Profile Applicability:
- Level 2
Description:
Amazon Simple Storage Service (S3) is a scalable, durable, and low-cost object storage service that provides web services to store and retrieve data. It allows you to manage objects in a highly available and secure manner. S3 is designed for a wide range of use cases including backup, archiving, content distribution, data lakes, and hosting static websites.
Rationale:
Configuring and managing S3 properly ensures:
• Secure and efficient storage for large amounts of data
• High availability and durability of stored objects
• Ease of integration with other AWS services and third-party tools
• Granular access control, encryption, and lifecycle management for sensitive data
Default Value:
By default, S3 buckets do not have any special access control or lifecycle configuration. Public access is blocked unless specifically allowed, and objects are stored in the Standard storage class.
Impact:
Pros:
• Highly scalable, cost-efficient, and durable storage solution
• Easy integration with AWS services such as Lambda, Athena, and CloudFront
• Granular access control for objects and buckets
• Supports lifecycle management, versioning, and encryption
Cons:
• Potential for high costs when storing large amounts of data or transferring data frequently
• Security misconfigurations may expose sensitive data
• Lifecycle rules or policies must be carefully managed to avoid unintended deletions
Pre-requisites:
IAM Permissions Required:
s3:CreateBucket, s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject
IAM roles and bucket policies configured based on access control requirements
Remediation:
Test Plan:
Using AWS Console:
• Log in to the AWS Management Console
• Navigate to S3 > Buckets
• Ensure that buckets are created with the required configuration settings, including:
  - Versioning, Encryption, and Public Access settings
  - Lifecycle rules and tags configured correctly
• Test by uploading, downloading, and deleting an object
• Review Bucket policy and IAM roles to ensure proper access control
Using AWS CLI:
aws s3 ls
aws s3 cp testfile.txt s3://<bucket-name>/testfile.txt
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api put-bucket-versioning \
  --bucket <bucket-name> \
  --versioning-configuration Status=Enabled
Implementation Plan:
Using AWS Console:
• Navigate to S3 > Buckets and create a new bucket
• Configure settings such as Versioning, Logging, Bucket Policy, Encryption
• Apply Lifecycle policies to manage data transitions and expirations
• Set appropriate IAM permissions for users or roles that need access
• Test data upload, retrieval, and deletion operations
Using AWS CLI:
Step 1: Create a new bucket
aws s3 mb s3://<bucket-name>
Step 2: Enable versioning on the bucket
aws s3api put-bucket-versioning \
  --bucket <bucket-name> \
  --versioning-configuration Status=Enabled
Step 3: Set up encryption
aws s3api put-bucket-encryption \
  --bucket <bucket-name> \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" }
    }]
  }'
Step 4: Upload an object
aws s3 cp testfile.txt s3://<bucket-name>/testfile.txt
Step 5: Set a lifecycle policy
aws s3api put-bucket-lifecycle-configuration \
  --bucket <bucket-name> \
  --lifecycle-configuration '{
    "Rules": [{
      "ID": "ArchiveOldFiles",
      "Prefix": "",
      "Status": "Enabled",
      "Transitions": [{ "Days": 30, "StorageClass": "GLACIER" }]
    }]
  }'
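As an added example that is not part of this guide, the following Python function evaluates the JSON returned by `aws s3api get-bucket-versioning`, `get-bucket-encryption`, `get-public-access-block` and `get-bucket-lifecycle-configuration` against the settings the Test Plan checks and Steps 2 to 5 apply. The sample responses are constructed, and the function and bucket names are hypothetical.

```python
# Public Access Block flags that must all be true for a bucket to pass (assumed checklist).
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(versioning, encryption, public_access_block, lifecycle):
    """Return a list of findings for one bucket; an empty list means it meets the guide.

    Each argument is the parsed JSON of the matching `aws s3api get-bucket-*` call.
    Pass an empty dict where the CLI returned a NoSuch... error (nothing configured).
    """
    findings = []
    # get-bucket-versioning omits "Status" entirely when versioning was never enabled.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not Enabled")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algorithms & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption rule")
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public access block flag {flag} is off")
    if not any(r.get("Status") == "Enabled" for r in lifecycle.get("Rules", [])):
        findings.append("no enabled lifecycle rule")
    return findings


# Constructed sample responses: one bucket configured per Steps 2-5, one with nothing set.
SAMPLE_BUCKETS = {
    "hardened-bucket": dict(
        versioning={"Status": "Enabled", "MFADelete": "Disabled"},
        encryption={"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        public_access_block={"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
        lifecycle={"Rules": [{"ID": "ArchiveOldFiles", "Prefix": "", "Status": "Enabled",
                              "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]}]},
    ),
    "unconfigured-bucket": dict(versioning={}, encryption={}, public_access_block={}, lifecycle={}),
}


def audit_samples():
    """Run the audit over the constructed samples; returns {bucket_name: findings}."""
    return {name: audit_bucket(**cfg) for name, cfg in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "OK" if not findings else findings)
```

To audit a real bucket, feed the function the output of the four `aws s3api get-*` calls above (parsed with `json.loads`), substituting an empty dict for any call that fails with a NoSuch... error.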
Backout Plan:
Using AWS Console:
- Delete any Bucket policy or IAM permissions that were wrongly configured
- Disable Versioning, Encryption, or other configurations if incorrectly set
- Remove or modify Lifecycle rules as necessary
Using AWS CLI:
aws s3api delete-bucket-lifecycle \
  --bucket <bucket-name>
aws s3api delete-bucket-encryption \
  --bucket <bucket-name>
References:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html
- https://docs.aws.amazon.com/cli/latest/reference/s3api/index.html
- https://aws.amazon.com/s3/