Amazon Simple Storage Service (Amazon S3) Security
Amazon Simple Storage Service (Amazon S3) lets you upload and retrieve any amount of data at any time, from anywhere on the web. Amazon S3 stores data as objects in buckets; an object can be any kind of file, such as a text file, a photo, or a video. When you add a file to Amazon S3, you can attach metadata to the object and set permissions on it to control who can access it.
Amazon S3 Data Access
Access to data stored in Amazon S3 is restricted by default: only the bucket and object owners have access to the Amazon S3 resources they create. Note that the bucket or object owner is the AWS account, not the IAM user who created the bucket or object. There are several ways to control access to buckets and objects; some of them are discussed below.
- IAM policies – IAM allows an organization with many employees to create and manage multiple users (and groups and roles) under a single AWS account. IAM policies are attached to those identities to grant them access to buckets or objects, which gives centralized control over permissions within the account. With IAM policies alone, you can only grant access to your Amazon S3 resources to users in your own AWS account.
- ACLs – Within Amazon S3, ACLs can give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources, and ACLs carry no conditions. AWS now recommends bucket policies or IAM policies instead, and new buckets have ACLs disabled by default through the Object Ownership setting, so prefer policies unless an existing workflow depends on ACLs.
- Bucket policies – A bucket policy is attached to a single bucket and grants or denies permissions across some or all of the objects in that bucket, so the permissions for the bucket are managed in one place rather than on each user. Unlike IAM policies, a bucket policy can name principals in your own AWS account or in other AWS accounts, which makes it the usual way to grant cross-account access to Amazon S3 resources.
- Query string authentication – A request can be expressed entirely in a URL, with the request information, including the authentication information, carried as query parameters. Such a URL is usually called a pre-signed URL, because the request signature is part of the URL.
Amazon S3 lets developers use query string authentication to share Amazon S3 objects through URLs that are valid only for a predefined period of time. This is useful for giving browsers HTTP access to resources that would normally require authentication: the request is secured by the signature in the query string. Anyone holding the URL can make exactly that request until it expires, so treat a pre-signed URL as a bearer credential and keep its lifetime as short as the use case allows.
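The following is an added example, not code from the original page or from AWS; it builds a pre-signed GET URL with the Signature Version 4 query-string scheme using only the Python standard library, and then plays the receiving side to show why the URL stops working outside its validity window or when any signed part of it is altered. The bucket name, object key and fixed timestamp are constructed for the example; the access key and secret are AWS's published placeholder values, not real credentials.

```python
import hashlib
import hmac
import time
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed inputs: AWS's published example credentials, not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects X-Amz-Expires longer than seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: the long-term secret is never sent; only this
    # HMAC chain, scoped to one date/region/service, is used to sign.
    key = _hmac(("AWS4" + secret).encode("utf-8"), date)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Keys sorted, keys and values percent-encoded per RFC 3986 ('/' -> %2F).
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def _signature(host, key, params, secret, amz_date, region):
    """Signature over everything the URL commits to: method, object path,
    query parameters (minus the signature itself) and the host header."""
    canonical_request = "\n".join([
        "GET",
        quote("/" + key, safe="/"),
        _canonical_query(params),
        f"host:{host}\n",    # canonical headers block, newline-terminated
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # a presigned URL does not commit to a body
    ])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region="us-east-1",
                expires=3600, now=None):
    """Build a presigned GET URL valid for `expires` seconds from `now` (epoch)."""
    now = int(time.time()) if now is None else int(now)
    amz_date = datetime.fromtimestamp(now, timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(host, key, params, secret, amz_date, region)
    return (f"https://{host}/{quote(key, safe='/')}?"
            f"{_canonical_query(params)}&X-Amz-Signature={sig}")


def verify_presigned(url, secret, now=None):
    """What the service does on receipt: enforce the validity window, then
    recompute the signature with the secret and compare in constant time."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    expires = int(params.get("X-Amz-Expires", "0"))
    issued = int(datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
                 .replace(tzinfo=timezone.utc).timestamp())
    if not 1 <= expires <= MAX_EXPIRES or not issued <= now <= issued + expires:
        return False  # outside the window: rejected even if the signature is right
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(parts.netloc, unquote(parts.path[1:]), params,
                          secret, params["X-Amz-Date"], region)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = presign_get("examplebucket", "test.txt", ACCESS_KEY, SECRET_KEY, expires=86400)
    print(url)
    print("valid now:", verify_presigned(url, SECRET_KEY))
```

The signature covers the method, the object path, the host and every X-Amz-* parameter, so changing the key, the expiry or the date invalidates the URL, and the holder cannot extend its life. Note what is not covered: once issued, the URL stays valid for its full window even if the IAM user who signed it later loses permission to the object only when its credentials are revoked, so short expiries and a dedicated low-privilege signing identity are the practical controls.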
Data Transfer – You can upload and download data to Amazon S3 over SSL/TLS-encrypted endpoints for maximum security. The encrypted endpoints are reachable both from the Internet and from within Amazon EC2, so data can be transferred securely within AWS and to and from sources outside AWS. The plain HTTP endpoints remain available as well, so a bucket that must only be reached over TLS needs a bucket policy that denies requests whose aws:SecureTransport condition key is false.
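The following is an added example, not from the original page or from AWS. It serves both the bucket-policy discussion above (a policy on a single bucket granting a principal in another AWS account read access to one prefix) and the transfer point just made (a Deny on aws:SecureTransport false), and it includes a deliberately simplified evaluator for a single bucket policy so that the explicit-deny-wins rule can be exercised against sample requests. The bucket name and partner account id are constructed; the evaluator models only the Bool condition operator and only the bucket policy, not the caller's IAM policies, SCPs, ACLs or Block Public Access.

```python
import json
from fnmatch import fnmatchcase

# Constructed identifiers: a hypothetical bucket and partner account id.
BUCKET = "examplebucket"
PARTNER_ACCOUNT = "111122223333"

# Bucket policy with two statements: a cross-account Allow limited to one
# prefix and one action, and a blanket Deny for any request that did not
# arrive over TLS (aws:SecureTransport is "false" for plain-HTTP requests).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PartnerReadSharedPrefix",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/shared/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def policy_json() -> str:
    """The document as you would pass it to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value) -> bool:
    # IAM wildcards: '*' and '?' inside Action and Resource strings.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn) -> bool:
    if principal == "*":
        return True
    return _any_match(principal.get("AWS", []), caller_arn)


def _condition_holds(condition, context) -> bool:
    # Only the Bool operator is modelled, which is all this policy needs.
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator}")
        for key, wanted in pairs.items():
            if str(context.get(key, "")).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policy, caller_arn, action, resource, context) -> str:
    """Simplified evaluation order for a single bucket policy: a matching
    explicit Deny wins over any Allow; no matching Allow means Deny."""
    allowed = False
    for statement in policy["Statement"]:
        applies = (_principal_matches(statement["Principal"], caller_arn)
                   and _any_match(statement["Action"], action)
                   and _any_match(statement["Resource"], resource)
                   and _condition_holds(statement.get("Condition"), context))
        if not applies:
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    print(policy_json())
    partner = f"arn:aws:iam::{PARTNER_ACCOUNT}:root"
    obj = f"arn:aws:s3:::{BUCKET}/shared/report.csv"
    print("TLS GET:  ", evaluate(BUCKET_POLICY, partner, "s3:GetObject", obj, {"aws:SecureTransport": True}))
    print("HTTP GET: ", evaluate(BUCKET_POLICY, partner, "s3:GetObject", obj, {"aws:SecureTransport": False}))
```

Two points the sample runs make concrete: the Deny statement applies to every principal, including the bucket owner's own users, so an HTTP request is refused even where an Allow matches; and for the partner account the bucket policy is only half of the grant, because an identity in that account also needs an IAM policy of its own that allows s3:GetObject on the resource.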
Data Storage – Amazon S3 provides multiple options for protecting data at rest. S3 can encrypt objects on the server side (SSE) with keys managed by S3 or by AWS KMS, or with a key you supply on each request. If you prefer to manage your own encryption, you can use a client-side encryption library such as the Amazon S3 Encryption Client to encrypt data before uploading it to Amazon S3, so that plaintext never leaves your environment.
Data Access – Data in Amazon Glacier can be accessed only by the account that owns the vault. To control access to that data within the account, use IAM to specify which users have rights to perform operations on a given vault.
AWS Snowball
AWS Snowball is a data transport service that accelerates moving terabytes to petabytes of data into and out of AWS using storage appliances designed to be secure for physical transport.
Data Transfer – When you use a standard AWS Snowball appliance to import data into Amazon S3, all data transferred to the appliance is protected by two layers of encryption:
- The first layer is applied in the memory of the local workstation, whether you use the Amazon S3 Adapter for AWS Snowball or the AWS Snowball client. It uses AES in Galois/Counter Mode (GCM) with 256-bit keys, and the keys are cycled for every 60 GB of data transferred.
- The second layer is SSL/TLS encryption of the connection carrying data onto or off of a standard AWS Snowball appliance.
Note – AWS Snowball uses server-side encryption (SSE) to protect data at rest.