- TechOps Examples
- Posts
- How to Use S3 Buckets Securely for Public Data Storage
How to Use S3 Buckets Securely for Public Data Storage
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the top news, tools, videos, and articles in the TechOps industry.
IN TODAY'S EDITION
🧠 Use Case
How to Use S3 Buckets Securely for Public Data Storage
🚀 Top News
📽️ Videos
7 Linux Terminal Tricks You’ll Use EVERY Day - Once Learned
How to Set Up Crossplane and Manage Configuration Drift in Real-Time
📚️ Resources
gcloud CLI cheat sheet
Awesome Docker Compose samples
8 Must Knows Before Using AWS Security Groups
🛠️ TOOL OF THE DAY
terraform-aws-clickops-notifier - Get notified when actions are taken in the AWS Console.
🧠 USE CASE
How to Use S3 Buckets Securely for Public Data Storage
Misconfigured S3 buckets are a leading cause of data leaks in the cloud. Public access settings often expose private information to the internet, costing companies millions and damaging customer trust.
Can’t believe?
Here's a short list of incidents involving S3 hacks.
AWS S3 buckets are often used for public resources like avatars, product listings, and media files.
While we can’t cover every scenario, let’s examine two secure ways to upload data to S3:
Client Upload via API Server:
The client uploads data to the company’s API server first.
Here, validations can be done on the file type, size, or any other criteria before it is stored in S3.
The server proxies to S3, storing validated data and returning a secure URL.
This setup adds a layer of control and security by preventing direct client access to the S3 bucket.
Direct Client Upload with Pre-Signed URLs:
Another option is to let clients upload directly to S3 using a pre-signed URLs.
This method can streamline uploads but to secure direct uploads to S3, you set a bucket policy with typical restrictions including:
Allow Specific File Extensions: Permit the
s3:PutObject
action only for files with certain extensions (e.g.,.jpg
,.png
,.gif
).Deny All Others: Explicitly deny the
s3:PutObject
action for any files not matching these extensions. This explicit deny statement applies to all users, including those with full permissions to your S3 resources.
Here’s a sample bucket policy:
{
"Version": "2012-10-17",
"Id": "Policy1464968545158",
"Statement": [
{
"Sid": "AllowSpecificExtensions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:user/tmpuser"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::techops-bucket/*.jpg",
"arn:aws:s3:::techops-bucket/*.png",
"arn:aws:s3:::techops-bucket/*.gif"
]
},
{
"Sid": "DenyOtherExtensions",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"NotResource": [
"arn:aws:s3:::techops-bucket/*.jpg",
"arn:aws:s3:::techops-bucket/*.png",
"arn:aws:s3:::techops-bucket/*.gif"
]
}
]
}
Note:
This policy's explicit deny can lock out even the creator if conditions aren’t met—review carefully before saving.
Bucket policy evaluation is case-sensitive; denying
NotResource "arn:aws:s3:::techops-bucket/*.jpg"
allowsmy_image.jpg
but deniesmy_image.JPG
.
Check out some Amazon S3 bucket policies examples.
Essential Security Practices for Public S3 Buckets:
Enable logging for all S3 bucket activities to track access and changes.
Use object-level access control lists (ACLs) cautiously and only when absolutely necessary.
Review bucket policies regularly, especially after permissions or team changes.
Set up automated monitoring to detect any configuration drift in bucket settings.
Enable versioning to recover from unintended deletions or modifications.
Use bucket encryption to protect data even if the bucket is publicly accessible.
Remember, we are as good as our weakest link.