Very simply put, it is a service offered by AWS that can be used as storage (called buckets) for different types of files.
So what does it mean to secure AWS S3?
It could mean any number of things. One of them is ensuring that the buckets & their contents (objects) are access controlled, & that is the aspect we'll focus on.
(Others could include ensuring that the bucket & its contents are protected against data loss, that S3 objects are encrypted at rest, that logging is enabled for the buckets, etc. We will not talk about these or any others here. Also, AWS by default has options to take care of public access around S3, like disabling public access at the account level itself. We will not talk about this either, as it may not always be feasible for every org/use case, like it wasn't in our case.)
Key result: No open/public buckets/objects
We need a measurable key result to know whether we have achieved our objective. We define our key result as a measure of the number of AWS S3 buckets, or any contents within them, that are publicly accessible. Ideally, our criterion for having achieved the objective would be zero open/public buckets/objects.
But of course there could be reasons for certain buckets or objects (contents of a bucket) to be publicly accessible, depending on the business context, which always is/should be the highest priority. Hence our actual key result, to accommodate the above, becomes:
- No open/public buckets/objects,
- at least not without prior approval from the security team or without the security team being informed.
Plan
Below is our plan to reach our key result/s & finally achieve our objective too.
- Audit & ensure that the existing open buckets/objects are fixed/accounted for
- Ensure that any new buckets/objects being created are secure
- Ensure that the security team is made aware of the existence/creation of any insecure buckets/objects (if at all) as quickly as possible
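The audit step and the key result above can be expressed as a small classifier. The following is an added example, not code from the original post. It assumes each bucket's ACL, policy and public access block have already been fetched and are shaped like the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses. The bucket names and the approved list are made up, and it covers bucket-level settings only, not per-object ACLs or the account-level public access block.

```python
import json

# ACL grantee groups meaning "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}

def acl_is_public(acl, pab):
    # IgnorePublicAcls makes S3 disregard public grants that still exist.
    if pab.get("IgnorePublicAcls"):
        return False
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
               for g in acl.get("Grants", []))

def _wildcard(principal):
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def policy_is_public(policy_text, pab):
    # RestrictPublicBuckets limits a public policy to the owning account.
    if not policy_text or pab.get("RestrictPublicBuckets"):
        return False
    stmts = json.loads(policy_text).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    # Simplification: statements with a Condition are left for manual review.
    return any(s.get("Effect") == "Allow" and _wildcard(s.get("Principal"))
               and not s.get("Condition") for s in stmts)

def audit(buckets, approved):
    """Return {bucket: 'private' | 'public-approved' | 'public-unapproved'}."""
    result = {}
    for name, cfg in buckets.items():
        pab = cfg.get("pab", {})
        public = (acl_is_public(cfg.get("acl", {}), pab)
                  or policy_is_public(cfg.get("policy"), pab))
        result[name] = ("private" if not public else
                        "public-approved" if name in approved else "public-unapproved")
    return result

# Constructed sample data shaped like S3 API responses; names are made up.
ALL_USERS = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]})
SAMPLE = {
    "example-site": {"policy": OPEN_POLICY},
    "example-logs": {"acl": {"Grants": [ALL_USERS]}},
    "example-backups": {"acl": {"Grants": [ALL_USERS]}, "pab": {"IgnorePublicAcls": True}},
}
APPROVED = {"example-site"}  # buckets the security team has signed off on
```

Calling `audit(SAMPLE, APPROVED)` gives one status per bucket. The key result is met when no bucket comes back as `public-unapproved`.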