
Restrict AWS S3 bucket access, even from account owner

I want to restrict access to AWS S3 buckets only to the applications running code on them. All other users should not be able to view or access the bucket, even the AWS account owner.

From the solutions mentioned on amazon, the account owner has access to all the services.

One solution can be to encrypt the data in the buckets and the application code holds the logic to decrypt it. But I am looking for a better solution, if there is any.

Any solution appreciated!

With the exception of the root login, all content in Amazon S3 is private by default. No users can access it unless permissions are granted via IAM or a Bucket Policy.

So, the simple answer is to only grant access to the specific entities that should have access. This is made slightly more complicated where organizations wish to grant "administrator" access, with a policy that might grant access to all Amazon S3 buckets. This can be corrected by applying a Deny policy that overrides the Allow policy. For example, Admins might have Allow access to all S3 buckets, but a Deny policy might then remove their access to specific buckets.

Where super-sensitive information is kept in Amazon S3, a common practice is to put the sensitive data in an Amazon S3 bucket in a different AWS account. This way, even Admins and the root login cannot have access to the bucket. Only the root login of the other account can obtain access.

Another common practice is to protect the root login with Multi-Factor Authentication (MFA), such as a physical device, then lock that physical device in a safe. Or, split the password into two halves, with different people having each half. This prevents the root login from being used, but allows its use in critical situations.

Encrypting information in the app is good, but if the app is able to decrypt it, then somebody with access to the app source code can figure out how to decrypt it too. Even if encryption keys are kept in the AWS Secrets Manager, the root login would have access to those secrets.

Bottom line: Secure the root login using a physical MFA that is locked away, then use IAM policies to grant access as desired.

Also, be careful how access is granted to an application. If it is done via an IAM Role, then make sure that other people can't assume that role and get the same access themselves.
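The following is an added example, not code from the question or the answer above. It writes out the bucket policy the answer describes (an Allow for the application's IAM role plus a Deny for every other principal) in real S3 policy syntax, and pairs it with a deliberately simplified evaluator that applies the one IAM rule the answer relies on: an explicit Deny in any applicable policy beats any Allow. The account ID `123456789012`, the bucket `example-sensitive-bucket` and the roles `app-role` and `Admin` are made-up names; the evaluator models only `ArnLike`/`ArnNotLike` on `aws:PrincipalArn` and ignores SCPs, permission boundaries and session policies.

```python
"""Added example: restrict an S3 bucket to one IAM role with an explicit Deny.
Not code from the original post. Account ID, bucket and role names are
hypothetical; the evaluator is a deliberately reduced model of IAM."""
import fnmatch
import json

ACCOUNT = "123456789012"                    # hypothetical account ID
BUCKET = "example-sensitive-bucket"         # hypothetical bucket name
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-role"   # the application's role
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Admin"    # a broad-admin role

BUCKET_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Bucket policy in S3 policy syntax. aws:PrincipalArn resolves to the role ARN
# (not the STS assumed-role ARN) for role sessions, so matching on it works for
# the application's instance/container credentials.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": BUCKET_RESOURCES,
        },
        {
            "Sid": "DenyEveryoneElse",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_RESOURCES,
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": [APP_ROLE]}},
        },
    ],
}

# Identity policy attached to the Admin role: Allow on every bucket.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def bucket_policy_json():
    """Text you would pass to `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards '*' and '?' behave like fnmatch's; ARNs contain no '['.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")  # identity policies carry no Principal
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), principal_arn)


def _condition_holds(stmt, principal_arn):
    """Only ArnLike / ArnNotLike on aws:PrincipalArn are modelled here."""
    cond = stmt.get("Condition", {})
    like = cond.get("ArnLike", {}).get("aws:PrincipalArn")
    not_like = cond.get("ArnNotLike", {}).get("aws:PrincipalArn")
    if like is not None and not _matches(like, principal_arn):
        return False
    if not_like is not None and _matches(not_like, principal_arn):
        return False
    return True


def is_allowed(principal_arn, action, resource, policies):
    """Reduced same-account IAM evaluation: any matching explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    decision = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_matches(stmt, principal_arn)
                    and _matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt, principal_arn)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny: evaluation stops here
            decision = True
    return decision


def scenario():
    """Who can read an object in the locked-down bucket?"""
    obj = f"arn:aws:s3:::{BUCKET}/secrets.txt"
    both = [ADMIN_IDENTITY_POLICY, BUCKET_POLICY]
    return {
        "app_get": is_allowed(APP_ROLE, "s3:GetObject", obj, [BUCKET_POLICY]),
        "app_delete": is_allowed(APP_ROLE, "s3:DeleteObject", obj, [BUCKET_POLICY]),
        "admin_get": is_allowed(ADMIN_ROLE, "s3:GetObject", obj, both),
        "admin_other_bucket": is_allowed(
            ADMIN_ROLE, "s3:GetObject", "arn:aws:s3:::other-bucket/x", both),
    }


if __name__ == "__main__":
    print(bucket_policy_json())
    print(scenario())
```

Two caveats a practitioner should keep in mind when applying this. First, the `Deny` with `Principal: "*"` also denies the account's root user for data access, but AWS lets the bucket-owning account's root user call `PutBucketPolicy` and `DeleteBucketPolicy` regardless of such a Deny (so that an account cannot lock itself out permanently); that is exactly why the answer's advice to put the root MFA device in a safe matters. Second, the Deny only helps if `app-role` itself cannot be assumed by the people you are trying to exclude, so its trust policy should name only the service or workload that needs it.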
