S3 Security Infographic

Amazon S3 Security Architecture

Mastering the trifecta of data protection: Bucket Policies, Access Points, and Object Lock (WORM).

Bucket Policies

Resource-based JSON policies that define WHO can access WHAT actions on your bucket.

  • Cross-account access
  • Enforce HTTPS-only connections
  • Restrict to specific VPC Endpoints
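As an added example that is not part of the infographic, the Python below builds the kind of bucket policy these bullets describe (HTTPS-only, pinned to one VPC endpoint) and audits any policy document for those two controls, which is the check a reviewer wants to run against every bucket. The bucket name and the VPC endpoint id are constructed placeholders.

```python
import json

# Constructed values: replace with the real bucket name and VPC endpoint id.
BUCKET = "example-sensitive-data"
VPCE_ID = "vpce-0123456789abcdef0"   # placeholder, not a real endpoint
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Both controls are explicit Deny statements, so they win over any Allow
# granted elsewhere (identity policy, other bucket statements, access points).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
        },
    ],
}

# A weak policy for comparison: anonymous read, no transport or network condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"}
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _denies_all_s3(stmt, bucket_arns):
    """True if the statement is an explicit Deny on every S3 action, for any
    principal, covering every listed ARN (the bucket itself and its objects)."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if "s3:*" not in _as_list(stmt.get("Action", [])):
        return False
    return all(arn in _as_list(stmt.get("Resource", [])) for arn in bucket_arns)


def enforces_https(policy, bucket_arns):
    """Does a broad Deny fire when aws:SecureTransport is false (plain HTTP)?"""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        flag = str(cond.get("aws:SecureTransport", "")).lower()   # IAM accepts "false" or false
        if _denies_all_s3(stmt, bucket_arns) and flag == "false":
            return True
    return False


def restricted_to_vpce(policy, bucket_arns):
    """Return the VPC endpoint id(s) every request must arrive through, or None
    when the policy does not pin access to a VPC endpoint."""
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if _denies_all_s3(stmt, bucket_arns) and "aws:SourceVpce" in cond:
            return _as_list(cond["aws:SourceVpce"])
    return None


def audit_policy(policy_doc, bucket):
    """Audit one policy document (a dict, or the JSON text that
    get-bucket-policy returns) and report whether both controls are present."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"https_only": enforces_https(policy, arns),
            "vpce_allowlist": restricted_to_vpce(policy, arns)}


if __name__ == "__main__":
    print("hardened:", audit_policy(json.dumps(HARDENED_POLICY), BUCKET))
    print("weak:    ", audit_policy(WEAK_POLICY, BUCKET))
```

The audit is deliberately strict: a Deny that names only the object ARN (and not the bucket ARN) is not counted as enforcing HTTPS, because bucket-level operations such as listing would still be reachable over plain HTTP.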

Access Points

Unique hostnames that simplify data access for shared datasets at scale.

  • Decoupled policy management
  • Specific prefix-level isolation
  • VPC-only network routing

Object Lock (WORM)

Ensures objects cannot be deleted or overwritten for a fixed amount of time.

  • Write Once, Read Many
  • Compliance vs Governance modes
  • Legal Hold protection

The Security Evaluation Journey

How S3 processes an incoming request through the security layers.

Request flow: IAM Principal → Access Point → Bucket Policy → Object Lock

Step 1: Access Point

The request hits the specific Access Point. If the AP policy denies it, the request is blocked immediately.

Step 2: Bucket Policy

S3 evaluates the global Bucket Policy. Any explicit ‘Deny’ here overrides any ‘Allow’ elsewhere.

Step 3: Object Lock

If the action is ‘Delete’, S3 checks whether the object is under a retention period or a legal hold.

Quick Reference

Combining these three layers creates a “Defense in Depth” strategy for sensitive cloud data.

Compliance Mode

Even the Root user cannot delete the object until the retention period expires. Use for strict regulatory requirements.

Governance Mode

Users with special IAM permissions can bypass retention settings or delete objects.
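As an added example that is not part of the infographic, the Python below models the three-step evaluation journey above and the Compliance versus Governance distinction in this Quick Reference. It is a deliberately simplified model, not AWS's evaluator: the lambdas stand in for IAM Condition blocks, identity policies are reduced to one flag, and the policies, prefix, endpoint id and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Simplified model of the three S3 layers. Real IAM also weighs identity
# policies, SCPs, session policies and many more condition keys.
PROTECTED_ACTIONS = {"s3:DeleteObjectVersion"}   # Object Lock guards object versions


@dataclass
class Statement:
    effect: str                                   # "Allow" or "Deny"
    actions: List[str]                            # e.g. ["s3:GetObject"] or ["s3:*"]
    condition: Callable[[dict], bool] = lambda ctx: True   # stands in for a Condition block

    def matches(self, action: str, ctx: dict) -> bool:
        return ("s3:*" in self.actions or action in self.actions) and self.condition(ctx)


def evaluate_policy(statements: List[Statement], action: str, ctx: dict) -> str:
    """IAM semantics in miniature: an explicit Deny beats any Allow, and with
    no matching statement at all the answer is an implicit deny."""
    effects = {s.effect for s in statements if s.matches(action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


@dataclass
class ObjectLock:
    mode: Optional[str] = None                    # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


def object_lock_blocks(lock: ObjectLock, ctx: dict, now: datetime) -> bool:
    """Step 3: decide whether Object Lock stops a delete of a protected version."""
    if lock.legal_hold:
        return True           # a legal hold blocks regardless of mode, retention or permissions
    if lock.mode is None or lock.retain_until is None or now >= lock.retain_until:
        return False          # no retention set, or the retention period has expired
    if lock.mode == "COMPLIANCE":
        return True           # nobody, root included, can shorten or bypass it
    # GOVERNANCE: bypass needs both the s3:BypassGovernanceRetention permission
    # and an explicit bypass on the request (x-amz-bypass-governance-retention).
    return not (ctx.get("can_bypass_governance") and ctx.get("bypass_requested"))


def evaluate_request(ctx: dict, action: str, ap_policy: Optional[List[Statement]],
                     bucket_policy: List[Statement], lock: ObjectLock, now: datetime) -> str:
    """Walk one request through the layers in the order the infographic shows."""
    # Step 1: the Access Point policy (absent when the bucket is addressed directly).
    if ap_policy is not None and evaluate_policy(ap_policy, action, ctx) == "Deny":
        return "Denied at Access Point"
    # Step 2: the bucket policy; an explicit Deny here overrides any Allow elsewhere.
    result = evaluate_policy(bucket_policy, action, ctx)
    if result == "Deny":
        return "Denied by bucket policy"
    if result == "ImplicitDeny" and not ctx.get("identity_allows"):
        return "No matching Allow"   # nothing granted access, so the implicit deny stands
    # Step 3: Object Lock only matters for the destructive actions it protects.
    if action in PROTECTED_ACTIONS and object_lock_blocks(lock, ctx, now):
        return "Blocked by Object Lock"
    return "Allowed"


# --- constructed policies and scenarios ------------------------------------
VPCE_ID = "vpce-0123456789abcdef0"               # placeholder endpoint id

# Access point scoped to the finance/ prefix: deny anything outside it.
FINANCE_AP_POLICY = [
    Statement("Deny", ["s3:*"], lambda c: not c["key"].startswith("finance/")),
    Statement("Allow", ["s3:GetObject", "s3:DeleteObjectVersion"]),
]

# Bucket policy: HTTPS only, and only from the approved VPC endpoint.
BUCKET_POLICY = [
    Statement("Deny", ["s3:*"], lambda c: not c["secure_transport"]),
    Statement("Deny", ["s3:*"], lambda c: c.get("source_vpce") != VPCE_ID),
    Statement("Allow", ["s3:*"], lambda c: c.get("source_vpce") == VPCE_ID),
]

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed "current time"
LOCKED_UNTIL = NOW + timedelta(days=365)


def run_scenarios() -> dict:
    """Outcome of a handful of constructed requests, keyed by scenario name."""
    base = {"key": "finance/q4.csv", "secure_transport": True, "source_vpce": VPCE_ID}
    admin = {**base, "can_bypass_governance": True, "bypass_requested": True}

    def req(ctx, action, lock=ObjectLock()):
        return evaluate_request(ctx, action, FINANCE_AP_POLICY, BUCKET_POLICY, lock, NOW)

    compliance = ObjectLock("COMPLIANCE", LOCKED_UNTIL)
    governance = ObjectLock("GOVERNANCE", LOCKED_UNTIL)
    held = ObjectLock("GOVERNANCE", LOCKED_UNTIL, legal_hold=True)
    expired = ObjectLock("COMPLIANCE", NOW - timedelta(days=1))
    return {
        "https_get_via_vpce": req(base, "s3:GetObject"),
        "plain_http_get": req({**base, "secure_transport": False}, "s3:GetObject"),
        "get_outside_prefix": req({**base, "key": "hr/payroll.csv"}, "s3:GetObject"),
        "compliance_delete_by_admin": req(admin, "s3:DeleteObjectVersion", compliance),
        "governance_delete_by_admin": req(admin, "s3:DeleteObjectVersion", governance),
        "governance_delete_no_bypass": req(base, "s3:DeleteObjectVersion", governance),
        "legal_hold_delete_by_admin": req(admin, "s3:DeleteObjectVersion", held),
        "expired_retention_delete": req(base, "s3:DeleteObjectVersion", expired),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:30} -> {outcome}")
```

Running the block prints one line per scenario. The two Governance cases show the point of the mode: the same delete is blocked for an ordinary principal and allowed for one that both holds the bypass permission and asks for the bypass explicitly, while the Compliance and legal-hold cases are blocked for everyone until the retention period ends or the hold is lifted.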

Multi-Region APs

Route traffic to the closest bucket automatically using a single global endpoint.

© 2023 Cloud Security Education — AWS S3 Architecture Series
