CoursesAWS security engineeringData protection & encryption

S3 data protection

Block Public Access, TLS/encryption policies, Object Lock.

Advanced30 min · lesson 8 of 15

S3 is where most AWS data breaches happen, and almost always through misconfiguration rather than a broken control. The defenses are layered and, applied together, make an accidental public object nearly impossible.

Block Public Access is the backstop

Account-level Block Public Access overrides any bucket ACL or policy that would grant public access — turn it on for the whole account so a single misconfigured bucket cannot leak. Below it, prefer bucket policies over legacy ACLs (disable ACLs entirely with Object Ownership = BucketOwnerEnforced), and write policies that require TLS (aws:SecureTransport) and the expected encryption on every put.

a bucket policy that enforces TLS + encryption
{
"Version": "2012-10-17",
"Statement": [
{ "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
"Action": "s3:*", "Resource": ["arn:aws:s3:::acme-data","arn:aws:s3:::acme-data/*"],
"Condition": { "Bool": { "aws:SecureTransport": "false" } } },
{ "Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
"Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-data/*",
"Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } } }
]
}

Encryption, cost, and integrity

SSE-KMS gives you governance SSE-S3 cannot — key policy, decrypt audit, revocation — and S3 Bucket Keys cut the KMS request cost by reducing per-object calls. For data that must never be silently altered, enable Object Lock (WORM) with a retention period; it is also what makes a bucket a trustworthy audit-log sink. VPC gateway endpoints keep S3 traffic off the public internet, and access-point policies scope access per application without one giant bucket policy.

Layered S3 data protection
access
account Block Public Access
overrides risky ACLs/policies
BucketOwnerEnforced
ACLs off, policy-only
confidentiality
SSE-KMS + Bucket Keys
controlled keys, lower cost
TLS-required policy
no plaintext transport
integrity
Object Lock (WORM)
tamper-proof retention
Macie
find sensitive data at scale
Each layer is cheap alone and compounding together — the public-object mistake becomes structurally hard to make.
A deleted-and-recreated public object may already be gone
By the time you notice a public bucket, assume the data has been indexed or copied. Turn on account Block Public Access proactively — it is the one setting that turns "one wrong ACL" from a breach into a no-op.