Duoyun Cloud
Tutorials, 2026-04-15

AWS S3 Bucket Setup and Security Best Practices

Tags: AWS, S3, Storage, Security


Amazon Simple Storage Service (S3) is one of AWS's most widely adopted object storage services. With 99.999999999% (eleven 9s) data durability and 99.99% availability, it has become the go-to solution for enterprise data storage. However, S3's default configuration is not optimized for security out of the box—misconfigured permissions can lead to devastating data breaches. This article systematically covers the S3 bucket configuration process and security best practices.

1. Creating an S3 Bucket

1.1 Basic Configuration

Log in to the AWS Management Console, navigate to the S3 service, and click "Create bucket." Key configuration items include:

  • Bucket name: Globally unique, 3-63 characters, lowercase letters, numbers, and hyphens only
  • Region selection: Choose the region closest to your users to minimize latency. For Asia-Pacific users, consider ap-northeast-1 (Tokyo) or ap-southeast-1 (Singapore)

1.2 Storage Class Comparison

| Feature | S3 Standard | S3 Intelligent-Tiering | S3 Standard-IA | S3 One Zone-IA | S3 Glacier |
|---------|-------------|------------------------|----------------|----------------|------------|
| Min Storage Duration | None | None | 30 days | 30 days | 90 days |
| Retrieval Fee | None | None | $0.01/GB | $0.01/GB | $0.02-0.10/GB |
| Storage Price (first 50 TB/mo) | $0.023/GB | $0.023/GB | $0.0125/GB | $0.01/GB | $0.004/GB |
| Availability Zones | ≥3 | ≥3 | ≥3 | 1 | ≥3 |
| Use Case | Frequent access | Unknown patterns | Infrequent access | Reconstructable data | Archival |

2. Security Configuration Best Practices

2.1 Block Public Access (Critical!)

This is the single most important security setting. AWS has enabled "Block all public access" by default since 2018, but older buckets may not have this enabled.

Strongly recommended: Enable all four block settings at both the bucket level and account level:

  1. Block all public access — Enable
  2. Block public access granted through new access control lists (ACLs) — Enable
  3. Block public access granted through any access control lists (ACLs) — Enable
  4. Block public access granted through new public bucket policies — Enable

2.2 Bucket Policy Configuration

Bucket policies are the most flexible permission control mechanism in S3. Here are practical policy examples:

Allow access only from a specific VPC endpoint. Note that this explicit Deny applies to every principal, including the account's own administrators: any request that does not arrive through the named endpoint (for example, one made from the console) is rejected, so make sure a path to edit the policy remains before applying it:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
    ],
    "Condition": {
      "StringNotEquals": {
        "aws:SourceVpce": "vpce-1a2b3c4d"
      }
    }
  }]
}
```

Enforce SSL/TLS for all requests. The Resource list names both the bucket and its objects so that bucket-level operations such as ListBucket are also refused over plain HTTP:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
    ],
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "false"
      }
    }
  }]
}
```
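The following is an added example, not code from the article: an offline linter that checks a bucket policy document for the two controls discussed in this section, flags an unconditioned Allow to everyone, and warns when the TLS-only Deny covers objects but not the bucket itself. The three sample policies at the bottom are constructed for the demonstration; the bucket ARN is the article's placeholder.

```python
BUCKET_ARN = "arn:aws:s3:::my-bucket"  # same placeholder bucket name as the policies above


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anyone(principal):
    """True for the two spellings of 'any principal': "*" and {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def lint_bucket_policy(policy, bucket_arn=BUCKET_ARN):
    """Return a list of findings; an empty list means the policy passes every check here."""
    findings = []
    has_tls_deny = False
    for stmt in _as_list(policy.get("Statement", [])):
        effect, cond = stmt.get("Effect"), stmt.get("Condition", {})
        resources = _as_list(stmt.get("Resource", []))
        # An unconditioned Allow to everyone makes the bucket public regardless of ACLs.
        if effect == "Allow" and _is_anyone(stmt.get("Principal")) and not cond:
            findings.append("public Allow with no Condition: " + ",".join(_as_list(stmt.get("Action", []))))
        # The TLS-only Deny must also cover the bucket ARN, or ListBucket still works over plain HTTP.
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            has_tls_deny = True
            if bucket_arn not in resources:
                findings.append("SecureTransport deny covers objects only; add the bucket ARN")
        # A Deny keyed on aws:SourceVpce hits administrators too; make sure a path to fix it exists.
        if effect == "Deny" and _is_anyone(stmt.get("Principal")) and "aws:SourceVpce" in cond.get("StringNotEquals", {}):
            findings.append("note: VPC-endpoint deny also blocks console/admin access from outside the VPC")
    if not has_tls_deny:
        findings.append("no Deny statement on aws:SecureTransport=false")
    return findings


def _deny_insecure(resource):
    """The article's 'deny unless TLS' statement, parameterised on Resource."""
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": resource,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


# Constructed sample policies: objects-only TLS deny, the hardened form, and a public-read bucket.
WEAK = {"Version": "2012-10-17", "Statement": [_deny_insecure(BUCKET_ARN + "/*")]}
HARDENED = {"Version": "2012-10-17", "Statement": [_deny_insecure([BUCKET_ARN, BUCKET_ARN + "/*"])]}
PUBLIC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    _deny_insecure([BUCKET_ARN, BUCKET_ARN + "/*"])]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED), ("public", PUBLIC)):
        print(name, lint_bucket_policy(pol) or "OK")
```

Conditioned Allows are deliberately not flagged; review those by hand, since a condition can still leave the bucket effectively public.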

2.3 Encryption Settings

| Encryption Type | Method | Use Case | Cost |
|-----------------|--------|----------|------|
| SSE-S3 | AWS-managed keys | General purpose | Free |
| SSE-KMS | KMS customer-managed keys | High compliance requirements | $1/key/mo + $0.03/10K requests |
| SSE-C | Customer-provided keys | Full key control | Free |
| Client-side | Application-layer encryption | Maximum security | Free |

Recommendation: Use SSE-KMS encryption by default with annual key rotation.

2.4 Versioning and Object Lock

  • Versioning: Enable it on all production buckets so that accidentally deleted or overwritten objects can be recovered from earlier versions
  • Object Lock: Enable WORM (Write Once Read Many) mode to meet compliance requirements such as SEC 17a-4; Object Lock requires versioning to be enabled
  • MFA Delete: Enable it on critical buckets so that permanently deleting a version or changing the versioning state requires an MFA code; it can only be set by the account root user through the CLI or API

3. Monitoring and Auditing

3.1 CloudTrail Logging

Enable CloudTrail to log S3 API calls. Bucket-level (management) events such as PutBucketPolicy are recorded by default; object-level data events (GetObject, PutObject, DeleteObject) must be turned on explicitly for the buckets you care about. Recommended additional configurations:

  • Send CloudTrail logs to a dedicated S3 bucket
  • Enable log file validation
  • Configure SNS notifications for real-time alerts
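As an added example (not from the article), the detection logic below scans CloudTrail records for the bucket-level S3 calls that weaken the controls from section 2, rating a change that clears any of the four Block Public Access flags or suspends versioning as high severity. The record shapes follow the documented CloudTrail S3 event format, but the records themselves are constructed for this demonstration.

```python
# Constructed CloudTrail records; only the fields the scanner reads are populated.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "my-bucket", "PublicAccessBlockConfiguration": {
         "BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"bucketName": "my-bucket", "key": "report.pdf"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "my-bucket", "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "my-bucket"}},
]

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Bucket-level calls that change a control from sections 2.1-2.4, with a baseline severity.
WATCHED = {"PutBucketPolicy": "medium", "DeleteBucketPolicy": "high", "PutBucketAcl": "high",
           "PutPublicAccessBlock": "medium", "DeletePublicAccessBlock": "high",
           "PutBucketEncryption": "medium", "DeleteBucketEncryption": "high",
           "PutBucketVersioning": "medium", "PutObjectLockConfiguration": "medium"}


def classify(record):
    """Return (severity, message) for one record, or None if it needs no alert."""
    name = record.get("eventName")
    if record.get("eventSource") != "s3.amazonaws.com" or name not in WATCHED:
        return None
    params = record.get("requestParameters") or {}
    bucket = params.get("bucketName", "<unknown>")
    who = record.get("userIdentity", {}).get("arn", "<unknown>")
    severity, detail = WATCHED[name], name
    if name == "PutPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration", {})
        off = [f for f in PAB_FLAGS if not cfg.get(f, False)]
        if off:  # any of the four flags cleared means the bucket can become public
            severity, detail = "high", "PutPublicAccessBlock cleared " + ",".join(off)
    elif name == "PutBucketVersioning" and params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
        severity, detail = "high", "PutBucketVersioning suspended versioning"
    return severity, f"{who} {detail} on {bucket}"


def scan(records):
    """Alerts for a batch of records, high severity first (stable order otherwise)."""
    hits = [h for h in map(classify, records) if h]
    return sorted(hits, key=lambda h: h[0] != "high")
```

Feed it the records array from a delivered CloudTrail log file (or the SNS-triggered event stream) and route "high" alerts to an on-call channel.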

3.2 CloudWatch Metrics and Alarms

Key monitoring metrics (daily storage metrics such as BucketSizeBytes are free; per-request metrics must be enabled for each bucket and are billed):

| Metric | Alarm Threshold | Description |
|--------|-----------------|-------------|
| BucketSizeBytes | Sustained growth >30 days | Abnormal data expansion |
| 4xxErrorRate | >5% | Potential attack or misconfiguration |
| GetRequest | Sudden 10x spike | Possible DDoS or web scraping |
| ReplicationLatency | >15 minutes | Cross-region replication lag |

3.3 AWS Config Rules

Enable these managed rules for continuous compliance monitoring:

  • s3-bucket-public-read-prohibited: Prevent public read access
  • s3-bucket-public-write-prohibited: Prevent public write access
  • s3-bucket-server-side-encryption-enabled: Enforce encryption
  • s3-bucket-versioning-enabled: Enforce versioning
  • s3-bucket-ssl-requests-only: Verify that the TLS-only bucket policy from section 2.2 is in place

4. Cost Optimization Tips

  1. Lifecycle policies: Automatically transition objects not accessed for 90 days to S3-IA, and 180 days to Glacier
  2. S3 Intelligent-Tiering: For data with unpredictable access patterns—automatically optimizes storage tiers
  3. Request cost optimization: Consolidate small files to reduce PUT/GET request counts
  4. Data transfer optimization: Use S3 Transfer Acceleration for faster cross-region uploads, starting at $0.04/GB

5. Cross-Cloud Storage Comparison

| Feature | AWS S3 | Alibaba Cloud OSS | Tencent Cloud COS | GCP Cloud Storage |
|---------|--------|-------------------|-------------------|-------------------|
| Data Durability | 99.999999999% | 99.9999999999% | 99.999999999% | 99.999999999% |
| Standard Storage Starting Price | $0.023/GB | ¥0.12/GB | ¥0.099/GB | $0.020/GB |
| Cross-Region Replication | Yes | Yes | Yes | Yes |
| WORM Compliance | Object Lock | Compliance Retention | Compliance Retention | Object Lock |
| Intelligent Tiering | Yes | Yes | No | Yes |

Conclusion

Securing AWS S3 requires a systematic approach across four dimensions: blocking public access, bucket policies, encryption, and monitoring. Follow the principle of least privilege, regularly audit permissions, and leverage AWS Config and CloudTrail for continuous compliance monitoring.

As a multi-cloud service partner, Duoyun Cloud offers AWS authorized accounts with exclusive discounts—up to 15% off S3 storage fees—along with Chinese-language technical support. Visit duoyun.io to learn more.


This article was written by the Duoyun Cloud technical team. For AWS cloud migration consulting, please contact our solutions architects.
