S3 Features

S3 Access Logs

• For audit purpose, you may want to log all access to S3 buckets.

• Any request made to S3, from any account, authorized/denied will be logged into another S3 bucket.

• The data obtained can be analyzed using AWS Athena or other analysis tools.

• The target logging bucket must also be in the same region.

• The format of log can be found here.

• Do not set loggin bucket to be same as bucket being monitored, as this will create a recursive loop and bucket will grow exponentially.

MFA Delete

• All destructive operation must be authenticated using MFA device.

• To use MFA Delete, versioning must be enabled on the bucket.

• Only the bucket owner, can enable/disable MFA Delete i.e root account.

• Only AWS CLI can be used to enable or disable this feature as of now.

  • Command is,

      aws s3api put-bucket-versioning --bucket <bucket-name> --versioning-configuration Status=Enabled,MFADelete=[Enabled|Disabled] --mfa "<arn of mfa device> <mfa-code>" --profile <aws-profile-name>

Signed URL

• Suppose a user want to make an object in S3 publicly accessible without make the object public. Then the user can generate a pre signed url and share with others.

• User without access to the bucket but access with pre-singed URL inherit temporarily the permissions of the user with S3 bucket access who generated the pre-signed URL, allowing GET or PUT request on an S3 object.

• Doing so makes a file accessible without making the file public or security compromises.

• This URL has an expiration time and can be accessed only within that time period.

URL Generation

• Can be generated using AWS CLI, Console or SDK.

URL Expiration

• S3 Console

  • It can be in range of 1 min to 12 hours.

• CLI

  • It can be in range of 1 min to 168 hours.

---

Access Points

• It simplifies security management of S3 buckets at scale.

• Its basically an access point policy (similar to bucket policy) which will grant correct permission to correct bucket or prefix.

• Each access points have its own DNS name.

• Can define access point to be accessible only from within the VPC, using VPC Endpoint.

  • Firstly, create a VPC endpoint to access the Access Point (Gateway or Interface Endpoint).

  • Secondly, VPC Endpoint policy must allow access to the target bucket and Access Point.

S3 Object Lambda

• This allows to change the object before it is retrieved by the caller application.

• This allows for use case such as redact or enrich existing S3 object while retrieval.

References

• S3 Lambda Object Access Points