From the course: Complete Guide to AWS Security and Compliance Management

Exploring S3 management options

- [Instructor] Simple Storage Service, or S3, is one of the oldest service offerings in the AWS portfolio. S3 provides object storage. With literally trillions of files stored as objects, it's safe to say that S3 is also quite widely used. You can interact with S3 directly via the web console or a variety of available third-party tools. Machines interact with S3 programmatically using the CLI or using one of the many software development kits provided by AWS. These SDKs are available for many popular programming languages. Machines within an AWS Virtual Private Cloud in your account can interact directly with S3 using a VPC endpoint.

It's helpful to understand how S3 is organized. Let's reinforce some AWS-specific object-storage terminology. First off, there's the S3 bucket. It helps to think of a bucket as a folder, a container in which you can store a number of objects. What do you put in a bucket? Well, in S3 terms, you put objects in a bucket. It's helpful to think of objects as files. Objects can be binary files of different types, such as pictures or word processing documents. They can also be simple text files. Essentially, any digital document that you want to store can be considered an object. Objects are placed into buckets. This is analogous to a folder on your desktop or laptop containing various files of differing types. It's important to keep these in your head, as it's possible to establish security controls at both the bucket and object levels.

Going forward, we'll explore a variety of approaches for managing access to S3. These will include VPC endpoints. VPC endpoints are useful because they keep network traffic between S3 objects and resources within your AWS account private. That is, it doesn't traverse the public internet. Identity and access management policies are constructs within an AWS account that define what users can and cannot do. In the context of S3, IAM policies are useful since they can be applied to IAM users, groups, and roles. Of course, roles can be assigned directly to various compute resources like EC2 instances. S3 bucket policies are security controls placed at the individual bucket level. S3 ACLs are applied to individual objects within an S3 bucket. Unless you really need to control access to individual objects, it's unlikely that you'll use ACLs as a security control. S3 Access Grants let you map identities from your corporate identity store or from AWS IAM to permissions within S3. Note that you are limited to one instance of S3 Access Grants per AWS region in an account. S3 Access Points let you create a network endpoint for access to S3. You can make these access points publicly accessible, or you can limit them to a specific VPC.

Within a single AWS account, it's a good idea to create separate buckets for publicly accessible data, like web content, and privately accessible data, like internal financial documents. That way, if you have users coming from the internet, you can be confident that they'll have access to the data intended to be shared with the world. With your private assets in another bucket, you can rest assured that they are protected from the public eye. Depending on how sophisticated your organizational requirements are, you may wish to create separate AWS accounts for public and private data. In addition to ensuring that public users have the appropriate access while safeguarding your internal assets, this approach also facilitates taking advantage of account-level controls for controlling public access. As you can imagine, this can make the structure and management of multiple S3 buckets quite complex.
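The bucket-level controls the instructor lists (a bucket policy, a VPC endpoint, and the public/private bucket split) can be seen working together in the added example below. It is not code from the course: it builds a bucket policy for a private bucket that only one IAM role may use, and only through a specific VPC endpoint over TLS, builds a public-read policy for a web-content bucket, and runs sample requests through a deliberately simplified evaluator (explicit Deny beats Allow, otherwise default Deny; only the StringEquals, StringNotEquals and Bool operators; IAM identity policies, ACLs and SCPs are ignored). The bucket names, the role ARN, the account ID and the `vpce-` ID are made-up values; `aws:SourceVpce` and `aws:SecureTransport` are real condition keys.

```python
"""Simplified S3 bucket-policy builder and evaluator (added example, not course code).

Models only the bucket-policy part of the AWS authorization decision:
an applicable Deny wins, otherwise any applicable Allow wins, otherwise Deny.
Identity policies, ACLs, Access Points, Access Grants and SCPs are out of scope.
"""
import json
from fnmatch import fnmatchcase


def private_bucket_policy(bucket, role_arn, vpce_id):
    """Policy for the 'internal financial documents' bucket: one role, one VPC endpoint, TLS only."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the only grant in this policy: a single application role may read/write objects
                "Sid": "AllowAppRole",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{arn}/*",
            },
            {   # any request that did not arrive through our VPC endpoint is refused
                "Sid": "DenyOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
            {   # plain-HTTP requests are refused regardless of where they come from
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def public_bucket_policy(bucket):
    """Policy for the 'web content' bucket: anyone may read objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal):
    if spec == "*":
        return True
    if isinstance(spec, dict):
        return any(p in ("*", principal) for p in _as_list(spec.get("AWS", [])))
    return False


def _condition_holds(cond, ctx):
    # Every operator/key pair in a Condition block must hold (logical AND).
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            expected = [str(e) for e in _as_list(expected)]
            if op == "StringEquals":
                ok = actual is not None and actual in expected
            elif op == "StringNotEquals":
                ok = actual is None or actual not in expected  # missing key satisfies a negated operator
            elif op == "Bool":
                ok = actual is not None and actual.lower() == expected[0].lower()
            else:
                raise ValueError(f"condition operator {op} is not modelled here")
            if not ok:
                return False
    return True


def _statement_applies(stmt, req):
    return (_principal_matches(stmt["Principal"], req["principal"])
            and any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), req.get("context", {})))


def evaluate(policy, req):
    """Return 'Allow' or 'Deny' for a request dict with principal, action, resource, context."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, req)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def is_public(policy):
    """Crude check for the kind of statement S3 Block Public Access exists to stop:
    an unconditional Allow to Principal '*'."""
    return any(s["Effect"] == "Allow" and s["Principal"] == "*" and "Condition" not in s
               for s in policy["Statement"])


if __name__ == "__main__":
    # Constructed names; nothing here talks to AWS.
    policy = private_bucket_policy("acme-finance-internal",
                                   "arn:aws:iam::123456789012:role/finance-app",
                                   "vpce-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
```

Running the module prints the private-bucket policy so it can be pasted into `aws s3api put-bucket-policy`; the evaluator is only there to reason about the policy offline, and the real decision is made by AWS with the identity policy, ACLs and Block Public Access settings included.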
