|
S3Express: Amazon S3 Command Line Utility Amazon S3 command line utility for Windows. Copy, query, backup multiple files to S3 using the Windows command line.  |
S3Express FAQ and Knowledge Base |
| Main Page > Browse Categories > Security Considerations > Show All |
Security Considerations |
| Connection security (HTTPs) |
During file listings, file uploads and file queries, files are transferred between the computer where S3Express is running and the Amazon S3 servers, so it's very important that the communication channel between the two is secure.
To achieve this level of security, S3Express automatically uses the HTTPs protocol (HTTPs = Hypertext Transfer Protocol Secure) to connect and communicate to the Amazon S3 servers. No special settings are needed: it is used by default.
The HTTPs protocol encrypts all the data flow between the client (the computer where S3Express is running) and the server (the Amazon S3 servers). This is the same protocol that is generally used to communicate to a bank site when using a web browser.
The HTTPs protocol protects against eavesdropping and tampering with and/or forging the contents of the communication. It provides a guarantee that one is communicating with precisely the Amazon S3 servers as well as ensuring that the contents of the communications between S3Express and the Amazon S3 servers (file transfers, file listings, etc.) cannot be read or forged by any third party.
HTTP can optionally be used instead of the default HTTPs. You can enable HTTP instead of HTTPs with the setopt command.
| Enforcing 'private access only' for all objects in a bucket |
When uploading files to a S3 bucket for backup purposes, it's important to make all uploaded objects private, that is, make all objects accessible only by the owner and not by the public. This is already done by default in S3Express, unless otherwise specified. However, to avoid mistakes, this requirement can also be explicitly enforced by using a bucket policy similar to the following one:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrivateAclPolicy", "Effect": "Deny",
"Principal": { "AWS": "*"},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bucket_name/*"
],
"Condition": {
"StringNotEquals": {
"s3:x-amz-acl": [
"private"
]
}
}
}
]
}
Replace bucket_name with the name of your bucket.
This policy will only allow objects to be uploaded to the bucket if the ACL is explicitly set to "private", otherwise access will be denied. Also this policy makes sure that the ACL cannot be changed from private.
The following is an example of uploads explicitly made private in S3Express:
put c:\folder\ bucket_name -s -cacl:private
-cacl:private explicitly makes all uploaded objects private. This is the default (if -cacl is not specified), but the bucket policy above now requires it to be explicitly specified or access will be denied.
To set a bucket policy you can use the Amazon S3 Console.
To verify and to make sure that all the already existing objects in a bucket are correctly set to private, see: www.s3express.com/kb/item24.htm
| Enforcing server-side encryption for all uploads to a bucket |
Amazon S3 supports bucket policy that you can use if you require server-side encryption for all objects that are stored in your bucket. For example, the following bucket policy denies upload object (s3:PutObject) permission to everyone if the request does not include the x-amz-server-side-encryption header requesting server-side encryption.
{
"Version":"2012-10-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":{
"AWS":"*"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::YourBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"AES256"
}
}
}
]
}
In S3Express, the x-amz-server-side-encryption header is added by using the -e flag of the PUT command.
| How to make a backup to S3 more secure using encryption |
File encryption can optionally be used to make a backup to S3 more secure.
S3Express already automatically encrypts files as they are in-transit from and to the Amazon S3 servers, however files can also be stored on the Amazon S3 servers encrypted (i.e. at rest).
S3Express provides two types of encryption: server-side encryption and client-side encryption.
Server-Side encryption is about data encryption at rest, that is, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, the pre-signed URL works the same way for both encrypted and unencrypted objects.
Amazon S3 Server Side Encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 Server Side Encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
When you upload one or more objects with S3Express, you can explicitly specify in your request if you want Amazon S3 to save your object data encrypted. To specify that you want Amazon S3 to save your object data encrypted use the flag -e of the S3Express command PUT. Server-side encryption is optional. Your bucket might contain both encrypted and unencrypted objects.
With Client-Side encryption, you add an extra layer of security by encrypting data locally before uploading the files to Amazon S3. Client-side encryption and server-side encryption can be combined and used together. In S3Express, client-side encryption is provided by AesCrypt.exe, see the -le flag of the PUT command.
| Restricting access to a S3 bucket to specific IP addresses |
To make our uploads or backup on Amazon S3 even more secure, we can restrict access to a S3 bucket to specific IP addresses.
The following bucket policy grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies 192.168.143.* range of allowed IP addresses with one exception, 192.168.143.188.
{
"Version": "2012-10-17",
"Id": "S3PolicyIPRestrict",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition" : {
"IpAddress" : {
"aws:SourceIp": "192.168.143.0/24"
},
"NotIpAddress" : {
"aws:SourceIp": "192.168.143.188/32"
}
}
}
]
}
The IPAddress and NotIpAddress values specified in the condition uses CIDR notation described in RFC 2632. For more information, go to www.rfc-editor.org/rfc/rfc4632.txt