Amazon S3 Security Deep Dive
•
3 gostaram•700 visualizações
This document contains a presentation on security best practices for Amazon S3. It discusses how S3 provides confidentiality, integrity and availability. It also summarizes how S3 supports analytics and data serving through its scalable and cost-effective architecture. The presentation recommends enabling default encryption with SSE-KMS, using object lock for governed data, requiring TLS through bucket policies, and enabling VPC endpoints with limiting bucket policies. Useful policy snippets are also provided for requiring TLS, signatures, source IP restrictions, MFA and VPC endpoints.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Amazon S3 Security Deep Dive
Semelhante a Amazon S3 Security Deep Dive (20)
Mais de Amazon Web Services
Mais de Amazon Web Services (20)
Amazon S3 Security Deep Dive
- 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Deep dive on security in Amazon S3 S T G 3 0 4 Kevin Miller General Manager, Amazon S3 Glacier Amazon S3 John Mallory Principal Business Development Manager Amazon S3
- 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon Simple Storage Service (Amazon S3) SecurityConfidentialityIntegrity AvailabilityAccesscontrol
- 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon S3 data lake – Service overview Analytics & Serving Scalable, secure, cost-effective Amazon S3 Amazon DynamoDB Amazon Elasticsearch Service AWS Glue Catalog & search AWS Snowball AWS Storage Gateway Amazon Kinesis Data Firehose AWS Direct Connect AWS Database Migration Service Data ingestion AWS KMS AWS CloudTrail AWS IAM Amazon CloudWatch Secure & manage Amazon Athena Amazon EMR Amazon Redshift Amazon DynamoDB Amazon QuickSight Amazon Kinesis Amazon Elasticsearch Service Amazon Neptune Amazon RDS Analytics & insight
- 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon S3 – Access policy processing IAM policies User Group Role Bucket policy Amazon VPC endpoint policy Object ACL
- 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon S3 – Server-side encryption When enabled, newly PUT objects encrypted using AES256 • SSE-S3 • Object keys encrypted by Amazon S3-managed master key • SSE-KMS • Object keys managed by AWS Key Management Service (AWS KMS) (separate key access policy) • Object keys encrypted by AWS KMS customer master key (CMK), which can be customer-supplied • Requires SigV4 and TLS for GET and PUT • SSE-C • Key must be supplied in the PUT & GET requests • Key is not stored by AWS
- 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Amazon S3 security best practices • (Account) Block public access: Enable • (Bucket) Default encryption: SSE-KMS • Object lock: Use in governance mode for data with expected lifetime • By bucket policy, require TLS • VPC endpoint: Enable, with bucket policies limiting access
- 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Useful policy snippets – Conditions Require TLS (Deny) "Bool": { "aws:SecureTransport": "false" } Require SigV4 (Deny) "StringNotEquals": { "s3:signatureversion": "AWS4-HMAC-SHA256" } Source IP address restrictions (Allow) "IpAddress": {"aws:SourceIp": "54.240.143.0/24"} Require multi-factor authentication (Deny) "Null": { "aws:MultiFactorAuthAge": true } Require Amazon VPC endpoint and specific VPC (Deny) "StringNotEquals": { "aws:sourceVpc": "vpc-111bbb22" }
- 8. Thank you! S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kevin Miller John Mallory