# Introduction to Amazon S3 Security

## Shared responsibility model

Security is a shared responsibility between you and AWS. This shared model shifts the operational burden from you to AWS. AWS then operates and manages all the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. 

You, as the customer, assume responsibility for and management of the guest operating system (including updates and security patches) and other associated application software, including the AWS-provided security group firewall.

This differentiation of responsibility is commonly referred to as security "of" the cloud versus security "in" the cloud.

![image.png](attachment:image.png)

## Security in the cloud

The types of services your company uses determine the amount of configuration work performed as part of your security responsibilities. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) requires you to perform all necessary security configuration and management tasks. You are responsible for the management of the guest operating system (including updates and security patches). Your responsibility includes the management of any application software or utilities installed on the instances, in addition to the configuration of the AWS-provided firewall (called a security group) on each instance.

For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms. You are responsible for managing your data (including encryption), classifying your assets, and using IAM tools to apply and secure principals and their permissions.

The following graphic illustrates the boundaries between your responsibilities and the responsibilities of AWS. It's important to understand that, depending on the type of service deployed, the boundary between your security and maintenance requirements and what AWS is responsible for can fluctuate. It's critical to understand what you have deployed and where the boundaries are for each of your services. 

![image-2.png](attachment:image-2.png)

## Security of the cloud

AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS cloud services. Depending on the services you choose to deploy in AWS, the shared responsibility model changes for you and for AWS. Ensure that you understand your responsibilities based on your deployed services.

The following graphic illustrates the shared responsibility model for Amazon Elastic Container Service (Amazon ECS) with AWS Fargate. Although Fargate is not covered in this course, this graphic illustrates how different AWS services can drastically change where the dividing line in the shared responsibility model falls. It is important to know how each service you use divides that responsibility.

![image-3.png](attachment:image-3.png)

## Security and Amazon S3

By default, all Amazon S3 resources are private and accessible only to the resource owner and account administrator. To allow access to buckets and objects in Amazon S3, you can use a combination of access management features.

Amazon S3 offers a variety of security features to protect, secure, and manage access to your data.

### Block Public Access

Block Public Access overrides other S3 access permissions to easily enforce a no-public-access policy. Using S3 Block Public Access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created. This feature is enabled by default.

### AWS Identity and Access Management (IAM)

Amazon S3 offers both resource-based and user-based access policies. Access policies are a set of permissions that are attached to your resources (buckets) or to your users. By using policies, you can manage access to resources.

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy. To grant other AWS accounts or IAM users access permissions to the bucket and the objects in it, add a bucket policy to a bucket.
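As an added illustration of how a resource-based policy is read (this is example code written for this page, not AWS, SDK or course code), the following Python models the evaluation of a bucket policy against a sample document constructed here: a cross-account Allow for a partner account and an explicit Deny protecting a `secrets/` prefix. It implements the three rules that matter most when reviewing a bucket policy: a request is denied unless some statement allows it, an explicit Deny overrides any Allow, and a Principal of `*` means anyone. It also lists Allow statements granted to `*` with no Condition, which is the pattern Block Public Access exists to neutralise. The account ID, bucket name and Sids are placeholders; Condition blocks, NotPrincipal/NotAction/NotResource, identity policies, Block Public Access and SCPs are deliberately out of scope of the model.

```python
"""Simplified model of how a bucket policy (a resource-based IAM policy)
is evaluated. Added illustration, not AWS or SDK code: it models only the
parts of the evaluation logic this page discusses (default deny, explicit
Allow, explicit Deny taking precedence) and ignores IAM identity policies,
Condition blocks, NotPrincipal/NotAction/NotResource, S3 Block Public
Access and organisation SCPs.
"""
import fnmatch
import json

# Constructed sample bucket policy; the account ID and bucket name are placeholders.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPartnerAccountRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "DenyEveryoneSecretsPrefix",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/secrets/*"
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of ARNs; "*" means anyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    result = []
    for values in principal.values():  # e.g. {"AWS": [...], "Service": "..."}
        result.extend(_as_list(values))
    return result


def _matches(patterns, value):
    """IAM-style wildcard match where '*' and '?' are the metacharacters."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(statement, principal, action, resource):
    """True when the statement's Principal, Action and Resource all cover the request."""
    principals = _principals(statement)
    if "*" not in principals and not _matches(principals, principal):
        return False
    # Action names are case-insensitive in IAM; resource ARNs are not.
    actions = [a.lower() for a in _as_list(statement.get("Action"))]
    if not _matches(actions, action.lower()):
        return False
    return _matches(_as_list(statement.get("Resource")), resource)


def evaluate(policy, principal, action, resource):
    """Return "Allow" or "Deny" for one request under the simplified rules."""
    decision = "Deny"  # implicit deny: nothing is accessible until a statement grants it
    for statement in policy["Statement"]:
        if not statement_applies(statement, principal, action, resource):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision


def public_allow_statements(policy):
    """Sids of Allow statements that grant to everyone without any Condition."""
    return [
        s.get("Sid", "<no Sid>")
        for s in policy["Statement"]
        if s["Effect"] == "Allow" and "*" in _principals(s) and "Condition" not in s
    ]


if __name__ == "__main__":
    partner = "arn:aws:iam::111122223333:root"
    print(evaluate(SAMPLE_BUCKET_POLICY, partner, "s3:GetObject",
                   "arn:aws:s3:::example-bucket/public/report.pdf"))
    print(evaluate(SAMPLE_BUCKET_POLICY, partner, "s3:GetObject",
                   "arn:aws:s3:::example-bucket/secrets/key.pem"))
    print(public_allow_statements(SAMPLE_BUCKET_POLICY))
```

Running the module shows the partner account reading `public/report.pdf` but being refused `secrets/key.pem` even though the first statement grants `s3:GetObject` on the whole bucket, and a principal from any other account being refused everything because nothing grants it access. `public_allow_statements` is the check to run over a policy before relying on it: any Sid it returns is a grant to the whole internet.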

### Access points

Access points simplify managing data access at scale for applications that use shared data sets on Amazon S3. Access points are named network endpoints that are attached to buckets and are used to perform Amazon S3 object operations, such as GetObject and PutObject. Each access point has distinct permissions and network controls that S3 applies to any request made through that access point.

### Presigned URLs

With Query String Authentication (presigned URLs), you can grant time-limited access to objects with temporary URLs. You can use a presigned URL to share objects or allow your customers/users to upload objects to buckets without AWS security credentials or permissions.
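A presigned URL is only as safe as its lifetime, and every parameter that bounds it travels in the URL itself. As an added defender-side illustration (example code written for this page, not AWS SDK code), the following Python uses only the standard library to parse the SigV4 query-string parameters of a presigned URL and report when it expires, whether it is still valid at a given moment, and review findings such as a plain-http scheme, a lifetime above an assumed organisational ceiling, the seven-day maximum SigV4 itself enforces, or signing with long-term IAM user keys. The sample URL is constructed: bucket, key and access key ID are placeholders and the signature is a dummy value that would never validate; the one-hour ceiling is an assumption, not an AWS limit.

```python
"""Inspect the query parameters of an S3 presigned URL (SigV4 query-string
authentication). Added defender-side illustration, not AWS SDK code.

A presigned URL carries everything a holder needs except the secret key:
the credential scope (X-Amz-Credential), the signing time (X-Amz-Date) and
the lifetime in seconds (X-Amz-Expires). S3 honours the URL until
X-Amz-Date + X-Amz-Expires, so those two fields say how long a URL that
leaks through a log, referrer or shared message stays usable.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Assumed organisational ceiling for presigned URL lifetime (not an AWS limit).
MAX_LIFETIME = timedelta(hours=1)
# SigV4 presigned URLs cannot be valid for more than seven days.
SIGV4_HARD_LIMIT = timedelta(days=7)

# Constructed example: bucket, key and access key ID are placeholders and the
# signature is a dummy value that would never validate against S3.
SAMPLE_PRESIGNED_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/reports/q1.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEY000000%2F20240105%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240105T120000Z"
    "&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64
)

REQUIRED = ("X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature")


def inspect_presigned_url(url, now=None, max_lifetime=MAX_LIFETIME):
    """Return the URL's scope and validity window plus a list of review findings."""
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    missing = [p for p in REQUIRED if p not in query]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL; missing {missing}")

    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(query["X-Amz-Expires"]))
    expires_at = signed_at + lifetime
    now = now if now is not None else datetime.now(timezone.utc)

    # Credential scope: <access key id>/<yyyymmdd>/<region>/<service>/aws4_request
    access_key_id, _, region, service, _ = query["X-Amz-Credential"].split("/")

    findings = []
    if parsed.scheme != "https":
        findings.append("URL is not https: the signature and object path travel in clear")
    if lifetime > SIGV4_HARD_LIMIT:
        findings.append("X-Amz-Expires exceeds the 7-day SigV4 maximum; S3 will reject it")
    elif lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds the allowed maximum {max_lifetime}")
    if access_key_id.startswith("AKIA"):
        findings.append("signed with long-term IAM user credentials; prefer a role "
                        "(temporary credentials) so the grant cannot outlive the session")
    if "X-Amz-Security-Token" in query:
        findings.append("signed with temporary credentials: the URL also stops working "
                        "when that session expires, whatever X-Amz-Expires says")

    return {
        "object": parsed.netloc + parsed.path,
        "access_key_id": access_key_id,
        "region": region,
        "service": service,
        "signed_at": signed_at,
        "expires_at": expires_at,
        "valid_now": signed_at <= now < expires_at,
        "seconds_remaining": max(0, int((expires_at - now).total_seconds())),
        "findings": findings,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(inspect_presigned_url(SAMPLE_PRESIGNED_URL))
```

The same function is useful in two places: in a code-review or CI check that generated URLs never exceed the agreed lifetime, and in incident response, when a URL turns up in a log or a ticket and the first question is whether it can still be used. Note the temporary-credential caveat: a URL signed from an assumed role stops working when that session's token expires even if `X-Amz-Expires` promises longer, so the reported `expires_at` is an upper bound in that case.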

### Encryption

Encryption ensures that your in-transit or at-rest data cannot be opened or read by unintended recipients in the event that the data is intercepted or accessed by unauthorized users.

### VPC endpoints

A VPC endpoint is a logical entity within a VPC that allows connectivity to AWS services such as Amazon S3. The VPC endpoint routes requests across the Amazon network to S3 and then routes responses back to the VPC. Because the traffic stays on the Amazon network, the endpoint allows you to privately connect to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.