Security - AWS Storage Services Overview

Security

Amazon S3 is highly secure. It provides multiple mechanisms for fine-grained control of access to Amazon S3 resources, and it supports encryption.

You can manage access to Amazon S3 by granting other AWS accounts and users permission to perform the resource operations by writing an access policy.

You can protect Amazon S3 data at rest by using server-side encryption, in which you request Amazon S3 to encrypt your object before it’s written to disks in data centers and decrypt it when you download the object or by using client-side encryption, in which you encrypt your data on the client side and upload the encrypted data to Amazon S3. You can protect the data in transit by using Secure Sockets Layer (SSL) or client-side encryption.

You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures. Additionally, you can add an optional layer of security by enabling Multi-Factor Authentication (MFA) Delete for a bucket. With this option enabled for a bucket, two forms of authentication are required to change the versioning state of the bucket or to permanently delete an object version: valid AWS account credentials plus a six- digit code (a single-use, time-based password) from a physical or virtual token device.

To track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.