
AWS S3 Security: Getting More Secure Data Storage on Amazon S3

Amazon S3 (Amazon Simple Storage Service) is an object storage service with a web interface provided by Amazon Web Services (AWS). As one of the first cloud storage offerings, the service is immensely popular. But what are AWS S3 security capabilities? Is the immense amount of data that thousands of enterprises store there inherently safe?

In this article we’ll describe the challenges of providing proper AWS S3 security and how that can be achieved with the help of features such as Amazon S3 encryption, the AWS Policy Generator, and NetApp® Cloud Compliance for AWS S3 buckets, all of which can help ensure the security and compliance of the data in your AWS S3 buckets.

What Is AWS S3 Security All About?

Why should security play a crucial role when it comes to storing data in Amazon S3? Clients from different business sectors can use AWS S3 solutions for various reasons, such as collecting and securing large amounts of data used by and for websites, backups, archives, IoT devices, and big data analysis.

In Amazon S3, the customer is responsible for managing S3 buckets and the data transferred to and stored in them. Under AWS's shared responsibility model, AWS is responsible for the network, the physical hardware, and the availability of the S3 service. AWS does not guarantee that the data you keep in S3 is secure. That means security-relevant mistakes that could cause Amazon S3 data to be lost, and any compliance violations that result from that loss, are entirely the user's responsibility.

What steps can you take to help secure your AWS S3 buckets? Let’s take a closer look below.

Keep Your Guard Up

The first step to a more secure S3 deployment is to limit access to S3 data. Reducing the number of people and systems that can reach the data store is one of the most beneficial things you can do for security: restrict each bucket so that only the privileged users who genuinely need the data in it can access it.

After setting up an AWS account and creating an S3 bucket, the first thing you should do is create an access key (an access key ID and its secret access key). This gives you a safer way to reach the account later and to adjust the service's security-related settings.

The next important thing to do is to set up a way to continuously monitor your S3 resources. This is not only relevant to security; it is also an essential part of maintaining the robustness and performance of the service, since monitoring data makes debugging easier, especially when several components fail at once. There are several helpful techniques for tracking activity in your buckets and objects, such as configuring AWS CloudTrail logs and enabling Amazon S3 server access logging.
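The S3 server access logs mentioned above are space-separated lines in which bracketed timestamps and quoted strings count as single fields. The following parser and triage rules are an added example (not code from the article or from NetApp) run over a few constructed log lines with placeholder account and request IDs; they flag anonymous requests, denied requests, and ACL changes, which are the entries a defender reviews first.

```python
import re

# Tokenizer for S3 server access log lines: a bracketed timestamp or a
# quoted string is one field, everything else splits on whitespace.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Names for the leading positional fields of the server access log format.
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent", "version_id")

# Constructed sample lines (placeholder IDs, documentation IP ranges).
SAMPLE_LOG = [
    'OWNEREXAMPLE my-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 OWNEREXAMPLE REQ1EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /my-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 9 "-" "aws-cli/2.0" -',
    'OWNEREXAMPLE my-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - REQ2EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /my-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 15 10 "-" "curl/7.68.0" -',
    'OWNEREXAMPLE my-bucket [06/Feb/2019:00:01:30 +0000] 198.51.100.7 - REQ3EXAMPLE '
    'REST.GET.OBJECT internal/config.json "GET /my-bucket/internal/config.json HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.68.0" -',
]

def parse_line(line):
    """Return a dict of named fields for one access log line."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    return dict(zip(FIELDS, tokens))

def flag_entry(entry):
    """Return the findings a reviewer would want to see for one entry."""
    findings = []
    if entry["requester"] == "-":  # "-" means an unauthenticated (anonymous) request
        findings.append("anonymous access to %s/%s" % (entry["bucket"], entry["key"]))
    if entry["http_status"] == "403":  # denials hint at probing or a broken permission set
        findings.append("access denied (%s) from %s" % (entry["error_code"], entry["remote_ip"]))
    if entry["operation"].startswith("REST.PUT") and "ACL" in entry["operation"]:
        findings.append("ACL change by %s on %s" % (entry["requester"], entry["key"]))
    return findings

def scan(lines):
    """Pair each finding with the request ID so it can be traced in CloudTrail."""
    return [(e["request_id"], f) for e in map(parse_line, lines) for f in flag_entry(e)]

if __name__ == "__main__":
    for request_id, finding in scan(SAMPLE_LOG):
        print(request_id, finding)
```

Feeding real log objects through `scan` line by line gives a first-pass list of anonymous reads and denied requests to correlate with the bucket's permission changes.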

Never Show Raw Data

In the data encryption process, data is transformed from its raw form into an encoded form without losing information; afterwards only authorized entities can read it. Data encryption helps protect data against theft and other security threats.

What kinds of data are most exposed to risk? That is a big part of the challenge. Sensitive data is being collected all the time through many cloud-based services, such as Office 365 and Google Drive. Personally identifiable information (PII), protected health information (PHI), financial and payment data, and other confidential data can all be put at serious risk if your bucket security is lax for any reason. That puts you in direct violation of the growing number of data privacy regulations being enacted around the world today, such as GDPR and CCPA.

AWS offers several types of data encryption for AWS S3. The Amazon S3 encryption options include:

  • AWS S3 SSE-S3 Encryption: AWS manages the key on the client's behalf, which means you must trust Amazon with it. There is no way to inspect the key or encrypt data with it directly. The raw data is encrypted using AWS's standard methods.
  • AWS S3 SSE-C Encryption: S3 performs the encryption and decryption for you, but the key supplied by the client is used with each encryption or decryption request. In this approach Amazon does not store the key, so the client must keep it safe.
  • AWS S3 Client Side Encryption: In this case, all responsibility for encryption rests with the user. The user performs the encryption operations inside their own data center, and the already-encrypted data is then pushed straight to AWS.

AWS Policy Generator

The next service to consider when looking to increase Amazon S3 security is the AWS Policy Generator. Using this generator makes the process of writing policy documents for Amazon S3 much easier.

Policies are objects in AWS that, together with the identity of the user and the resource, define permissions. Permissions in turn determine whether a user's request is allowed or denied. This tool lets users build policies that manage access to several AWS products and resources, including Amazon S3. All the user has to do is select the type of policy to create.

The whole process has only three steps: selecting a policy type, adding statement(s), and generating the policy. At the end, the policy is ready to copy and paste into a text file, which you can then use with API calls or command-line tools as needed.
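The following is an added example, not code from the article or from the Policy Generator itself: it shows a generated bucket policy in a weak form and a hardened form that applies the access-limiting point from "Keep Your Guard Up" and the encryption point from "Never Show Raw Data", plus a small static check to run before pasting a policy into a bucket. The bucket and role ARNs are placeholders.

```python
import json

BUCKET = "arn:aws:s3:::example-bucket"            # placeholder bucket ARN
ROLE = "arn:aws:iam::111122223333:role/AppRole"    # placeholder IAM role ARN

# Weak form: the Allow with Principal "*" and no Condition makes every object public.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    ],
}

# Hardened form: only the named role reads or writes, transport must be TLS, and
# uploads must request SSE-S3 or SSE-KMS. SSE-C uploads send a different header
# (x-amz-server-side-encryption-customer-algorithm), so adjust the last Deny if you use it.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

def _is_wildcard(principal):
    return principal == "*" or principal == {"AWS": "*"}

def audit_policy(policy):
    """Static checks a reviewer applies to a generated policy; returns findings."""
    findings, has_tls_deny, has_sse_deny = [], False, False
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        if stmt["Effect"] == "Allow" and _is_wildcard(stmt.get("Principal")) and not cond:
            findings.append("%s: Allow to everyone (public access)" % stmt.get("Sid", "?"))
        if stmt["Effect"] == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            has_tls_deny = True
        if stmt["Effect"] == "Deny" and "s3:x-amz-server-side-encryption" in cond.get("Null", {}):
            has_sse_deny = True
    if not has_tls_deny:
        findings.append("no statement denies non-TLS (aws:SecureTransport=false) access")
    if not has_sse_deny:
        findings.append("no statement denies uploads without server-side encryption")
    return findings

if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))  # ready to paste into put-bucket-policy
    print(audit_policy(WEAK_POLICY))
```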

Using Machine Intelligence To Protect Sensitive Data

While it’s true that there are a number of different AWS S3 encryption options to keep your data stored there safe, when it comes to sensitive data and security-related issues, the more aware you are of the data, the better.

One way you can increase your data awareness is by making sure that you have a way to tell where your most sensitive data is stored. Pinpointing where this kind of data resides will not only help you protect that data, but also make it easier for you to comply with new data privacy regulations such as GDPR, which have completely transformed the way that companies are obligated to maintain sensitive data. It is crucial to start mapping private data in a more refined manner now.

Manually sorting and labelling data can take an immense amount of effort, requiring an expert to check each file and determine whether that specific set of data is sensitive or not, all while being aware of the data's context. This level of manual intervention is simply not feasible in an enterprise IT deployment. Using a simple search function to sort data also fails here, as it returns irrelevant results just as often as relevant ones and again requires human intervention. A more flexible and accurate approach can be achieved by using AI-driven data mapping techniques such as NetApp Cloud Compliance.

Cloud Compliance for Amazon S3 buckets can be run with a few simple clicks to map all the sensitive private data that exists within all your S3 buckets, and returns results that can help isolate that data to help keep it secure and report on it for compliance purposes.


There's no question about it: there are always threats when it comes to IT infrastructure. In response, AWS S3 security levels and new protection methods are bound to ramp up in the coming years. The main catalysts will be the further development of AWS infrastructure, the wider adoption of cloud storage solutions, and growing expectations for the level of security they provide.

The techniques and solutions given in this short article are a cross-section of what can be applied now in your own Amazon S3 buckets. All S3 users should take advantage of these tools for their specific strengths: restricting access through permissions, encrypting data so it stays secure, generating policy documents to manage access to resources deliberately and flexibly, and avoiding compliance violations with data mapping technology such as NetApp Cloud Compliance.

To try out Cloud Compliance today for your Amazon S3 buckets click here

