S3 Features

PreviousS3 Encryption NextS3 Bucket Policy and IAM Policy

Last updated 4 months ago

S3 Features

S3 Access Logs

For audit purpose, you may want to log all access to S3 buckets.
Any request made to S3, from any account, authorized/denied will be logged into another S3 bucket.
The data obtained can be analyzed using Athena or other analysis tools.
The target logging bucket must also be in the same region.
The format of log can be found .
Do not set loggin bucket to be same as bucket being monitored, as this will create a recursive loop and bucket will grow exponentially.

MFA Delete

All destructive operation must be authenticated using MFA device.
To use MFA Delete, versioning must be enabled on the bucket.
Only the bucket owner, can enable/disable MFA Delete.

Only AWS CLI can be used to enable this feature as of now.

Command is,

    aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=[Enabled|Disabled] --mfa "<arn of mfa device> <mfa-code>" --profile <aws-profile-name>

Signed URL

Suppose a user want to make an object in S3 publicly accessible without make the object public. Then the user can generate a pre signed url and share with others.
User without access to the bucket but access with pre-singed URL inherit temporarily the permissions of the user with S3 bucket access who generated the pre-signed URL, allowing GET or PUT request on an S3 object.
Doing so makes a file accessible without making the file public or security compromises.
This URL has an expiration time and can be accessed only within that time period.

URL Generation

Can be generated using AWS CLI, Console or SDK.

URL Expiration

S3 Console
- It can be in range of 1 min to 12 hours.
CLI
- It can be in range of 1 min to 168 hours.

Access Points

It simplifies security management of S3 buckets.
Its basically an access point policy (similar to bucket policy) which will grant correct permission to correct bucket or prefix.
Each access points have its own DNS name.
Can define access point to be accessible only from within the VPC, using VPC Endpoint.
- Firstly, create a VPC endpoint to access the Access Point (Gateway or Interface Endpoint).
- Secondly, VPC Endpoint policy must allow access to the target bucket and Access Point.

S3 Object Lambda

This allows to change the object before it is retrieved by the caller application.

References

PreviousS3 Encryption NextS3 Bucket Policy and IAM Policy

Last updated 4 months ago

S3 Access Logs

For audit purpose, you may want to log all access to S3 buckets.
Any request made to S3, from any account, authorized/denied will be logged into another S3 bucket.
The data obtained can be analyzed using Athena or other analysis tools.
The target logging bucket must also be in the same region.
The format of log can be found .
Do not set loggin bucket to be same as bucket being monitored, as this will create a recursive loop and bucket will grow exponentially.

MFA Delete

All destructive operation must be authenticated using MFA device.
To use MFA Delete, versioning must be enabled on the bucket.
Only the bucket owner, can enable/disable MFA Delete.

Only AWS CLI can be used to enable this feature as of now.

Command is,

    aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=[Enabled|Disabled] --mfa "<arn of mfa device> <mfa-code>" --profile <aws-profile-name>

Signed URL

Suppose a user want to make an object in S3 publicly accessible without make the object public. Then the user can generate a pre signed url and share with others.
User without access to the bucket but access with pre-singed URL inherit temporarily the permissions of the user with S3 bucket access who generated the pre-signed URL, allowing GET or PUT request on an S3 object.
Doing so makes a file accessible without making the file public or security compromises.
This URL has an expiration time and can be accessed only within that time period.

URL Generation

Can be generated using AWS CLI, Console or SDK.

URL Expiration

S3 Console
- It can be in range of 1 min to 12 hours.
CLI
- It can be in range of 1 min to 168 hours.

Access Points

It simplifies security management of S3 buckets.
Its basically an access point policy (similar to bucket policy) which will grant correct permission to correct bucket or prefix.
Each access points have its own DNS name.
Can define access point to be accessible only from within the VPC, using VPC Endpoint.
- Firstly, create a VPC endpoint to access the Access Point (Gateway or Interface Endpoint).
- Secondly, VPC Endpoint policy must allow access to the target bucket and Access Point.

S3 Object Lambda

This allows to change the object before it is retrieved by the caller application.
This allows for use case such as redact or enrich existing S3 object while retrieval.