Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Question about to secure S3

0

As captioned, how to secure S3 bucket in multi-account environments?

Topics
Storage
Tags
Amazon Simple Storage Service
Language
English
asked a year ago115 views
2 Answers
6
Accepted Answer

Take this:

  1. Use Bucket Policies with aws:PrincipalOrgID
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::your-bucket-name/*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "EXAMPLE"
    }
  }
}
  1. Set Up Cross-Account IAM Roles • In the bucket-owning account, create a role with permissions to access the bucket. • In the other account, allow users or services to assume that role. • This is more scalable and auditable than using access keys.
  2. Disable ACLs and Use Bucket Owner Enforced Mode • ACLs are legacy and messy. • Use S3 Object Ownership to enforce that the bucket owner owns all objects. • This simplifies access control and avoids ownership conflicts.
  3. Enable Logging and Access Analyzer • Turn on S3 server access logging or CloudTrail data events to monitor usage. • Use IAM Access Analyzer to detect unintended public or cross-account access.
  4. Use VPC Endpoints for Private Access • If your workloads are in VPCs, use S3 Gateway Endpoints to keep traffic off the public internet. • Combine with bucket policies that only allow access via the endpoint.
EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
0

For securing S3 buckets across AWS accounts, here are the key security measures to implement:

  1. Set up cross-account IAM roles instead of using access keys, as this provides better scalability and auditability.

  2. For encryption requirements:

  • Use either SSE-KMS with customer managed keys (CMK) or SSE-S3 encryption
  • Avoid AWS managed SSE-KMS keys as they don't allow cross-account access
  1. Configure access controls:
  • Disable ACLs and use bucket owner enforced mode to simplify access management
  • Enable logging and use IAM Access Analyzer to detect unintended public or cross-account access
  • Use VPC endpoints for private access to keep traffic within AWS network

When implementing cross-account permissions:

  • Configure bucket policies to allow only required roles from other accounts
  • Ensure KMS key policies grant appropriate permissions if using customer managed keys
  • Follow principle of least privilege when granting access

For monitoring and compliance:

  • Enable CloudTrail for detailed action logging
  • Set up access logging to track bucket usage
  • Regularly review and audit access patterns

Reference

  1. How do I grant cross-account access to objects that are in Amazon S3 buckets?
  2. Using AWS Identity and Access Management Access Analyzer
  3. Enabling CloudTrail event logging for S3 buckets and objects
AWS
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content