Data Protection: S3 Security, Encryption & Access Control

Difficulty: hard

Overview


S3 is the most common data store on AWS; securing it is a core SCS-C02 domain.

S3 Block Public Access (BPA):

  • Four settings to block: public bucket policies, public ACLs, cross-account bucket policies, ACL-based public access
  • Can be set at account level (overrides all buckets) or per-bucket
  • BPA at account level OVERRIDES bucket policies that try to grant public access

S3 Object Lock (WORM — Write Once Read Many):

| Mode | Who can override | Use case |
|---|---|---|
| Governance | Privileged users with s3:BypassGovernanceRetention | Flexible compliance |
| Compliance | NO ONE (including root) | Strict regulations (SEC, FINRA) |
  • Requires versioning enabled
  • Retention period: days to years; or Legal Hold (no fixed expiration)

S3 Versioning & MFA Delete:

  • Versioning: protects against accidental overwrites/deletes (creates delete markers)
  • MFA Delete: requires MFA to permanently delete versions or change versioning state
  • Only the root user can enable MFA Delete via CLI (not console)

S3 Glacier Vault Lock:

  • Compliance controls for Glacier vaults (not S3 Glacier storage class via lifecycle)
  • Once locked, vault lock policy is immutable — cannot be changed or deleted
  • Distinct from S3 Object Lock

S3 Encryption:

| Type | Key management | KMS API call | Header |
|---|---|---|---|
| SSE-S3 | AWS (AES-256) | | x-amz-server-side-encryption: AES256 |
| SSE-KMS | KMS (CMK or AWS managed) | ✅ per object (unless Bucket Keys) | x-amz-server-side-encryption: aws:kms |
| DSSE-KMS | KMS (dual-layer) | | x-amz-server-side-encryption: aws:kms:dsse |
| SSE-C | Customer per request | | Must provide key in each request, HTTPS required |

S3 Policy Evaluation (same account):

  • Explicit Deny wins always
  • If identity policy OR resource policy grants access (and no explicit deny) → access granted
  • Cross-account: BOTH identity policy and bucket policy must allow
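The three evaluation rules above, combined with the SSE-KMS header from the encryption table, as an added example that is not from the page or from AWS: a simplified Python evaluator over constructed policies. It is an assumption-laden toy, handling only Action matching, a single account-ID or "*" Principal, and the StringNotEquals and Bool condition operators, and it is no substitute for the IAM policy simulator.

```python
from fnmatch import fnmatch

# Constructed sample bucket policy (not from the page). It denies any PutObject that
# does not request SSE-KMS via the x-amz-server-side-encryption header, denies every
# request made over plain HTTP, and allows GetObject from one external account.
BUCKET_POLICY = [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Principal": "222222222222"},
]
# Constructed identity policy attached to the caller (no Principal element).
IDENTITY_POLICY = [{"Effect": "Allow", "Action": "s3:*"}]


def _condition_holds(cond, ctx):
    """StringNotEquals matches when the key is absent; Bool needs the key present."""
    for key, want in cond.get("StringNotEquals", {}).items():
        if ctx.get(key) == want:
            return False
    for key, want in cond.get("Bool", {}).items():
        if key not in ctx or str(ctx[key]).lower() != want:
            return False
    return True


def _statement_applies(stmt, action, caller_account, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch(action, pattern) for pattern in actions):
        return False
    principal = stmt.get("Principal")  # identity-policy statements carry no Principal
    if principal not in (None, "*", caller_account):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(action, caller_account, bucket_account, identity_policy, bucket_policy, ctx):
    """True if the request is allowed under the three rules listed above."""
    def effects(policy):
        return {s["Effect"] for s in policy if _statement_applies(s, action, caller_account, ctx)}
    ident, bucket = effects(identity_policy), effects(bucket_policy)
    if "Deny" in ident or "Deny" in bucket:          # explicit Deny always wins
        return False
    if caller_account == bucket_account:             # same account: either policy may allow
        return "Allow" in ident or "Allow" in bucket
    return "Allow" in ident and "Allow" in bucket    # cross-account: both must allow
```

A PutObject that omits the header or sends AES256 is denied by the first statement even though the caller's identity policy allows s3:*, which is exactly how a bucket policy enforces SSE-KMS regardless of who is calling.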

S3 Access Points:

  • Each access point has its own policy and can be restricted to a specific VPC
  • Simplifies large bucket policy management for multiple teams/applications
  • Access point ARN used instead of bucket ARN in application code

Pre-signed URLs:

  • Generated using caller's credentials; expire after specified duration
  • If generated with IAM role: URL valid max until role session expires (up to 12h from STS)
  • If IAM user: up to 7 days
  • If the signing role/user is deleted: the URL is immediately invalidated

Practice Linked Questions


Q1 (easy). S3 Block Public Access is enabled at the AWS account level. A developer creates a new S3 bucket and adds a bucket policy that allows public read access (s3:GetObject for Principal:*). What is the effective access to the bucket?

Q2 (medium). A financial company must retain trade records in S3 for exactly 7 years. During this period, NO ONE — including AWS, account root, and security administrators — should be able to modify or delete the objects. Which feature achieves this?

Q3 (hard). An S3 bucket has cross-region replication (CRR) enabled. Objects in the source bucket are encrypted with SSE-KMS using a Customer Managed Key in us-east-1. What is required for the replicated objects in the destination bucket (us-west-2)?

Q4 (hard). A company generates S3 pre-signed URLs using an IAM role for time-limited object downloads. A pre-signed URL was generated with 12-hour validity. The IAM role is deleted 2 hours after URL generation. What happens to the URL?

Q5 (medium). Which S3 data protection features help prevent data loss and support compliance requirements? (More than one answer may be correct — Select THREE.)

Q6 (hard). A company stores customer PII in S3 encrypted with a Customer Managed KMS Key. They want to: (1) detect if any PII is accidentally put in unencrypted S3 buckets, and (2) alert when unauthorized decryption of the KMS key occurs. Which combination achieves BOTH goals?

Q7 (hard). An organization runs a multi-account architecture with a centralized logging account. All 20 member accounts deliver CloudTrail logs to an S3 bucket in the logging account. The security team discovers that a member account administrator deleted CloudTrail logs from the S3 bucket 3 days ago. What proactive S3 control would have PREVENTED this deletion?

Q8 (medium). A large data lake S3 bucket is shared by 5 teams, each accessing different prefixes. Managing a single complex bucket policy is becoming error-prone. Which S3 feature simplifies access management while maintaining prefix-level control per team?

Q9 (medium). A company archives compliance documents in Amazon S3 Glacier. They need these archives to be IMMUTABLE — unmodifiable and undeletable — for 10 years, even by AWS. What should they use?