- Newest
- Most votes
- Most comments
The question here is not completely clear to me, but I can suggest a few items.
- Block public access to the bucket!
- Enable data encryption on the bucket!
- Control access to the bucket via a bucket policy.
- There are options to control the ownership of object in buckets.
If you control the AWS Organizations organisation that the AWS accounts belong to that host the Lambda functions, IAM roles used as Lambda execution roles, their attached IAM policies, and the S3 bucket and its bucket policy, along with KMS keys for the S3 buckets or other related elements that you might be using, you could use a Service Control Policy (SCP) controlled at the organisation level to protect all those resources against changes, except by a deployment/management principal, likely an IAM role, which you would control and which you would separately protect against changes (including particularly the management role's assume role policy) with an SCP. SCPs are also effective at blocking the root user from performing those actions.
CloudFormation StackSets integrates with AWS Organizations in a way that makes it comparatively easy to deploy and update your code and associated elements across the accounts and regions you want.
It's useful to understand, however, that setting up the SCPs, identity-based policies, and resource-based policies such that all avenues for others to access or modify them are blocked can be quite intricate. Without an advanced level skillset in IAM, the setup isn't likely to end up airtight.
If you don't control the organisation, you aren't using one, or your adversary controls it, and the Lambda functions are having to reside in that untrusted account or org, there's no practical way for you to protect the data against those with control over the accounts/org.
Relevant content
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 months ago
All the bucket-related mechanisms are useless against the root user of the account. Root has a hardwired override (only possible to countermand with an SCP) that allows it to modify or delete an S3 bucket policy. That would allow them to defeat all the bucket-related items you listed. The only thing root couldn't overrule is a KMS key policy, but they could simply make a copy of the Lambda function and modify it to deliver the data to a bucket they control instead, or any number of variations of that theme. Or, they could simply open a support ticket and ask support to reset the KMS key policy.