S3 Features

S3 Access Logs

  • For audit purposes, you may want to log all access to S3 buckets.

  • Any request made to the bucket, from any account, whether authorized or denied, is logged to another S3 bucket.

  • The data obtained can be analyzed using Athena or other analysis tools.

  • The target logging bucket must be in the same AWS region as the bucket being logged.

  • The format of the log can be found here.

  • Do not set the logging bucket to be the same as the bucket being monitored, as this creates a recursive loop (each log write is itself logged) and the bucket will grow exponentially.
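The notes above say the access logs can be analyzed with Athena or other tools; for quick triage you do not need Athena. The following is an added example (not part of the original notes, and not AWS code) that parses S3 server access log lines with the Python standard library and pulls out the entries a defender cares about: denied requests, unauthenticated ("-") requesters, and destructive operations. The three log lines are constructed for this example; the owner IDs, request IDs, host IDs and bucket name are placeholders. The field order follows the published S3 server access log format, and the parser tolerates older lines that lack the fields AWS appended later.

```python
import re
from datetime import datetime

# Field names of the S3 server access log format, in on-the-wire order.
# Newer fields were appended over time, so older lines may be shorter.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "authentication_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]

# One token is a [bracketed timestamp], a "quoted string", or a bare word.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample log (not real log data): a successful authenticated GET,
# an anonymous GET that was denied, and an authenticated DELETE.
SAMPLE_LOG = """\
ownerEXAMPLE example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 9 "-" "aws-cli/2.0.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - -
ownerEXAMPLE example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 9D2B1E4C7EXAMPLE REST.GET.OBJECT internal/config.json "GET /internal/config.json HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.68.0" - hostidEXAMPLE= - - QueryString example-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - -
ownerEXAMPLE example-bucket [06/Feb/2019:00:02:15 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 7C4A2F9B1EXAMPLE REST.DELETE.OBJECT reports/q1.csv "DELETE /reports/q1.csv HTTP/1.1" 204 - - 2048 8 - "-" "aws-cli/2.0.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - -
"""


def parse_line(line):
    """Parse one access log line into a dict keyed by FIELDS. '-' becomes None."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < 18:  # the original format had 18 fields; anything shorter is corrupt
        raise ValueError(f"malformed access log line: {line!r}")
    record = dict.fromkeys(FIELDS)
    for name, tok in zip(FIELDS, tokens):
        if (tok.startswith("[") and tok.endswith("]")) or (tok.startswith('"') and tok.endswith('"')):
            tok = tok[1:-1]
        record[name] = None if tok == "-" else tok
    record["time"] = datetime.strptime(record["time"], "%d/%b/%Y:%H:%M:%S %z")
    record["http_status"] = int(record["http_status"])
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_denied(records):
    """Requests S3 rejected: useful for spotting probing of a bucket."""
    return [r for r in records if r["http_status"] in (401, 403) or r["error_code"] == "AccessDenied"]


def find_anonymous(records):
    """Requests with no authenticated requester (public or pre-signed access)."""
    return [r for r in records if r["requester"] is None]


def find_destructive(records):
    """DELETE operations, the ones MFA Delete is meant to protect."""
    return [r for r in records if r["operation"] and r["operation"].startswith("REST.DELETE.")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in find_denied(recs):
        print("DENIED", r["time"].isoformat(), r["remote_ip"], r["operation"], r["key"])
    for r in find_destructive(recs):
        print("DELETE", r["time"].isoformat(), r["requester"], r["key"])
```

Note that the requester column is "-" for anonymous requests and also for requests made with a pre-signed URL, so reviewing anonymous hits alongside 403s is a quick way to see who is probing a bucket that is supposed to be private.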

MFA Delete

  • All destructive operations (permanently deleting an object version, and suspending versioning on the bucket) must be authenticated using an MFA device.

  • To use MFA Delete, versioning must be enabled on the bucket.

  • Only the bucket owner (signed in as the account root user) can enable or disable MFA Delete.

  • As of now, only the AWS CLI can be used to enable this feature.

    • The command is:

        aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=[Enabled|Disabled] --mfa "<arn of mfa device> <mfa-code>" --profile <aws-profile-name>

Signed URL

  • Suppose a user wants to make an object in S3 accessible to others without making the object public. The user can generate a pre-signed URL and share it.

  • A user without access to the bucket, but holding a pre-signed URL, temporarily inherits the permissions of the bucket-authorized user who generated the URL, allowing a GET or PUT request on that S3 object.

  • Doing so makes a file accessible without making it public and without compromising security.

  • The URL has an expiration time and can be used only within that period.

URL Generation

  • Can be generated using AWS CLI, Console or SDK.

URL Expiration

  • S3 Console

    • It can be in the range of 1 minute to 12 hours.

  • CLI

    • It can be in the range of 1 minute to 168 hours.

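To make concrete what a pre-signed URL is and why it "inherits" the generator's permissions, here is an added example (not part of the original notes, not boto3 and not the AWS CLI) that builds an S3 SigV4 query-string pre-signed GET URL with only the Python standard library, and a matching check that mirrors what the service does on receipt: recompute the signature from the URL's own parameters with the secret key and reject the URL if the signature does not match or the X-Amz-Expires window has passed. The 168 hour ceiling from the CLI limits above is enforced at generation time. The bucket name, region, access key ID and secret are constructed placeholders, and the helper names are this example's own.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# 168 hours (7 days): the longest expiry a SigV4 pre-signed URL may carry.
MAX_EXPIRY_SECONDS = 168 * 3600


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    # SigV4 key derivation: AWS4+secret -> date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _canonical_query(params):
    # Names and values percent-encoded (slashes included), sorted by name.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(secret, region, host, path, params, amz_date):
    date = amz_date[:8]
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/"),       # canonical URI
        _canonical_query(params),    # canonical query string (without the signature)
        f"host:{host}\n",            # canonical headers block, newline-terminated
        "host",                      # signed headers
        "UNSIGNED-PAYLOAD",          # pre-signed S3 URLs never hash the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key_id, secret, expires, now=None):
    """Build a pre-signed GET URL. The signer's identity and permissions travel in X-Amz-Credential."""
    if not 1 <= expires <= MAX_EXPIRY_SECONDS:
        raise ValueError(f"expiry must be between 1 and {MAX_EXPIRY_SECONDS} seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret, region, host, path, params, amz_date)
    return f"https://{host}{quote(path, safe='/')}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret, now=None):
    """Receiver-side check: not expired, and signature recomputes with the signer's secret."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    region = params["X-Amz-Credential"].split("/")[2]
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if (now - signed_at).total_seconds() > int(params["X-Amz-Expires"]):
        return False  # past X-Amz-Expires: the URL is dead even though the signature is intact
    expected = _signature(secret, region, parts.netloc, unquote(parts.path), params, amz_date)
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign a URL at a fixed time and exercise the checks; returns the outcomes."""
    signed_at = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    secret = "wJalrXUtnFEMI/EXAMPLEKEY"  # constructed placeholder, not a real key
    url = presign_get("example-bucket", "reports/q1.csv", "us-east-1", "AKIAIOSFODNN7EXAMPLE", secret, 3600, now=signed_at)
    return {
        "url": url,
        "valid_within_window": verify_presigned_get(url, secret, now=signed_at + timedelta(minutes=30)),
        "rejected_after_expiry": not verify_presigned_get(url, secret, now=signed_at + timedelta(hours=2)),
        "rejected_wrong_secret": not verify_presigned_get(url, "not-the-secret", now=signed_at),
        "rejected_other_key": not verify_presigned_get(url.replace("q1.csv", "q2.csv"), secret, now=signed_at),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two things worth noticing from the code: the object key, expiry and signer identity are all inputs to the signature, so changing any of them (for instance editing the key in the URL to reach a different object) invalidates it; and the expiry is only as long as the signer's credentials remain valid, since the service re-derives the signing key from that access key on every request.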
Access Points

  • Access points simplify security management of S3 buckets.

  • Each one is basically an access point policy (similar to a bucket policy) that grants the correct permissions to the correct bucket or prefix.

  • Each access point has its own DNS name.

  • An access point can be restricted so that it is reachable only from within a VPC, using a VPC endpoint.

    • First, create a VPC endpoint (Gateway or Interface endpoint) through which the access point is reached.

    • Second, the VPC endpoint policy must allow access to both the target bucket and the access point.

S3 Object Lambda

  • This allows the object to be transformed before it is returned to the calling application.

  • This enables use cases such as redacting or enriching an existing S3 object at retrieval time.
