S3 Bucket Policy Allows Public Access
AWS S3 Bucket Policies should deny public access to S3 data. This should be part of a standard bucket policy applied to all buckets within your organisation.
S3 stores data at scale. Misconfigured buckets are a common source of data breaches. Proper access controls, encryption, and monitoring are critical to prevent exposure.
AWS S3 Bucket Website Endpoints have been superseded by better architectural patterns that bring greater control and data protection.
For AWS S3 Buckets with neither the full set of Public Access Blocks nor a Bucket Policy that prevents public access, the hosted data should be considered publicly accessible.
AWS S3 Buckets without a Bucket Policy are prone to insecure behaviour that does not meet modern security standards.
Invalid AWS S3 Bucket Policies must be replaced with a functioning policy to ensure that they provide provable security protection.
AWS S3 offers Public Access Blocks to override bucket changes that leak data. Implementing all Public Access Blocks should be a standard policy for all buckets.
AWS S3 Bucket names can include the account ID, which eases cross-account management and introduces name entropy via a manageable naming convention.
AWS S3 Buckets should enforce the transfer of ownership for objects upon upload.
AWS S3 Buckets allow unencrypted uploads, which need to be blocked via Bucket Policy.