S3 PUT REQUEST LIMITS PAR DAY

Question

Hi,

I currently have an s3 bucket.

I would like to backup every day a Mysql database that runs on a VPS.

In the event that my VPS and its root access become compromised, I would like to protect my s3 bucket data.

For this I was told to use an AWS IAM user with this ONLY the PUT permission on the s3 bucket

But I still have a question to solve, an attacker can always if he has managed to get my IAM credentials from the backup script,

-> To put lots of files in my s3 to dangerously raise my s3 bill

-> I know I can make invoice cost alerts but I want to directly BLOCK/LIMIT my s3

-> I would like to allow a certain max size of go per upload/put file

-> And most importantly, allow a certain number of PUT requests per day

Can you explain to me how to do this?

Answer

To best of my knowledge, **there is no such feature, which can limit number of request per day to s3 bucket.** Maximum size of a single file that can be uploaded is 5GB and this can't be adjusted. You'll need to add more detective and preventive controls, which can tighten the security of AWS account and bucket and alert you as any compromise happens.

First of all, you should have a strict bucket policy(DenyAllExcept), which denies everyone and allows specific set of users, if that bucket has sensitive data and you want to secure it in a better way, follow this [blog post](https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/).

{
        "Id": "DenyAllExcept",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "s3:*",
                "Effect": "Deny",
                "NotPrincipal": {
                    "AWS": [
                        "arn:aws:iam:::user/"
                    ]
                },
                "Resource": [
                    "arn:aws:s3:::",
                    "arn:aws:s3:::/*"
                ]
            }
        ]
    }

This is just an example and can further be restricted to allowed user with only required action instead of "*".

Also add an extra layer of security to your s3 bucket by adding an encryption using SSE-KMS CMK and add KMS key resource policy in the key to deny access to everyone except intended user/roles. Refer [key policies documentation](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). This way, your bucket would have an extra layer of security, where a user would not only need access to your bucket but also that KMS key.

This [re:Post Knowledge Center Article](https://repost.aws/knowledge-center/secure-s3-resources) covers this topic very well, so please go through this article and see how you can secure your s3 bucket from attacks. Also go through [AWS S3 best practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html).

What to do, if your IAM user credentials are exposed or leak:

- [Potential Account Compromise](https://repost.aws/knowledge-center/potential-account-compromise) 
- [What to Do If You Inadvertently Expose an AWS Access Key](https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/)

Consider services such as AWS Guardudty, Cloudtrail, Security Hub, Config for better security posture and monitoring of your AWS account and underlying resources.

Hope this helps.

PS: This answer is not the direct answer to your question but more towards how to avoid that happening.

Abhishek

S3 PUT REQUEST LIMITS PAR DAY

相关内容