Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Improve data protection by securing S3 buckets

Feb 12, 2023

Many companies are using cloud environments, such as Amazon Web Services (AWS), for their infrastructure needs. Luckily, AWS provides powerful security control options to help businesses with securing S3 buckets — you just have to enable them.

Security breaches such as unauthorized access or inappropriately configured S3 buckets happen because businesses aren’t taking the proper security measures. By taking a layered approach to security and aligning your controls with existing security frameworks, you can improve data protection.

Here are security best practices that you can implement related to securing infrastructure in the cloud, and specifically S3:

Align your controls to security frameworks

If you’re uncertain about which AWS S3 security controls to enable, looking at security frameworks can help you decide where to start.

Frameworks like the AICPA SOC2 Trust Services Criteria can help to guide technology teams as they look to secure the cloud environment. Aligning controls with the criteria helps your organization ensure it is optimizing security measures. It also reduces stress when it may come time to complete a third-party audit.

For example, the SOC 2 criteria requires organizations to have measures in place to protect data from outside threats. The criteria states, “the entity implements logical access security measures to protect against threats from sources outside its system boundaries.”

AWS has enabled certain inherent security measures when creating S3 buckets so that, by default, the buckets and objects are configured to be private. One helpful tip is training your infrastructure team to create S3 Buckets using AWS Config. By using this practice, the bucket will be created with the S3 bucket and objects as private automatically

Use a layered approach

Oftentimes, businesses take a reactionary stance to security. Instead, it’s better to take a layered security approach, ensuring both preventative and detective controls are in place.

Preventative controls are measures you put in place to be proactive about security. Detective controls are the mechanisms you put in place to identify when suspicious activity has occurred, or when unauthorized access has already happened, allowing you to take quick action.

The best way to apply controls is to first conduct a risk assessment. This will help you identify the most critical areas to focus on.

Here are some options for preventative and detective controls you can enable within the AWS cloud environment to help protect data held in S3 buckets:

Preventative controls

AWS provides encryption options for data both in transit and at rest. There are multiple options related to key management, and the security of those encryption keys, to prevent unwanted access to sensitive information.

It is also important to practice good hygiene as it relates to identity and access management.

Too often, businesses aren’t being careful when granting access to external users, such as clients. This can lead to mistakes, making data available to unwanted sources.

Within the AWS environment, there are multiple ways to configure access to users, objects and services. There are also multiple reports and tools available to analyze access within the environment.

Reviewing access to key data stores, including S3, is an important preventative measure. Remember to grant read-only access in all cases, where possible. And access to update or deleted information should be restricted to only needed scenarios.

You can further increase your level of data security by carefully examining where data should be written to or accessed from, and how you grant permissions.

Your business should also periodically review your access controls. Keep your list updated so that it properly reflects the staff, clients or other users who might need access. Document access changes, review for appropriateness and empower technology teams to always ask if the change is really needed

Detective controls

One powerful option for detective controls is automated alerting.

With automated alerts, you can configure AWS resources to inform your team when suspicious behavior, such as high-risk activities like changes to configurations or access controls, occurs.

From there, you can also determine an automated action that will take place if a specific behavior has occurred.

For example, if an S3 bucket configuration change is made and the bucket is made public, the team can configure resources like Lambda to automatically change the configuration back to private and send alerts related to the situation.

It’s a more efficient and accurate alternative to manually checking security logs. And since automated alerts provide real-time updates, your organization can act quickly and limit potential damages.

How Wipfli can help

At Wipfli, our team is here to help you with all areas of data protection. We not only support you through your security assessment, but we also provide our knowledge and experience to help you improve your controls. Contact us today for more ways we can help improve security measures in your business.

Sign up to receive more information, or continue reading:


Mary Beth Marchione, CPA, CISA, CISSP
View Profile