AWS S3 Best Practices

AWS Simple Storage Service (S3) is storage for the Internet. It offers a web service interface that makes it simple to store and retrieve any amount of data at any time, from anywhere on the web. S3 is designed to make web-scale computing simpler for developers by providing highly scalable, fast, reliable and inexpensive data storage infrastructure.

Cloud Conformity checks the Amazon Simple Storage Service (Amazon S3) against the following rules:

AWS S3 Bucket Authenticated 'FULL_CONTROL' Access
Ensure S3 buckets do not allow FULL_CONTROL access to AWS authenticated users via S3 ACLs.

AWS S3 Bucket Authenticated 'READ' Access
Ensure S3 buckets do not allow READ access to AWS authenticated users through ACLs.

AWS S3 Bucket Authenticated 'READ_ACP' Access
Ensure AWS S3 buckets do not allow READ_ACP access to AWS authenticated users using ACLs.

AWS S3 Bucket Authenticated 'WRITE' Access
Ensure S3 buckets do not allow WRITE access to AWS authenticated users through S3 ACLs.

AWS S3 Bucket Authenticated 'WRITE_ACP' Access
Ensure S3 buckets do not allow WRITE_ACP access to AWS authenticated users using S3 ACLs.

Enable S3 Bucket Default Encryption
Ensure Amazon S3 buckets have Default Encryption feature enabled.

Enable Access Logging for AWS S3 Buckets
Ensure AWS S3 buckets have server access logging enabled to track access requests.

Enable MFA Delete for AWS S3 Buckets
Ensure AWS S3 buckets have the MFA Delete feature enabled.

S3 Bucket Public Access Via Policy
Ensure AWS S3 buckets do not allow public access via bucket policies.

Publicly Accessible AWS S3 Buckets
Ensure that your AWS S3 buckets are not publicly exposed to the Internet.

AWS S3 Bucket Public 'READ' Access
Ensure AWS S3 buckets do not allow public READ access.

AWS S3 Bucket Public 'READ_ACP' Access
Ensure AWS S3 buckets do not allow public READ_ACP access.

AWS S3 Bucket Public 'WRITE' Access
Ensure AWS S3 buckets do not allow public WRITE access.

AWS S3 Bucket Public 'WRITE_ACP' Access
Ensure AWS S3 buckets do not allow public WRITE_ACP access.

Enable Versioning for AWS S3 Buckets
Ensure AWS S3 object versioning is enabled for an additional level of data protection.

DNS Compliant S3 Bucket Names
Ensure that your AWS S3 buckets are using DNS-compliant bucket names.

Enable S3 Bucket Lifecycle Configuration
Ensure Amazon S3 buckets have lifecycle configuration enabled for security and cost optimization purposes.

Review S3 Buckets with Website Configuration Enabled
Ensure S3 buckets with website configuration enabled are regularly reviewed (informational).

AWS S3 Unknown Cross-Account Access
Ensure Amazon S3 buckets do not allow unknown cross-account access via bucket policies.

Secure Transport
Ensure AWS S3 buckets enforce SSL to secure data in transit.

Server-Side Encryption
Ensure AWS S3 buckets enforce Server-Side Encryption (SSE).

Limit S3 Bucket Access by IP Address
Ensure that access to Amazon S3 buckets is limited to specific IP addresses only.