon Glacier
6:15 p.m. – 8:30 p.m. | Aria West, Level 3, Ironwood 7

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 access control mechanisms
• AWS Identity and Access Management (IAM) policy
• AWS Organizations service control policy
• Amazon S3 VPCE policy
• Amazon S3 bucket policy
• Amazon S3 access control lists (ACLs)
• Amazon S3 Block Public Access

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 encryption support
User encrypts the data on
client-side and uploads to
Amazon S3
HTTPS/TLS
• SSE-S3 (Amazon S3 managed
keys)
• SSE-KMS (AWS Key Management
Service [AWS KMS])
• SSE-C (customer-provided keys)
Server-side encryption Client-side encryption

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 default encryption
Provides S3 encryption-at-rest support for applications that do not
otherwise support encrypting data in Amazon S3
One time
bucket level
set up
Automatically
encrypts all new
objects
Supports SSE-
S3 and SSE-
KMS
Simplified
compliance

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring Amazon S3 security settings
Bucket access control
view in S3 console
AWS Trusted Advisor
Amazon MacieAWS Config rules
S3-bucket-public-read-prohibited
S3-bucket-public-write-prohibited

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoring Amazon S3 security settings (cont.)
AWS CloudTrail
Object encryption status
Amazon S3 inventory
Amazon S3 server
access logs

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hands-on exercises
Four independent scenarios
We’ll check in every ~30 minutes
If you’re stuck, please flag a session helper!
Link to download worksheet
https://s3.amazonaws.com/stg308-instruction/workshop_handout.pdf

12. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sam Parmett

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.