{
	"id": "c0c84f26-5d7b-4ec6-abba-b54f2dfa4c12",
	"created_at": "2026-04-06T00:15:56.253253Z",
	"updated_at": "2026-04-10T03:21:17.765373Z",
	"deleted_at": null,
	"sha1_hash": "fb5881ca7b0bb434e56c3d8abcb17297f12119e5",
	"title": "How do I secure the files in my Amazon S3 bucket?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62416,
	"plain_text": "How do I secure the files in my Amazon S3 bucket?\r\nBy AWS Official\r\nPublished: 2017-07-25 · Archived: 2026-04-05 21:16:57 UTC\r\nI want to secure my Amazon S3 bucket with access restrictions, resource monitoring, and data encryption to\r\nprotect my files and meet security best practices.\r\nResolution\r\nFirst, identify whether your Amazon S3 bucket type is general purpose, directory, or table. Then, choose the\r\nsecurity measures and monitoring services that align with your bucket type.\r\nRestrict access to your S3 resources\r\nBy default, all S3 buckets are private. Only the users who you explicitly grant bucket permissions to can access\r\nthe bucket.\r\nTo restrict access to your S3 buckets or objects, take the following actions:\r\nUse identity-based policies that specify the users who can access specific buckets and objects. To create\r\nand test user policies, use the AWS Policy Generator and IAM policy simulator.\r\nUse bucket policies that define access to specific buckets and objects. Use a bucket policy to grant access\r\nacross AWS accounts, grant public or anonymous permissions, and allow or block access based on\r\nconditions.\r\nNote: You can use a Deny statement in a bucket policy to restrict access to specific AWS Identity and\r\nAccess Management (IAM) users even when you granted access to the users in an IAM policy.\r\nUse Amazon S3 Block Public Access as a centralized way to limit public access. Block Public Access\r\nsettings override bucket policies and object permissions. Be sure to turn on Block Public Access for all\r\naccounts and buckets that you don't want publicly accessible. Amazon S3 turns on Block Public Access by\r\ndefault for all new accounts and buckets. Turn off the feature only when you explicitly require public\r\naccess to your S3 resources. 
If you turn off Block Public Access on a bucket, then regularly audit the\r\nbucket.\r\nSet access control lists (ACLs) on your buckets and objects.\r\nNote: If you must programmatically manage permissions, then use IAM policies or bucket policies instead\r\nof ACLs. However, you can use ACLs when your bucket policy exceeds the 20 KB maximum file size. Or,\r\nyou can use ACLs to grant access for Amazon S3 server access logs or Amazon CloudFront logs.\r\nUse service control policies (SCPs) to centrally manage and enforce S3 security policies across all accounts\r\nin your organization.\r\nAt the network level, restrict access with virtual private cloud (VPC) endpoints, IP address-based\r\nrestrictions in bucket policies, and AWS PrivateLink for S3. VPC endpoints allow private access to\r\nAmazon S3 without internet access.\r\nhttps://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/\r\nPage 1 of 3\n\nUse S3 Access Points to simplify security management for buckets that multiple applications or teams\r\naccess.\r\nImplement S3 Object Lock so that users can't delete or overwrite objects within a specified time frame.\r\nIf you use ACLs to secure your resources, then implement the following best practices:\r\nReview ACL permissions that allow Amazon S3 actions on a bucket or an object. \r\nRestrict who gets Read and Write access to your buckets.\r\nGrant Read access to the Everyone group only when you want everyone to access the bucket or object.\r\nDon't grant Write access to the Everyone group. Anyone who has write access can add objects to your\r\nbucket, and AWS charges you for every uploaded object. Also, anyone with write access can delete objects\r\nin the bucket.\r\nDon't grant Write access to the Any authenticated AWS user group because it includes anyone with an\r\nactive account. To control access for IAM users on your account, use an IAM policy instead. 
For more\r\ninformation about how Amazon S3 evaluates IAM policies, see How Amazon S3 authorizes a request.\r\nFor new buckets, Amazon S3 sets S3 Object Ownership to Bucket owner enforced by default. This turns\r\noff ACLs. To maintain full control over all objects, it's a best practice to turn off ACLs and use bucket\r\npolicies and IAM policies for access control.\r\nYou can also restrict access to specific actions in the following ways:\r\nTo require users to use multi-factor authentication before they can delete an object or turn off bucket\r\nversioning, configure MFA delete.\r\nSet up MFA-protected API access so that users must authenticate with an AWS MFA device before they call\r\ncertain Amazon S3 API operations.\r\nIf you temporarily share an S3 object with another user, then create a presigned URL to grant time-limited\r\naccess to the object.\r\nMonitor your S3 resources\r\nTo turn on logging and monitor your S3 resources, take the following actions:\r\nActivate AWS CloudTrail logging for objects in a bucket. By default, CloudTrail monitors only bucket-level actions. To monitor object-level actions, such as GetObject, log data events. For examples of data\r\nevents, see Examples: Logging data events for Amazon S3 objects.\r\nTurn on Amazon S3 server access logging. For information about how to review server access logs, see\r\nAmazon S3 server access log format.\r\nUse AWS Config to monitor bucket ACLs and bucket policies for violations that allow public read or write\r\naccess. 
For more information, see s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited.\r\nUse IAM Access Analyzer to review bucket or IAM policies that grant access to your S3 resources from\r\nanother account.\r\nTurn on Amazon Macie to automate the identification of sensitive data that's stored in your buckets, broad\r\naccess to your buckets, and unencrypted buckets in your account.\r\nUse CloudTrail with other AWS services to invoke specific processes when you take specific actions on\r\nyour S3 resources. For example, you can use Amazon EventBridge to log S3-object level operations.\r\nUse the S3 bucket permissions check from AWS Trusted Advisor to notify you about buckets with open\r\naccess permissions. For more information, see the AWS Trusted Advisor check reference.\r\nUse encryption to protect your data\r\nIf you require encryption during transmission, then use HTTPS protocol to encrypt data in transit to and from\r\nAmazon S3. All AWS SDKs and AWS tools use HTTPS by default.\r\nNote: If you use third-party tools to interact with Amazon S3, then contact the third-party company to confirm\r\nthat their tools also support the HTTPS protocol.\r\nIf you require encryption for data at rest, then use the server-side encryption (SSE) options Amazon S3 managed\r\nkeys (SSE-S3), AWS Key Management Service (AWS KMS) keys (SSE-KMS), or customer-provided keys (SSE-C). SSE provides an additional layer of protection and detailed audit trails through CloudTrail. You can specify the\r\nSSE parameters when you write objects to the bucket. 
You can also turn on default encryption on your bucket with\r\nSSE-S3 or SSE-KMS.\r\nNote: Amazon S3 automatically turns on SSE-S3 for all new buckets.\r\nIf you require client-side encryption, then see Protecting data by using client-side encryption.\r\nRelated information\r\nIdentity and access management in Amazon S3\r\nData protection in Amazon S3\r\nHow do I require users from other AWS accounts to use MFA to access my Amazon S3 buckets?\r\nHow do I see who accessed my Amazon S3 buckets and objects?\r\nSource: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/"
	],
	"report_names": [
		"secure-s3-resources"
	],
	"threat_actors": [],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb5881ca7b0bb434e56c3d8abcb17297f12119e5.pdf",
		"text": "https://archive.orkl.eu/fb5881ca7b0bb434e56c3d8abcb17297f12119e5.txt",
		"img": "https://archive.orkl.eu/fb5881ca7b0bb434e56c3d8abcb17297f12119e5.jpg"
	}
}