Protect data in the cloud with S3 Access Points and S3 Endpoints

Everyone loves the flexibility and capability of S3 but wants to make sure they can control access to data and stay out of the news.  Let's talk about S3 Access Points and S3 VPC Endpoints, which protect your data and simplify your access control policies.  We're talking about these services:
We're going to walk through the components of this picture. It has the side benefit of acting as a pretty default image on the blog splash page ;-)

S3 landscape

Amazon S3 was designed as an internet-first service that makes it easy to store and access large amounts of data from inside and outside of the enterprise. We want to secure this data, simplify access control management and reduce cognitive load while maintaining a high level of security and auditability.

S3 bucket names live in a single global namespace, and the default bucket endpoints are reachable over the public internet. A bucket's owning account is not obvious from the bucket name or the resource ARN: arn:aws:s3:::bucket-name carries no account ID.
Data in S3 buckets has traditionally been protected by a combination of bucket (resource) policies and IAM (identity) policies. They do the same job but approach it from opposite directions:

  • S3 bucket policies are attached to the bucket and define which principals (users, roles, accounts) may perform which operations on which resources in that bucket.  
  • IAM policies are attached to users, groups and roles and define which operations that principal may perform on which resources.   

Shortcomings in traditional approach

Bucket and IAM policies grow large and complicated as more entities need access to the data for different operations.  In addition, AWS policies have hard size limits (a bucket policy is capped at 20 KB and an IAM managed policy at 6,144 characters) that are easily exceeded in large organizations.  Bucket policies and IAM policies interact with each other, so the effective permissions are hard for humans to analyze.  Organizations often use only one or the other in order to avoid unexpected behavior.

S3 Access Points

S3 access points can be used to segregate different data consumer or producer types.

Amazon S3 Access Points let us break up a bucket's policy by creating virtual bucket addresses, each with its own hostname and ARN, that overlay all or part of a specific S3 bucket. Each access point fronts a single S3 bucket and can only be used for S3 object operations (GetObject, PutObject and the like), not bucket-level operations. Access point ARNs include the region and account ID, which are implicit in normal S3 bucket ARNs: arn:aws:s3:region:account-id:accesspoint/name versus arn:aws:s3:::bucket-name.  

Each access point has its own resource policy. This makes it possible to provide consumer-specific endpoints with small, easily auditable configurations, while the bucket policy itself shrinks to a single statement that delegates access control to the account's access points (the s3:DataAccessPointAccount condition key).

S3 VPC Endpoints

VPC Endpoints are often used to keep data off the internet and to support data exfiltration protection: a bucket that only accepts requests from a known endpoint cannot be read with leaked credentials used from anywhere else. This diagram shows a bucket where all data goes across the private network and all access is restricted to a single VPC.

S3 VPC Endpoints give resources inside a VPC a path to S3 buckets and access points that needs no internet gateway or NAT. Data transiting a VPC endpoint travels on the AWS internal network instead of the public internet. 

S3 bucket policies (and access point policies) can restrict access to a specific set of VPC endpoints or VPCs with the aws:SourceVpce and aws:SourceVpc condition keys. VPC endpoint policies, attached on the consumer's side, can restrict the operations (s3:PutObject, s3:GetObject, etc.), the resources and the principals (users, groups or roles) allowed to use the endpoint.

At the time this was written, the VPC endpoints for every service other than S3 and DynamoDB are Interface Endpoints: an ENI in your subnet with a private IP and DNS name, reached over AWS PrivateLink. S3 and DynamoDB endpoints are Gateway Endpoints, a target in the VPC route table with no private IP or DNS name of their own, so they are usable only from inside that VPC and not across peering, VPN or Direct Connect. AWS users should consider Interface Endpoints for S3 when they become available.  

Example: Cross entity data sharing

Two different organizations share data via an S3 bucket.  They want all data to stay on the AWS internal network.

The bucket owner
  • They want to restrict access to only the partner organization.  
  • They want to provide an explicit endpoint for the partner organization with a specific DNS name. 
  • They want to restrict bucket access to a single location in the partner organization.
  • They will restrict the operations allowed from that location.
The remote bucket user
  • The other org reaches into the bucket to either put objects (s3:PutObject) or get objects (s3:GetObject).  
  • They want to restrict their programs to a specific bucket / Access Point. 
  • They want to restrict access on their side to a specific VPC.
  • They want to restrict the allowed operations.
The red line represents the organization ownership boundary.
Policy Summary
  1. The S3 bucket policy allows operations only when they arrive through the S3 access point (it delegates to the access point with the s3:DataAccessPointAccount condition).
  2. The S3 access point policy limits access to the partner's specific VPC endpoint ID (aws:SourceVpce).
  3. The S3 access point policy limits the allowed operations.
  4. The partner's VPC endpoint policy is scoped to the S3 access point and the allowed operations.
  5. The VPC endpoint is reachable only from its own VPC.
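As an added example (mine, not the post's own code and not AWS's), the following builds the four policy documents that the Access Points and VPC Endpoints sections and the policy summary above describe, for both sides of the red line, and runs a few requests through a small evaluator to show which paths survive. Every identifier is a placeholder: owner account 111111111111, partner account 222222222222, bucket example-shared-bucket, access point partner-ap, endpoint vpce-0123456789abcdef0 and role partner-uploader. The policy documents use the real S3 condition keys (s3:DataAccessPointAccount, aws:SourceVpce); the evaluator is deliberately simplified (Allow/Deny by action, resource, principal and the StringEquals/StringNotEquals operators, with the cross-account rule that every policy on the path must allow and none may deny) and is not AWS's IAM evaluation logic.

```python
import fnmatch

# Placeholders, not real identifiers: owner account, partner account, names and IDs.
OWNER, PARTNER, REGION = "111111111111", "222222222222", "us-east-1"
BUCKET = "example-shared-bucket"
AP_ARN = f"arn:aws:s3:{REGION}:{OWNER}:accesspoint/partner-ap"
AP_OBJECTS = f"{AP_ARN}/object/*"          # access point object ARN pattern
PARTNER_VPCE = "vpce-0123456789abcdef0"
PARTNER_ROLE = f"arn:aws:iam::{PARTNER}:role/partner-uploader"
OPS = ["s3:GetObject", "s3:PutObject"]    # the only operations the partner may use

def bucket_policy():
    """Owner side (item 1): admit only requests arriving via an owner-account access point."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DelegateToOwnerAccessPoints", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringEquals": {"s3:DataAccessPointAccount": OWNER}}}]}

def access_point_policy():
    """Owner side (items 2, 3): partner role, two ops, only via the partner's endpoint."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PartnerViaVpce", "Effect": "Allow", "Principal": {"AWS": PARTNER_ROLE},
         "Action": OPS, "Resource": AP_OBJECTS,
         "Condition": {"StringEquals": {"aws:SourceVpce": PARTNER_VPCE}}},
        {"Sid": "DenyOffEndpoint", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": [AP_ARN, AP_OBJECTS],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": PARTNER_VPCE}}}]}

def endpoint_policy():
    """Partner side (item 4): the endpoint carries only these ops, for this role, to this access point."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"AWS": PARTNER_ROLE}, "Action": OPS, "Resource": AP_OBJECTS}]}

def role_policy():
    """Partner side: the role's identity policy names the access point, never the bucket."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": OPS, "Resource": AP_OBJECTS}]}

# --- toy evaluator: Allow/Deny by action, resource, principal and String(Not)Equals; not full IAM ---
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _principal_ok(stmt, principal):
    if "Principal" not in stmt:            # identity policies carry no Principal element
        return True
    allowed = _as_list(stmt["Principal"].get("AWS", []))
    return "*" in allowed or principal in allowed

def _conditions_ok(stmt, ctx):
    for op, keys in stmt.get("Condition", {}).items():
        for key, want in keys.items():
            have = ctx.get(key)
            if op == "StringEquals" and have not in _as_list(want):
                return False               # a missing key never satisfies StringEquals
            if op == "StringNotEquals" and have in _as_list(want):
                return False               # a missing key does satisfy StringNotEquals (as in IAM)
    return True

def evaluate(policy, principal, action, resource, ctx):
    """'Deny' if any matching statement denies, else 'Allow' if one allows, else 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _principal_ok(stmt, principal) and _conditions_ok(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def request_allowed(action, key, via_access_point=True, source_vpce=None, principal=PARTNER_ROLE):
    """Cross-account rule: every policy on the path must allow and none may deny.
    The bucket policy sees the bucket object ARN; the role, endpoint and access point
    policies see the ARN the caller addressed (access point or, when bypassing it, bucket)."""
    ctx = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    bucket_res = caller_res = f"arn:aws:s3:::{BUCKET}/{key}"
    if via_access_point:
        ctx["s3:DataAccessPointAccount"] = OWNER
        caller_res = f"{AP_ARN}/object/{key}"
    checks = [evaluate(role_policy(), principal, action, caller_res, ctx),
              evaluate(bucket_policy(), principal, action, bucket_res, ctx)]
    if source_vpce == PARTNER_VPCE:        # other endpoints are assumed to keep AWS's default allow-all policy
        checks.append(evaluate(endpoint_policy(), principal, action, caller_res, ctx))
    if via_access_point:
        checks.append(evaluate(access_point_policy(), principal, action, caller_res, ctx))
    return all(c == "Allow" for c in checks)

if __name__ == "__main__":
    print("via access point + partner endpoint:", request_allowed("s3:PutObject", "report.csv", source_vpce=PARTNER_VPCE))
    print("same, from the internet:            ", request_allowed("s3:PutObject", "report.csv"))
    print("same, via some other endpoint:      ", request_allowed("s3:PutObject", "report.csv", source_vpce="vpce-0fedcba9876543210"))
    print("bucket addressed directly:          ", request_allowed("s3:PutObject", "report.csv", via_access_point=False, source_vpce=PARTNER_VPCE))
    print("DeleteObject via the full path:     ", request_allowed("s3:DeleteObject", "report.csv", source_vpce=PARTNER_VPCE))
```

Only the first request gets through. The explicit Deny in the access point policy is what turns "only from the partner's endpoint" into a hard rule: a request from the internet or the console has no aws:SourceVpce key at all, StringNotEquals matches a missing key, and the Deny wins over any Allow that might be added later. Bypassing the access point fails twice over, because the bucket policy only delegates (no s3:DataAccessPointAccount in the context) and the partner's own role and endpoint policies never name the bucket.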



Created 4/2020

