Securing Your S3 Bucket from A to Z

1.25 hours
  • 5 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we implement S3 bucket policies and IAM policies to learn about the various ways to secure our S3 buckets and the data within them. We also examine which services we can leverage to audit and remediate security issues.

Here is the [GitHub link](https://raw.githubusercontent.com/linuxacademy/content-how-to-properly-secure-an-s3-bucket/master/lab-securing-s3-a-to-z/S3BucketPolicy.json) to copy the S3 bucket policy mentioned in this lab.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Update the IAM Policy

Update the IAM policy to include our partyparrots-<STRING> bucket name and the public IP address provided for the lab.

Attach the IAM and S3 Bucket Policies

Attach the IAM policy to our Architects and Developers groups and create user folders for bob and john. Then, add an S3 bucket policy from the provided GitHub repository.

Test and Verify the IAM and S3 Bucket Policies

Verify the IAM and S3 policy permissions are configured correctly, update the IAM policy to include the DeleteObject permission, and test server-side encryption.

Enable Block Public Access in the S3 Bucket

Update the Block Public Access settings for the S3 bucket.

Configure CloudTrail and CloudWatch for SNS Event Notifications

Create a CloudTrail trail to log read and write events, configure SNS notifications and subscribe to receive email alerts, and set a CloudWatch rule to trigger email alerts on deletion events.
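The deletion alert in this objective is a CloudWatch Events (EventBridge) rule that matches CloudTrail records for S3 object deletions and targets the SNS topic. The event pattern below is an added example, not the lab's own rule; the bucket name `partyparrots-EXAMPLE` is a placeholder for your `partyparrots-<STRING>` bucket. It only fires if the trail records S3 data events for the bucket, which is why the trail must log write events first.

```json
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["DeleteObject", "DeleteObjects"],
    "requestParameters": {
      "bucketName": ["partyparrots-EXAMPLE"]
    }
  }
}
```

Matching on both `DeleteObject` and `DeleteObjects` matters: a multi-object delete from the console or `aws s3 rm --recursive` is recorded as a single `DeleteObjects` call, so a rule that lists only `DeleteObject` would miss bulk deletions. Set the rule's target to the SNS topic whose email subscription you confirmed, and verify by deleting a test object from one of the CLI profiles.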

Additional Resources

Reminder: Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

You work for the company Party Parrots Ltd. as a Cloud Engineer. Since you're an expert in making data in the cloud more secure, your manager has tasked you with securing an S3 bucket in preparation for a project that is starting soon.

A team of Party Parrots developers and architects needs access to the S3 bucket and to their individual folders within it. Ensure these users have the permissions they need and nothing more. For your convenience, the appropriate IAM groups and users are already provisioned in the test AWS account.

In addition to this, you need to ensure that:

  • Absolutely no public read or write access to the bucket is allowed.
  • No user from one group can read or write data to or from another user's folder.
  • Access to the bucket is only allowed through an approved corporate-source IP.
  • Bucket activity, like API requests, is logged.
  • Any object write or modify action is reported.

The manager also asked whether it's possible to restrict all users' access to all buckets while annual progress reports are compiled. This could be any one Monday-to-Friday week in the current month.
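The requirements above map onto a small set of IAM policy statements: Allow statements scoped to the caller's own folder via the `${aws:username}` policy variable, an explicit Deny for requests not arriving from the approved source IP, and a time-boxed Deny for the reporting week. The policy below is an added example written for this page, not the lab's own policy from the GitHub repository; `partyparrots-EXAMPLE`, the source IP `203.0.113.10/32` and the reporting-week dates are placeholders you would replace with the bucket name, IP address and week given in the lab.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::partyparrots-EXAMPLE",
      "Condition": {
        "StringLike": { "s3:prefix": ["${aws:username}/*"] }
      }
    },
    {
      "Sid": "ReadWriteDeleteOnlyOwnFolder",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::partyparrots-EXAMPLE/${aws:username}/*"
    },
    {
      "Sid": "DenyOutsideApprovedSourceIp",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::partyparrots-EXAMPLE",
        "arn:aws:s3:::partyparrots-EXAMPLE/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": "203.0.113.10/32" }
      }
    },
    {
      "Sid": "DenyAllBucketsDuringReportingWeek",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": { "aws:CurrentTime": "2024-03-04T00:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2024-03-09T00:00:00Z" }
      }
    }
  ]
}
```

Three points to check when you test this with the `developers` and `architects` profiles. First, `${aws:username}` resolves to the IAM user name, so user `bob` can only list and touch keys under `bob/`; the lab's "create user folders for bob and john" step gives those prefixes something to contain. Second, the Deny statements win over any Allow, so the IP restriction holds even if another attached policy grants broader S3 access; the trade-off is that `NotIpAddress` also blocks calls that AWS services make on the user's behalf from AWS-owned addresses. Third, the time-boxed Deny only affects principals this policy is attached to, so "all users" means attaching it to every group in the account (or using an SCP), and the window is expressed in UTC.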

We provided a VM and preconfigured it with two AWS CLI profiles: developers and architects. These correspond to the user groups created for you in the lab environment. Use these to test and verify your IAM and S3 bucket policies in the lab.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
