Securing S3 buckets
By default, S3 buckets are relatively secure.
Default settings
- Private - all newly created buckets are private
- Bucket owner - only the bucket owner can upload new files, read files, delete, etc.
- No public access - no public (anonymous) access is allowed
Opening up default settings
- Bucket policies
  - Applied at a bucket level - permissions are applied to all objects in the bucket
  - Not individual objects - a bucket policy can't be attached to an individual object
  - Groups of files - files that need to be accessed by the same people
    - Example: all users in a team need access to the same objects
  - The format of bucket policies is similar to IAM policy documents
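An added example (not part of these notes) showing the IAM-style policy document shape: a constructed bucket policy that gives one team role read access to every object in a bucket, beside a constructed public-read policy, and a small check that flags any Allow statement with an anonymous principal. The account ID, role name and bucket name are placeholders.

```python
import json

# Constructed bucket policy: one team's IAM role may list the bucket and read
# every object in it. Bucket policies apply bucket-wide, not per object.
# The account ID, role and bucket names below are placeholders.
TEAM_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TeamReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-team-role"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-team-bucket", "arn:aws:s3:::example-team-bucket/*"],
        }
    ],
}

# Constructed policy of the kind that undoes the private default: anyone
# (anonymous) may read every object.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-team-bucket/*",
        }
    ],
}


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal grants access to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_allow_statements(policy):
    """Return the Sid (or index, if no Sid) of each Allow statement open to anyone."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            found.append(stmt.get("Sid", i))
    return found
```

`json.dumps(TEAM_READ_POLICY, indent=2)` produces the document you would attach to the bucket; run `public_allow_statements` over a policy before applying it to catch an accidental public grant.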
- Bucket access control lists (ACLs)
  - Access control lists - applied at an object level, with different permissions for different objects
  - Grant access to objects - defined by account or groups, with different access types
  - Fine-grained control - different access types granted to different objects in the same bucket
    - Example: set some objects for read access by a user or group, account, etc.
- Access logging - S3 access logs can be enabled (disabled by default) and record information on every object request
  - Logs can be written to a separate S3 bucket