This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Secure storage
The Secure Storage component provides the capability to securely store critical files for an enterprise (for example, backup data, configuration files, logs, golden images, and other files critical to both system operation and the organization’s mission).
Table 14 — Secure storage capability and the associated AWS services
| Capability and CSF mapping | AWS service | AWS service description | Function | AWS GovCloud (US) |
|---|---|---|---|---|
| Secure Storage PR.DS-1, PR.IP-4 | Access Analyzer for S3 | Access Analyzer for S3 is a feature that monitors your bucket access policies, ensuring that the policies provide only the intended access to your S3 resources. Access Analyzer for S3 evaluates your bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access. When reviewing results that show potentially shared access to a bucket, you can Block All Public Access to the bucket with a single click in the S3 console. For auditing purposes, Access Analyzer for S3 findings can be downloaded as a CSV report. | Provides analysis capabilities for validating appropriate access controls. | Yes |
| | Amazon EBS | Amazon EBS enables you to configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot. | Provides enforcement of encryption of block storage and snapshots. | Yes |
| | AWS KMS | AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control AWS KMS keys, the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions. | Easily create and control the keys used to encrypt or digitally sign your data. | Yes |
| | Amazon Macie | Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. | This control discovers and protects sensitive data using machine learning and pattern matching. | No |
| | | To protect your data in Amazon S3, by default, users only have access to the S3 resources they create. You can grant access to other users by using one or a combination of the following access management features: | Provides access controls to limit access to stored objects to authorized principals. | Yes |
| | AWS PrivateLink for S3 | AWS PrivateLink for S3 provides private connectivity between S3 and on-premises. You can provision interface VPC endpoints for S3 in your VPC to connect your on-premises applications directly with S3 over AWS Direct Connect. | Provides a private network path for transmitting data to/from S3. | Yes |
| | AWS Storage Gateway | AWS Storage Gateway uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) to encrypt data that is transferred between your gateway appliance and AWS storage. By default, Storage Gateway uses Amazon S3-Managed Encryption Keys (SSE-S3) to server-side encrypt all data it stores in S3. You have the option to use the Storage Gateway API to configure your gateway to encrypt data stored in the cloud using server-side encryption with AWS Key Management Service. For more information, see Data encryption using AWS KMS. | | Yes |
| | Amazon VPC endpoints | A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. | Restricts access to specific resources. | Yes |
| | Amazon EFS | When using Amazon Elastic File System (Amazon EFS), you specify Amazon EC2 security groups for your EC2 instances and security groups for the EFS mount targets associated with the file system. A security group acts as a firewall, and the rules that you add define the traffic flow. | | Yes |
| | S3 Block Public Access | S3 Block Public Access is a set of security controls that ensures S3 buckets and objects do not have public access. | Provides a safeguard to prevent unintentional S3 public access. | Yes |
| | S3 encryption | Amazon S3 supports both server-side encryption (with three key management options) and client-side encryption for data uploads. | Provides encryption at rest for stored objects. | Yes |
| | S3 MFA delete | To help prevent accidental deletions, enable Multi-Factor Authentication (MFA) delete on an S3 bucket. If you try to delete an object stored in an MFA delete-enabled bucket, it will require two forms of authentication: your AWS account credentials and the concatenation of a valid serial number, a space, and the six-digit code displayed on an approved authentication device, like a hardware key fob or a Universal 2nd Factor (U2F) security key. | Provides a safeguard against accidental deletions. | No |
| | S3 Object Lock | You can enforce write-once-read-many (WORM) policies with S3 Object Lock. This S3 management feature blocks object version deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or to meet compliance obligations. | Provides WORM object storage for secure backups of integrity information; provides immutability of backups. | Yes |
| | S3 versioning | S3 versioning enables you to preserve, retrieve, and restore every version of an object stored in Amazon S3, which enables you to recover from unintended user actions and application failures. | Provides recovery from unintended user actions and application failures. | Yes |
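The S3 rows of the table (Block Public Access, S3 encryption, versioning, MFA delete and Object Lock) are all bucket-level settings that can be read back through the S3 API, which makes them straightforward to verify for a backup bucket. The following is an added example written for this page, not code from the whitepaper or from AWS: it takes a dictionary shaped like the responses of the boto3 calls `get_public_access_block`, `get_bucket_encryption`, `get_bucket_versioning` and `get_object_lock_configuration` (assembled into one dict under the assumed keys shown) and reports which of the table's controls are missing. The two sample bucket configurations and the KMS key ARN are constructed, and the function name `assess_bucket` is this example's own.

```python
"""Check an S3 bucket configuration against the secure-storage controls
listed in Table 14: Block Public Access, encryption at rest, versioning,
MFA delete and Object Lock.

Added example for this page, not AWS code. The input dict mirrors the
shape of the boto3 responses for get_public_access_block,
get_bucket_encryption, get_bucket_versioning and
get_object_lock_configuration, merged under the keys used below, so real
responses can be passed in. The sample data here is constructed.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: a backup bucket with every control from the table in place.
HARDENED_BUCKET: dict[str, Any] = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            # Placeholder key ARN, not a real key.
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        }}]
    },
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}},
    },
}

# Constructed sample: a weakly configured bucket (partial public access block,
# no default encryption, versioning suspended, no Object Lock).
WEAK_BUCKET: dict[str, Any] = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": False,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "Versioning": {"Status": "Suspended"},
}

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket(cfg: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means all listed controls are set."""
    findings: list[str] = []

    # S3 Block Public Access: all four settings must be on.
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    disabled = [k for k in PAB_SETTINGS if not pab.get(k, False)]
    if disabled:
        findings.append("Block Public Access incomplete: "
                        + ", ".join(disabled) + " disabled")

    # S3 encryption: a default server-side encryption rule must exist.
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules]
    if not any(algorithms):
        findings.append("No default server-side encryption configured")
    elif "aws:kms" not in algorithms:
        findings.append("Default encryption uses SSE-S3 rather than an AWS KMS key")

    # S3 versioning and MFA delete (MFADelete is only reported when configured).
    versioning = cfg.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append("Versioning not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete not enabled")

    # S3 Object Lock: enabled, with a default retention rule for WORM protection.
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled (no WORM protection)")
    elif "DefaultRetention" not in lock.get("Rule", {}):
        findings.append("Object Lock enabled but no default retention period set")

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_BUCKET), ("weak", WEAK_BUCKET)):
        result = assess_bucket(cfg)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

To run it against a live bucket, populate the dict from the four boto3 calls named above; the MFA delete check relies on the `MFADelete` field, which the versioning API only returns once MFA delete has been configured, so its absence is treated as "not enabled".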