By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 PUT REQUEST LIMITS PAR DAY

0

Hi,

I currently have an s3 bucket.

I would like to backup every day a Mysql database that runs on a VPS.

In the event that my VPS and its root access become compromised, I would like to protect my s3 bucket data.

For this I was told to use an AWS IAM user with this ONLY the PUT permission on the s3 bucket

But I still have a question to solve, an attacker can always if he has managed to get my IAM credentials from the backup script,

-> To put lots of files in my s3 to dangerously raise my s3 bill

-> I know I can make invoice cost alerts but I want to directly BLOCK/LIMIT my s3

-> I would like to allow a certain max size of go per upload/put file

-> And most importantly, allow a certain number of PUT requests per day

Can you explain to me how to do this?

Topics
StorageSecurity, Identity, & ComplianceDatabase
Tags
Amazon Simple Storage ServiceStorageIAM PoliciesMySQL
Language
English
Paul
asked 9 months ago320 views
1 Answer
1

To best of my knowledge, there is no such feature, which can limit number of request per day to s3 bucket. Maximum size of a single file that can be uploaded is 5GB and this can't be adjusted. You'll need to add more detective and preventive controls, which can tighten the security of AWS account and bucket and alert you as any compromise happens.

First of all, you should have a strict bucket policy(DenyAllExcept), which denies everyone and allows specific set of users, if that bucket has sensitive data and you want to secure it in a better way, follow this blog post.

{
    "Id": "DenyAllExcept",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::<Account_Id>:user/<user_name>"
                ]
            },
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}

This is just an example and can further be restricted to allowed user with only required action instead of "*".

Also add an extra layer of security to your s3 bucket by adding an encryption using SSE-KMS CMK and add KMS key resource policy in the key to deny access to everyone except intended user/roles. Refer key policies documentation. This way, your bucket would have an extra layer of security, where a user would not only need access to your bucket but also that KMS key.

This re:Post Knowledge Center Article covers this topic very well, so please go through this article and see how you can secure your s3 bucket from attacks. Also go through AWS S3 best practices.

What to do, if your IAM user credentials are exposed or leak:

Consider services such as AWS Guardudty, Cloudtrail, Security Hub, Config for better security posture and monitoring of your AWS account and underlying resources.

Hope this helps.

PS: This answer is not the direct answer to your question but more towards how to avoid that happening.

Abhishek

profile pictureAWS
EXPERT
secondabhi_aws
answered 9 months ago
  • secondabhi_aws EXPERT
    9 months ago

    Do you have any further questions, happy to help.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content