AWS Associate Architect Certification Training | Amazon S3 Security

Video source: Bilibili course "AWS Certified Solutions Architect Associate SAA-C03"

I am organizing the instructor's course content and lab notes as I study and sharing them with everyone; if this infringes any rights it will be removed. Thanks for your support!

Summary post: AWS Associate Architect Certification Training | Summary (热爱编程的通信人's blog, CSDN)


S3 Encryption

Amazon S3 - Object Encryption

  • You can encrypt objects in S3 buckets using one of 4 methods
  • Server-Side Encryption (SSE)
    ◦ Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): encrypts S3 objects using keys handled, managed, and owned by AWS
    ◦ Server-Side Encryption with KMS keys stored in AWS KMS (SSE-KMS): leverages AWS Key Management Service (AWS KMS) to manage encryption keys
    ◦ Server-Side Encryption with Customer-Provided Keys (SSE-C): when you want to manage your own encryption keys
  • Client-Side Encryption
  • It's important to understand which ones are for which situation for the exam

Amazon S3 Encryption - SSE-S3

  • Encryption using keys handled, managed, and owned by AWS
  • Object is encrypted server-side
  • Encryption type is AES-256
  • Must set header "x-amz-server-side-encryption":"AES256"

Amazon S3 Encryption - SSE-KMS

  • Encryption using keys handled and managed by AWS KMS (Key Management Service)
  • KMS advantages: user control + audit key usage using CloudTrail
  • Object is encrypted server side
  • Must set header "x-amz-server-side-encryption":"aws:kms"

SSE-KMS Limitation

  • If you use SSE-KMS, you may be impacted by the KMS limits
  • When you upload, it calls the GenerateDataKey KMS API
  • When you download, it calls the Decrypt KMS API
  • Count towards the KMS quota per second (5500, 10000, 30000 req/s based on region)
  • You can request a quota increase using the Service Quotas Console

Amazon S3 Encryption - SSE-C

  • Server-Side Encryption using keys fully managed by the customer outside of AWS
  • Amazon S3 does NOT store the encryption key you provide
  • HTTPS must be used
  • The encryption key must be provided in HTTP headers, for every HTTP request made

Amazon S3 Encryption - Client-Side Encryption

  • Use client libraries such as Amazon S3 Client-Side Encryption Library
  • Clients must encrypt data themselves before sending to Amazon S3
  • Clients must decrypt data themselves when retrieving from Amazon S3
  • Customer fully manages the keys and encryption cycle

Amazon S3 - Encryption in transit (SSL/TLS)

  • Encryption in flight is also called SSL/TLS
  • Amazon S3 exposes two endpoints:
    ◦ HTTP Endpoint - non encrypted
    ◦ HTTPS Endpoint - encryption in flight
  • HTTPS is recommended
  • HTTPS is mandatory for SSE-C
  • Most clients would use the HTTPS endpoint by default

S3 Default Encryption

Amazon S3 - Default Encryption vs. Bucket Policies

  • One way to "force encryption" is to use a bucket policy and refuse any API call to PUT an S3 object without encryption headers
  • Another way is to use the "default encryption" option in S3
  • Note: Bucket Policies are evaluated before "default encryption"
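As an added illustration (not part of the course notes), the bucket-policy approach from the first bullet written out as the usual pair of Deny statements, with a toy evaluator showing that the policy fires before default encryption gets a chance to fill in the header. The bucket name "my-bucket" and the required value "aws:kms" are assumptions.

```python
import json

# Added example (not from the course notes): the classic "deny unencrypted PUTs"
# bucket policy plus a toy evaluator for the two condition operators it uses.
# "my-bucket" is a placeholder; requiring "aws:kms" selects SSE-KMS.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyPutWithoutSseHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyPutWithWrongSseHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}""")


def condition_matches(condition, context):
    """Toy evaluator for Null and StringNotEquals only. context maps condition
    keys to request values; an absent key means the header was not sent. The
    Null statement handles the missing header, so StringNotEquals skips absent keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # Null: "true" matches when the key is absent from the request
                if (key not in context) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                if key in context and context[key] == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def put_object_allowed(policy, headers):
    """False if any Deny statement on s3:PutObject matches the request headers."""
    context = {"s3:" + k.lower(): v for k, v in headers.items()}
    return not any(
        stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
        and condition_matches(stmt.get("Condition", {}), context)
        for stmt in policy["Statement"])


def resulting_encryption(policy, headers, default_sse=None):
    """Bucket policy is evaluated first; default encryption only fills in a
    header the policy let through. Returns "DENIED" or the encryption applied."""
    if not put_object_allowed(policy, headers):
        return "DENIED"
    return headers.get("x-amz-server-side-encryption", default_sse)
```

With default encryption set to AES256 and no header sent, the upload is still denied, which is exactly the "policies are evaluated before default encryption" point.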

S3 CORS

What is CORS?

  • Cross-Origin Resource Sharing (CORS)
  • Origin = scheme (protocol) + host (domain) + port
    ◦ Example: https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)
  • Web Browser based mechanism to allow requests to other origins while visiting the main origin
  • Same origin: http://example.com/app1 & http://example.com/app2
  • Different origins: http://www.example.com & http://other.example.com
  • The requests won't be fulfilled unless the other origin allows for the requests, using CORS Headers (example: Access-Control-Allow-Origin)

Amazon S3 - CORS

  • If a client makes a cross-origin request on our S3 bucket, we need to enable the correct CORS headers
  • It's a popular exam question
  • You can allow for a specific origin or for * (all origins)
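An added example, not from the course: an S3 CORS configuration in the JSON shape the console accepts, with a simplified matcher showing which response headers a browser would see for a given Origin and method. The origins are constructed, and AllowedHeaders handling (exact match or "*") is a simplification of what S3 supports.

```python
import json

# Added example (not from the course notes): S3 CORS rules in console JSON form,
# plus a simplified matcher for the browser's Origin / method / request headers.
# Origins below are constructed; AllowedHeaders matching is exact or "*" only.
CORS_RULES = json.loads("""[
  {"AllowedOrigins": ["https://www.example.com", "https://*.app.example.com"],
   "AllowedMethods": ["GET", "HEAD"],
   "AllowedHeaders": ["Authorization", "Range"],
   "ExposeHeaders": ["ETag"], "MaxAgeSeconds": 3000},
  {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"],
   "AllowedHeaders": [], "ExposeHeaders": [], "MaxAgeSeconds": 0}
]""")


def origin_matches(pattern, origin):
    """S3 allows at most one '*' wildcard per AllowedOrigins entry; scheme,
    host and port must all match, so http:// and https:// are different origins."""
    if pattern.count("*") > 1:
        raise ValueError("at most one wildcard per origin: " + pattern)
    if "*" not in pattern:
        return pattern == origin
    prefix, suffix = pattern.split("*")
    return (len(origin) >= len(prefix) + len(suffix)
            and origin.startswith(prefix) and origin.endswith(suffix))


def cors_response_headers(rules, origin, method, requested_headers=()):
    """CORS headers for the first rule matching origin, method and requested
    headers; {} means S3 adds none and the browser blocks the response."""
    for rule in rules:
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule["AllowedHeaders"]]
        if "*" not in allowed and any(h.lower() not in allowed for h in requested_headers):
            continue
        for pattern in rule["AllowedOrigins"]:
            if origin_matches(pattern, origin):
                # A literal "*" rule answers "*"; a specific rule echoes the caller's origin
                hdrs = {"Access-Control-Allow-Origin": "*" if pattern == "*" else origin,
                        "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"])}
                if rule["ExposeHeaders"]:
                    hdrs["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
                if rule["MaxAgeSeconds"]:
                    hdrs["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
                return hdrs
    return {}
```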

S3 MFA Delete

Amazon S3 - MFA Delete

  • MFA (Multi-Factor Authentication) - force users to generate a code on a device (usually a mobile phone or hardware) before doing important
  • MFA will be required to:
    ◦ Permanently delete an object version
    ◦ Suspend Versioning on the bucket
  • MFA won't be required to:
    ◦ Enable Versioning
    ◦ List deleted versions
  • To use MFA Delete, Versioning must be enabled on the bucket
  • Only the bucket owner (root account) can enable/disable MFA Delete

S3 Access Logs

S3 Access Logs

  • For audit purpose, you may want to log all access to S3 buckets
  • Any request made to S3, from any account, authorized or denied, will be logged into another S3 bucket
  • That data can be analyzed using data analysis tools...
  • The target logging bucket must be in the same AWS region
  • The log format is documented at: https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html

S3 Access Logs: Warning

  • Do not set your logging bucket to be the monitored bucket
  • It will create a logging loop, and your bucket will grow exponentially

S3 Pre-signed URLs

Amazon S3 - Pre-Signed URLs

  • Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
  • URL Expiration
    ◦ S3 Console - 1 min up to 720 mins (12 hours)
    ◦ AWS CLI - configure expiration with the --expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)
  • Users given a pre-signed URL inherit the permissions of the user that generated the URL for GET/PUT
  • Examples:
    ◦ Allow only logged-in users to download a premium video from your S3 bucket
    ◦ Allow an ever-changing list of users to download files by generating URLs dynamically
    ◦ Allow a user to temporarily upload a file to a precise location in your S3 bucket
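An added, stdlib-only example (not the course's code and not the AWS SDK) that produces a SigV4 pre-signed GET URL and checks its expiry the way S3 does, so the query parameters carrying the signer's credential and the expiry window are visible. The access key, secret, bucket, object key and timestamps are constructed placeholders.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# Added example (not from the course notes): a stdlib-only SigV4 query-string
# presigner for GET, showing what a pre-signed URL carries and how its expiry is
# enforced. The access key, secret and bucket are constructed placeholders.
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEPLACEHOLDER", "example-secret-not-a-real-key"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, expires_in, now):
    """GET URL valid for expires_in seconds from `now` (aware UTC datetime). S3
    evaluates each use of the URL as the IAM principal whose key signed it."""
    if not 1 <= expires_in <= 604800:  # same bounds as the CLI --expires-in
        raise ValueError("expires_in must be between 1 and 604800 seconds")
    host, day = f"{bucket}.s3.{region}.amazonaws.com", now.strftime("%Y%m%d")
    amz_date, scope = now.strftime("%Y%m%dT%H%M%SZ"), f"{day}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires_in), "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    path = "/" + quote(key, safe="/")
    # Canonical request: method, URI, query, canonical headers, signed headers, payload hash
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k_sign = _hmac(_hmac(_hmac(_hmac(("AWS4" + SECRET_KEY).encode(), day), region), "s3"), "aws4_request")
    signature = hmac.new(k_sign, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def url_is_expired(url, now):
    """What S3 checks on use: valid from X-Amz-Date for X-Amz-Expires seconds."""
    q = parse_qs(urlparse(url).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return now > issued + dt.timedelta(seconds=int(q["X-Amz-Expires"][0]))


def demo():
    """Sign at a fixed constructed time, then test the URL before and after expiry."""
    issued = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)
    url = presign_get("my-bucket", "reports/q1.pdf", "us-east-1", 3600, issued)
    return {"url": url,
            "usable_after_59_min": not url_is_expired(url, issued + dt.timedelta(minutes=59)),
            "expired_after_2_h": url_is_expired(url, issued + dt.timedelta(hours=2))}
```

Because the signing key is derived from the signer's secret, whoever holds the URL acts with that principal's permissions until X-Amz-Expires elapses, which is why short expirations are the default.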

Glacier Vault Lock & S3 Object Lock

S3 Glacier Vault Lock

  • Adopt a WORM (Write Once Read Many) model
  • Create a Vault Lock Policy
  • Lock the policy for future edits (can no longer be changed or deleted)
  • Helpful for compliance and data retention

S3 Object Lock (versioning must be enabled)

  • Adopt a WORM (Write Once Read Many) model
  • Block an object version deletion for a specified amount of time
  • Retention mode - Compliance:
    ◦ Object versions can't be overwritten or deleted by any user, including the root user
    ◦ Object retention modes can't be changed, and retention periods can't be shortened
  • Retention mode - Governance:
    ◦ Most users can't overwrite or delete an object version or alter its lock settings
    ◦ Some users have special permissions to change the retention or delete the object
  • Retention Period: protect the object for a fixed period; it can be extended
  • Legal Hold:
    ◦ Protect the object indefinitely, independent from the retention period
    ◦ Can be freely placed and removed using the s3:PutObjectLegalHold IAM permission

S3 Access Points & Object Lambda

S3 - Access Points

  • Each Access Point gets its own DNS and policy to limit who can access it
    ◦ A specific IAM user/group
    ◦ One policy per Access Point => easier to manage than complex bucket policies

S3 Object Lambda

  • Use AWS Lambda Functions to change the object before it is retrieved by the caller application
  • Only one S3 bucket is needed, on top of which we create S3 Access Point and S3 Object Lambda Access Points.
  • Use Cases:
    ◦ Redacting personally identifiable information for analytics or non-production environments
    ◦ Converting across data formats, such as converting XML to JSON
    ◦ Resizing and watermarking images on the fly using caller-specific details, such as the user who requested the object


Reposted from blog.csdn.net/guolianggsta/article/details/132360732