💻Common Interview Question Candidates get Wrong: S3 Security


Hello Reader,

In today’s post, let’s look at another common cloud interview question, with a correct but average answer and a great answer that gets you hired. This question is critical because everyone uses this service in almost every project!

Question - How will you secure your S3 bucket?

Common but average answer

  • I will use KMS so bucket objects are not unencrypted
  • I will use Bucket Policy and IAM roles for least privilege to secure my bucket

What the interviewer is looking for is that you understand the different attack vectors and how to mitigate them. There is also one wrong statement in the above answer, which I will explain. As an SA, you will be responsible for talking to the app team and coming up with an appropriate security strategy. We are looking to delight the interviewer, not just meet the bar.

A great answer is:

  • There are multiple ways an S3 bucket can be compromised; let's go one by one
  • Bad actors can access your bucket objects anonymously from the internet. To stop that, enable "Block Public Access" on the bucket
  • Even after public access is blocked, any authenticated AWS user can access my bucket. We don't want that in production. To prevent that, enforce bucket policies that allow only specific AWS services to access the bucket
  • From the other side, the AWS service needs to have an appropriate IAM role attached so it can access this bucket. It is important that the IAM role has least-privilege access. Often, an IAM role has access to all S3 buckets. Make sure to use the specific bucket name instead of "s3:*"
  • Most of the time, application code runs inside a VPC on EC2 or Lambda. An S3 bucket can NOT be brought inside a VPC. To prevent traffic from going over the internet, use a VPC Endpoint, which lets traffic from the application code to the S3 bucket traverse the AWS private network and not the internet
  • This is a newer feature: after multiple security incidents, you can't have unencrypted objects inside a bucket anymore. By default, objects are encrypted using Server Side Encryption with S3 managed keys. You can switch to AWS Managed KMS, Customer Managed KMS, or the newly released Dual Side KMS (costs more!). Hence never say that by default bucket objects are unencrypted. You can also do client-side encryption before uploading the objects
  • Enforce encryption in transit by denying insecure (HTTP) traffic in the bucket policy
  • Finally, it is possible that some security event happens. For that reason, always monitor and audit. Utilize CloudWatch and CloudTrail (this part everyone says). For production buckets, also use AWS Config, which can detect if configurations deviate from the established ones, notify groups, and fire a Lambda to auto-remediate!
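
The bucket-policy, IAM-role, VPC-endpoint and HTTPS points above, as an added example that is not part of the original post: a weak and a hardened policy side by side, plus a small offline checker that reports which layers are missing. The bucket name, account ID, role ARN and endpoint ID are constructed placeholders, and the helper and function names are hypothetical.

```python
# Constructed placeholders for illustration; none come from the original post.
BUCKET_ARN = "arn:aws:s3:::example-app-data"
ROLE_ARN = "arn:aws:iam::111122223333:role/example-app-role"
VPCE_ID = "vpce-0123456789abcdef0"
OBJECTS = BUCKET_ARN + "/*"

def deny(sid, operator, key, value):  # bucket-wide Deny guarded by one condition
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET_ARN, OBJECTS], "Condition": {operator: {key: value}}}

WEAK_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS}]}
HARDENED_BUCKET = {"Version": "2012-10-17", "Statement": [
    deny("DenyHttp", "Bool", "aws:SecureTransport", "false"),
    deny("DenyOutsideVpce", "StringNotEquals", "aws:SourceVpce", VPCE_ID),
    {"Sid": "AllowAppRole", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS}]}
WEAK_ROLE = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_ROLE = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS}]}

def as_list(value):
    return value if isinstance(value, list) else [value]
def has_deny(policy, operator, key):
    """True if a Deny statement uses this condition key (keys are case-insensitive)."""
    return any(st.get("Effect") == "Deny" and key.lower() in
               {k.lower() for k in st.get("Condition", {}).get(operator, {})}
               for st in as_list(policy["Statement"]))

def audit_bucket_policy(policy):
    findings = []
    if not has_deny(policy, "Bool", "aws:SecureTransport"):
        findings.append("HTTP requests are not denied")
    if not has_deny(policy, "StringNotEquals", "aws:SourceVpce"):
        findings.append("access is not restricted to a VPC endpoint")
    for st in as_list(policy["Statement"]):
        if (st.get("Effect") == "Allow" and not st.get("Condition")
                and st.get("Principal") in ("*", {"AWS": "*"})):
            findings.append("Allow statement is open to any principal")
    return findings

def audit_role_policy(policy):
    findings = []
    for st in as_list(policy["Statement"]):
        if st.get("Effect") == "Allow":
            if {"*", "s3:*"} & set(as_list(st.get("Action", []))):
                findings.append("wildcard S3 actions")
            if {"*", "arn:aws:s3:::*"} & set(as_list(st.get("Resource", []))):
                findings.append("applies to every bucket")
    return findings
```

A Deny keyed on `aws:SourceVpce` also blocks console and administrative access that does not come through that endpoint, so roll it out deliberately.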

This approach of securing multiple attack vectors is known as Defense in Depth: the attacker has to go through multiple layers to reach customer information in the S3 bucket. If you can mention the first 4-5 points from the above, you'd delight the interviewer and set yourself apart from others.

💡 Other things to keep in mind

  • You can use S3 Object Lock to prevent accidental deletes
  • Use object versioning to retrieve deleted or manipulated objects
  • Avoid using simple bucket names

If you get this question in your interview, make sure to knock it out of the park!

P.S. - If you want to get personally mentored by me and crack top tech jobs in AWS, Microsoft, Google, JPMC, reddit, CoreWeave etc., check out AWS SA Bootcamp with Live Classes, Mock Interviews, Hands-On, Resume Improvement and more: https://www.sabootcamp.com/

Keep learning and keep rocking 🚀,

Raj

Fast Track To Cloud
