Securing S3 Buckets: A Developer's Checklist

Amazon S3 is an incredibly powerful and versatile object storage service, but its flexibility also means that misconfigurations can easily lead to data breaches. For developers, securing S3 buckets is not just an operational task; it's a critical part of the application development lifecycle.

Here is a practical checklist of the essential security settings you should be enabling for your S3 buckets.

1. ✅ Block Public Access (BPA)

This is the most important setting and should be your default for almost every bucket. The Block Public Access settings are a set of four controls that act as a global guardrail for your account and individual buckets, preventing accidental public exposure.

• Block new public ACLs and public buckets
• Block public and cross-account access through any public ACLs
• Block new public bucket or access point policies
• Block public and cross-account access through any public bucket or access point policies

Action: For any bucket that does not need to host a public website, ensure that all four of these settings are turned On. This is the default for all new buckets and should almost never be turned off.

2. ✅ Use Bucket Policies for Fine-Grained Control

While IAM policies grant permissions to your users and roles, bucket policies are attached directly to an S3 bucket and define who can access the objects within it. They are the standard way to manage cross-account access or grant specific permissions to AWS services.

Action: Use bucket policies to enforce specific rules. For example, you can enforce that all objects uploaded must be encrypted.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

3. ✅ Enable Default Encryption

Encryption protects your data at rest. You should always enable default encryption on your buckets. This ensures that any new object uploaded to the bucket is automatically encrypted without the client having to specify any encryption headers.

• SSE-S3 (Server-Side Encryption with S3-Managed Keys): AWS manages the encryption keys. This is the easiest option and provides a strong baseline of security.
• SSE-KMS (Server-Side Encryption with AWS Key Management Service): You manage the keys in AWS KMS. This gives you more control and auditing capabilities over your keys.

Action: In your bucket's properties, enable default encryption and choose AES-256 (SSE-S3) as a minimum.

4. ✅ Enforce Encryption in Transit

To protect your data as it travels over the network, you should enforce that all connections to your S3 bucket use HTTPS. You can do this with a bucket policy.

Action: Add the following statement to your bucket policy to deny any request that isn't using TLS.

{
  "Sid": "EnforceTLSRequestsOnly",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::my-secure-bucket/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}

5. ✅ Enable Versioning

Versioning keeps a full history of all the writes and deletes for every object in your bucket. While not strictly a security feature against unauthorized access, it's a critical safety feature that can protect you from accidental deletions or overwrites. If an object is accidentally deleted, you can simply restore the previous version.

Action: In your bucket's properties, enable bucket versioning.

6. ✅ Enable Access Logging

Server access logging provides detailed records for the requests that are made to your bucket. This is essential for security auditing. If a security incident occurs, these logs will be invaluable for understanding what happened.

Action: Configure your bucket to deliver access logs to another, separate S3 bucket that is used specifically for logging.

Conclusion

Securing your S3 buckets is a fundamental responsibility for every AWS developer. By following this checklist—blocking public access, using strong bucket policies, enabling encryption, versioning, and logging—you can build a robust security posture that protects your data from both accidental exposure and malicious threats.