Unmatched security, compliance, and audit capabilities

Store your data in Amazon S3 and secure it from unauthorized access with encryption features and access management tools. S3 encrypts all object uploads to all buckets. S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level with S3 Block Public Access. S3 maintains compliance programs, such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA, to help you meet regulatory requirements. AWS also supports numerous auditing capabilities to monitor access requests to your S3 resources.

Introduction to Amazon S3 access management & security (3:05)

Amazon S3 security and access management

To protect your data in Amazon S3, by default, users only have access to the S3 resources they create. You can grant access to other users by using one or a combination of the following access management features: AWS Identity and Access Management (IAM) to create users and manage their respective access; Access Control Lists (ACLs) to make individual objects accessible to authorized users; bucket policies to configure permissions for all objects within a single S3 bucket; and Query String Authentication to grant time-limited access to others with temporary URLs. Amazon S3 also supports Audit Logs that list the requests made against your S3 resources for complete visibility into who is accessing what data.

S3 Block Public Access

Block Public Access

With a few clicks in the S3 management console, you can apply S3 Block Public Access to every bucket in your account—both existing and any new buckets created in the future—and make sure that there is no public access to any object. All new buckets have Block Public Access enabled by default. To restrict access to all existing buckets in your account, you can enable Block Public Access at the account level. S3 Block Public Access settings override S3 permissions that allow public access, making it easy for the account administrator to set up a centralized control to prevent variation in security configuration regardless of how an object is added or a bucket is created.

S3 Object Lock

Object Lock

Amazon S3 Object Lock blocks object version deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance. You can migrate workloads from existing write-once-read-many (WORM) systems into Amazon S3, and configure S3 Object Lock at the object- and bucket-levels to prevent object version deletions prior to pre-defined Retain Until Dates or Legal Hold Dates.

S3 Object Ownership

Object Ownership

Amazon S3 Object Ownership disables Access Control Lists (ACLs), changing ownership for all objects to the bucket owner and simplifying access management for data stored in S3. When you configure the S3 Object Ownership Bucket owner enforced setting, ACLs will no longer affect permissions for your bucket and the objects in it. All access control will be defined using resource-based policies, user policies, or some combination of these. ACLs are automatically disabled for new buckets. You can use S3 Inventory to review ACLs usage in your buckets before enabling S3 Object Ownership when migrating to IAM-based buckets policies. For more information, see Controlling Object Ownership.

Identity and Access Management

Identity and Access Management

By default, all Amazon S3 resources—buckets, objects, and related subresources—are private: only the resource owner, an AWS account that created it, can access the resource. Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. By default, an S3 object is owned by the account that created the object, including when this account is different than the bucket owner. You can use S3 Object Ownership to disable Access Control Lists and change this behavior. If you do, each object in a bucket is owned by the bucket owner. For more information, see Identity and access management in Amazon S3.

Amazon Macie

Amazon Macie

Discover and protect sensitive data at scale in Amazon S3 with Amazon Macie. Macie automatically provides you with a full inventory of your S3 buckets by scanning buckets to identify and categorize the data. You receive actionable security findings enumerating any data that fits these sensitive data types, including personal identifiable information (PII) (e.g. customer names and credit cards numbers), and categories defined by privacy regulations, such as GDPR and HIPAA. Macie also automatically and continually evaluates bucket-level preventative controls for any buckets that are unencrypted, publicly accessible, or shared with accounts outside of your organization, allowing you to quickly address unintended settings on buckets.

Encryption

Encryption

Amazon S3 automatically encrypts all object uploads to all buckets. For object uploads, Amazon S3 supports server-side encryption with four key management options: SSE-S3 (the base level of encryption), SSE-KMS, DSSE-KMS, and SSE-C, as well as client-side encryption. Amazon S3 offers flexible security features to block unauthorized users from accessing your data. Use VPC endpoints to connect to S3 resources from your Amazon Virtual Private Cloud (Amazon VPC). Use S3 Inventory to check the encryption status of your S3 objects  (see storage management for more information on S3 Inventory).

Video: Amazon S3 data encryption overview »

AWS Trusted Advisor

AWS Trusted Advisor

Trusted Advisor inspects your AWS environment and then makes recommendations when opportunities exist to help close security gaps. 

Trusted Advisor has the following Amazon S3-related checks: logging configuration of Amazon S3 buckets, security checks for Amazon S3 buckets that have open access permissions, and fault tolerance checks for Amazon S3 buckets that don't have versioning enabled, or have versioning suspended.

AWS PrivateLink for S3

Access Amazon S3 directly as a private endpoint within your secure, virtual network with AWS PrivateLink for S3. Simplify your network architecture by connecting to S3 from on-premises or in the cloud using private IP addresses from your Virtual Private Cloud (VPC). You no longer need to use public IPs, configure firewall rules, or configure an internet gateway to access S3 from on-premises.

Verify data integrity

Verify data integrity

By default, the latest AWS SDKs automatically calculate efficient CRC-based checksums for all uploads. S3 independently verifies that checksum and only accepts objects after confirming that data integrity was maintained in transit over the public internet. If a version of the SDK that does not provide pre-calculated checksums is used to upload an object, S3 calculates a CRC-based checksum of the whole object, even for multipart uploads. Checksums are stored in object metadata and are therefore available to verify data integrity at any time. Choose from five supported checksum algorithms (SHA-1, SHA-256, CRC32, CRC32C or CRC64NVME) to check data integrity on your upload and download requests. Automatically calculate and verify checksums as you store or retrieve data from Amazon S3, and access the checksum information at any time using the HeadObject S3 API, GetObjectAttributes S3 API, or an S3 Inventory report.

Tech Talk: Get started with checksums in Amazon S3 for data integrity checking » Blog: Building scalable checksums » Blog: Enabling and validating additional checksums on existing objects in Amazon S3 »

How it works

  • AWS PrivateLink for Amazon S3
  • Establish a direct private connection from on-premises to Amazon S3. To get started, please read the AWS PrivateLink for S3 documentation

    Security with AWS PrivateLink for S3
  • Amazon Macie
  • Discover and protect your sensitive data at scale. To get started with Amazon Macie, visit the website.

    Security with Amazon Macie
  • S3 Block Public Access
  • Block all public access to Amazon S3 now, and in the future. To learn more about S3 Block Public Access, visit the webpage.

    Security with S3 Block Public Access
  • Amazon GuardDuty for S3
  • Protect your Amazon S3 data with intelligent threat detection, continuous monitoring, and malware scanning. To learn more about Amazon GuardDuty for Amazon S3, visit the webpage.

    Security with Amazon GuardDuty for S3

Amazon S3 security, access management, encryption, and data protection resources

Read the Amazon S3 Security and Data Protection eBook to learn tools and best practices for access management, auditing and monitoring, and data protection.

In this Amazon S3 data protection overview video, you'll learn about the native data protection features in Amazon S3 including S3 Versioning, S3 Object Lock, and S3 Replication. You'll get a brief overview of each of these S3 data protection features, learn how these features can help you meet your data protection goals, and get useful tips on how to protect your data using Amazon S3.

Amazon S3 data protection overview - Versioning, Object Lock, & Replication (7:41)

Organizations are constantly creating and migrating business-critical digital assets into Amazon S3. As assets are migrated and used across workflows, it is important to ensure files remain unaltered by network corruption, hard drive failure, or other unintentional issues. Algorithms are used to scan files byte by byte to generate unique fingerprints for them, known as checksums. In this tech talk, learn how you can use checksums to verify assets are not altered when copied. Explore multiple Amazon S3 checksum options for accelerating integrity checking of data, and discover how you can confirm that every byte is transferred without alteration, allowing you to maintain end-to-end data integrity.

Get started with checksums in Amazon S3 for data integrity checking (30:14)

Strong adherence to architecture best practices and proactive controls is the foundation of storage security and access controls. In this video, learn best practices for data security in Amazon S3. Review the fundamentals of Amazon S3 security architecture and dive deep into the latest enhancements in usability and functionality. Consider options for encryption, access control, security monitoring, auditing, and remediation.

Amazon S3 security and access control best practices (45:47)

Amazon S3 automatically encrypts all object uploads to all buckets. For object uploads, Amazon S3 supports server-side encryption with four key management options: SSE-S3 (the base level of encryption), SSE-KMS, DSSE-KMS, and SSE-C, as well as client-side encryption. Amazon S3 offers granular access controls to suit any workload. In this video, learn Amazon S3 encryption and access control best practices. 

Amazon S3 encryption and access control best practices (44:50)

At creation and by default, all S3 resources are private and can only be accessed by the resource owner or account administrator. This security design lets you configure finely-tuned access policies that align to organizational, governance, security, and compliance requirements. In this video, learn the different ways you can manage access to your data using AWS Identity and Access Management (IAM) and S3 bucket policies.

 

 

Amazon S3: Configuring Access Policies (10:36)

S3 is designed for 11 9s of durability, strong resiliency, and high availability. However, even the most durable storage cannot protect against unintended or accidental deletions. Additionally, ransomware events are a prime reason to evaluate additional protection for your critical data. Learn about S3 features that provide additional layers of protection, including S3 Versioning, S3 Cross-Region Replication (CRR), and S3 Object Lock.

Beyond 11 9s of durability: Data protection with Amazon S3 (54:59)

S3 Security blogs

AWS News Blog


Amazon S3 encrypts new objects by default

Amazon S3 encrypts all new objects by default. As of January 5, 2023, S3 automatically applies server-side encryption (SSE-S3) for each new object, unless you specify a different encryption option. This change puts another security best practice into effect automatically—with no impact on performance and no action required on your side.

Read the blog »

AWS News Blog


Heads-up: Amazon S3 security changes are coming in April of 2023

Starting in April of 2023, we will be making two changes to Amazon S3 to put our latest best practices for bucket security into effect automatically. Once the changes are in effect for a target Region, all newly created buckets in the Region will by default have S3 Block Public Access enabled and ACLs disabled. 

Read the blog »

AWS News Blog


Simplify access management for data stored in Amazon S3

The new Amazon S3 Object Ownership setting, Bucket owner enforced, lets you disable all of the ACLs associated with a bucket and the objects in it. When you apply this bucket-level setting, all of the objects in the bucket become owned by the AWS account that created the bucket, and ACLs are no longer used to grant access. 

Read the blog »

AWS NEWS BLOG


New – Amazon S3 Dual-Layer Server-Side Encryption with Keys Stored in AWS Key Management Service (DSSE-KMS)

Customers can now apply two independent layers of server-side encryption to objects in Amazon S3. Dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS) is designed to meet National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption. Amazon S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control the data keys used for both layers.

Read the blog »
Learn more about Amazon S3

Learn about Amazon S3 features.

Learn more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building with Amazon S3 in the AWS Management Console.

Sign in