
Welcome To AWS Training For Developers: Thinkcloudly

Uploaded by

saadbabar38

Welcome To AWS Training For Developers

S3

Instructor: Dr. Bisma Gulzar

Copyright thinkcloudly, All rights reserved


Questions?
What is S3?

• S3 Introduction
• S3 Encryption
• S3 Bucket Policies
• S3 Security
• S3 Console
• S3 Websites
• S3 CORS
Simple Storage Service (AWS S3)

Amazon S3 is one of the main building blocks of AWS. It is advertised as “infinitely scaling storage” and offers integrations with other AWS services as well.

• AWS Buckets: Store objects (files)
• Objects: 5 TB max object size. Multi-part of 5 GB
• Versioning: Protects against unintended deletes
• Encryptions: Multiple ways to encrypt
• Security and bucket policies: At IAM and resource level


S3 Encryptions

SSE-S3
• Encrypts S3 objects using a key handled and managed by AWS.
• Object is encrypted server side.
• Uses AES-256 encryption type.
• Must set header “x-amz-server-side-encryption”:”AES256”

SSE-KMS
• Encryption using keys handled & managed by KMS.
• KMS: user control + audit trail.
• Object is encrypted at server side.
• Must set header “x-amz-server-side-encryption”:”aws:kms”

SSE-C
• Keys managed by customer outside of AWS.
• AWS does not store the encryption key.
• HTTPS must be used.
• Encryption key must be provided in the HTTP header.

Client Side Encryption
• Uses a client library such as the Amazon S3 encryption client.
• Client encrypts data before sending to S3.
• Client decrypts data when retrieving from S3.
• Customer manages the keys and encryption cycle.

Encryption in Transit (SSL/TLS)
• AWS S3 exposes both HTTP and HTTPS endpoints.
• HTTPS is recommended and preferred by most of the clients.
• HTTPS is mandatory for SSE-C.
• Encryption in flight is also called SSL/TLS.
S3 Bucket Policies

• JSON: Policies are in JSON format and use the policy generator
• Resources: Buckets and objects
• Public access: Grant public access
• Force Objects Encryption at upload
• Cross Account: Grant access to another account
• Prevent Leaks: Policies prevent data leaks

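An added example (not from the original slides) of using a bucket policy to force encryption at upload and HTTPS-only access: it builds the policy and checks sample requests against it with a small local evaluator. The bucket name `example-bucket` and the function names are assumptions, and the evaluator is a simplified stand-in that supports only the three condition operators used here.

```python
import json
from fnmatch import fnmatchcase

SSE_KEY = "s3:x-amz-server-side-encryption"   # condition key for the upload header
ALLOWED_SSE = ["AES256", "aws:kms"]           # SSE-S3 and SSE-KMS header values

def encryption_policy(bucket):
    """Bucket policy denying unencrypted uploads and all plain-HTTP access."""
    objects = f"arn:aws:s3:::{bucket}/*"
    def deny(sid, action, resource, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": action, "Resource": resource, "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyMissingSSEHeader", "s3:PutObject", objects,
             {"Null": {SSE_KEY: "true"}}),
        deny("DenyWrongSSEValue", "s3:PutObject", objects,
             {"StringNotEquals": {SSE_KEY: ALLOWED_SSE}}),
        deny("DenyInsecureTransport", "s3:*",
             [f"arn:aws:s3:::{bucket}", objects],
             {"Bool": {"aws:SecureTransport": "false"}}),
    ]}

def _matches(op, key, want, ctx):
    """Evaluate one condition; only the operators used above are supported."""
    have = ctx.get(key)
    if op == "Null":
        return (have is None) == (want == "true")
    if op == "Bool":
        return have == want
    if op == "StringNotEquals":          # negated operator: true if key is absent
        return have not in want
    raise ValueError(f"unsupported operator {op}")

def denied_by(policy, action, headers, https):
    """Return the Sid of the first Deny statement that matches, else None."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if "x-amz-server-side-encryption" in headers:
        ctx[SSE_KEY] = headers["x-amz-server-side-encryption"]
    for st in policy["Statement"]:
        if fnmatchcase(action, st["Action"]) and all(
                _matches(op, key, want, ctx)
                for op, conds in st["Condition"].items()
                for key, want in conds.items()):
            return st["Sid"]
    return None

if __name__ == "__main__":
    policy = encryption_policy("example-bucket")  # placeholder bucket name
    print(json.dumps(policy, indent=2))
    print(denied_by(policy, "s3:PutObject", {}, https=True))
```

SSE-C uploads send a different header (`x-amz-server-side-encryption-customer-algorithm`), so a bucket that accepts SSE-C needs its own condition rather than this policy as written.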


S3 Security

• Networking: Supports VPC Endpoints
• Logging and Audit: S3 access logs in S3 bucket
• API calls to S3: Logged in AWS CloudTrail
• MFA Delete: Required to delete objects
• Pre-Signed URLs: URLs that are valid only for a limited time
S3 Websites

01 Host static websites: Access on WWW
02 Bucket URL: <bucket-name>.s3-website.<region>.amazonaws.com
03 Error Forbidden: Allow bucket policy for public
04 Payment UI app: Just an example


AWS S3 Console
Thank You
