Object Ownership, Other Security Features Added to Amazon S3
Amazon Web Services (AWS) recently introduced three new security features to its Simple Storage Service (S3), giving users more control over who can access which S3 buckets in their organization.
Misconfigured Amazon S3 buckets have been at the root of many high-profile data security blunders over the last few years. Besides explicitly warning users to make sure their S3 buckets are properly configured (i.e., not wide-open to the public), AWS has also rolled out several security tools for the service, including the machine learning-powered Macie.
This month, AWS added three more. In a blog post, AWS evangelist Jeff Barr described the features as "Object Ownership," "Bucket Owner Condition" and "Copy API via Access Points." All three are free to use and are designed to give organizations "new ways to regulate access to their mission-critical buckets and objects," Barr said.
The Object Ownership feature ensures that objects newly uploaded to an S3 bucket have the same owner as the bucket itself. Previously, the owner of an S3 bucket did not necessarily control all of the objects in it, which Barr noted "can lead to confusion." Organizations typically ran a Lambda function to work around this issue, he said; the Object Ownership feature now simplifies the process.
"You can now use a new per-bucket setting to enforce uniform object ownership within a bucket," Barr said. "This will simplify many applications, and will obviate the need for the Lambda-powered self-COPY that has become a popular way to do this up until now."
The Bucket Owner Condition capability, described in greater detail here, lets users confirm that they own an S3 bucket before making any changes to it. Users include their AWS account ID in the API request, and S3 checks it against the account that owns the bucket. If it matches, the request proceeds; if not, it is rejected with a 403 error.
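The following is an added illustration of how the two settings above behave, not code from AWS or from Barr's post. It does not call S3; it is a small in-memory model of the observable rules: the Bucket Owner Condition rejects a request with 403 when the caller's expected owner account does not match the bucket's owner, and Object Ownership (the BucketOwnerPreferred setting) transfers ownership of an upload to the bucket owner when the uploader grants the bucket-owner-full-control canned ACL. The header and setting names (x-amz-expected-bucket-owner, x-amz-acl, BucketOwnerPreferred, ObjectWriter) are the real S3 ones, though they do not appear in the article; the account IDs, bucket name, object keys and the companion bucket policy are constructed sample values.

```python
"""Toy model of S3's Bucket Owner Condition and Object Ownership checks.

Added illustration only: this is not AWS code and does not talk to S3.
Header/setting names are the real S3 ones; account IDs and keys are
constructed sample values.
"""
from dataclasses import dataclass, field
import json

EXPECTED_OWNER_HEADER = "x-amz-expected-bucket-owner"   # Bucket Owner Condition
ACL_HEADER = "x-amz-acl"
BUCKET_OWNER_FULL_CONTROL = "bucket-owner-full-control"
BUCKET_OWNER_PREFERRED = "BucketOwnerPreferred"          # Object Ownership setting
OBJECT_WRITER = "ObjectWriter"                           # legacy default: uploader owns


@dataclass
class Bucket:
    name: str
    owner_account: str
    object_ownership: str = OBJECT_WRITER
    objects: dict = field(default_factory=dict)  # object key -> owning account ID


def check_expected_owner(bucket: Bucket, headers: dict) -> int:
    """Bucket Owner Condition: if the caller states which account it expects to
    own the bucket, the request fails with 403 when that is not the case.
    Without the header the request is evaluated as before."""
    expected = headers.get(EXPECTED_OWNER_HEADER)
    if expected is None or expected == bucket.owner_account:
        return 200
    return 403


def resolve_object_owner(bucket: Bucket, uploader: str, headers: dict) -> str:
    """Object Ownership: under BucketOwnerPreferred, an upload that grants the
    bucket-owner-full-control ACL is owned by the bucket owner. Otherwise
    ownership stays with the uploading account (the pre-feature behaviour)."""
    if (bucket.object_ownership == BUCKET_OWNER_PREFERRED
            and headers.get(ACL_HEADER) == BUCKET_OWNER_FULL_CONTROL):
        return bucket.owner_account
    return uploader


def put_object(bucket: Bucket, key: str, uploader: str, headers: dict) -> int:
    """Simulated PutObject: owner check first, then record the object's owner."""
    status = check_expected_owner(bucket, headers)
    if status != 200:
        return status
    bucket.objects[key] = resolve_object_owner(bucket, uploader, headers)
    return 200


def require_full_control_policy(bucket_name: str) -> str:
    """Bucket policy that pairs with BucketOwnerPreferred: deny any upload that
    does not grant the bucket owner full control, so a cross-account writer
    cannot leave behind objects the bucket owner does not own."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireBucketOwnerFullControl",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-acl": BUCKET_OWNER_FULL_CONTROL}
            },
        }],
    }
    return json.dumps(policy, indent=2)


def demo() -> dict:
    """Walk through the cases with constructed account IDs."""
    bucket = Bucket("example-logs", owner_account="111111111111",
                    object_ownership=BUCKET_OWNER_PREFERRED)
    results = {}
    # Cross-account upload that grants the bucket owner full control.
    results["with_acl"] = put_object(bucket, "a.log", "222222222222",
                                     {ACL_HEADER: BUCKET_OWNER_FULL_CONTROL})
    # Cross-account upload without the ACL: the uploader keeps ownership.
    results["without_acl"] = put_object(bucket, "b.log", "222222222222", {})
    # Caller expected a different bucket owner: rejected before any write.
    results["wrong_owner"] = put_object(bucket, "c.log", "111111111111",
                                        {EXPECTED_OWNER_HEADER: "333333333333"})
    results["owners"] = dict(bucket.objects)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(require_full_control_policy("example-logs"))
```

The two settings address different failure modes: the expected-owner header protects a caller from writing to a bucket that has been deleted and recreated under another account (the write is refused rather than landing in a stranger's bucket), while BucketOwnerPreferred plus the deny policy protects the bucket owner from accumulating objects it cannot read or delete.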
Finally, the Copy API via Access Points feature gives users a simpler way to assign access to an S3 bucket. "Instead of managing a single and possibly complex policy on a bucket, you can create an access point for each application, and then use an IAM policy to regulate the S3 operations that are made via the access point," Barr said.
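As an added example of the per-application pattern Barr describes (not a policy from AWS or from the article), the IAM policy below is attached to one application's role and grants object access only through that application's own access point, so the bucket policy itself can stay small. The region, account ID and access point name are placeholders; the resource ARN form for objects reached through an access point (accesspoint/NAME/object/KEY) is the documented one.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppAOnlyViaItsAccessPoint",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:REGION:ACCOUNT_ID:accesspoint/app-a/object/*"
    }
  ]
}
```

Because the copy operation reads the source object and writes the destination, a copy routed through access points needs this kind of grant on both ends; a second application gets a sibling policy naming its own access point, and neither role can reach the other's prefix even though both sit on the same bucket.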