Course description
With Amazon S3, you can use a number of different approaches to data protection, including preventing buckets from being publicly accessible, implementing access controls, and encrypting data at rest and in transit. Amazon S3 makes it easy to protect your data from security incidents. In this course, you learn Amazon S3 security best practices to help improve your security posture, prevent unwanted access to your data, and comply with business and regulatory obligations.
• Course level: Advanced
• Duration: 100 minutes
Activities
This course includes interactive lessons, demonstrations, and knowledge checks.
Course objectives
In this course, you will learn to:
• Implement user and resource policies for resource access control
• Implement Amazon Virtual Private Cloud (VPC) endpoints to simplify access to Amazon S3 resources from within a VPC
• Implement Amazon S3 access points to manage access at scale
• Block public access to resources using the S3 Block Public Access feature
• Implement presigned URLs to share objects
• Control cross-origin resource sharing with CORS
• Use encryption to protect sensitive data
• Use Amazon Macie to protect data stored in Amazon S3
Intended audience
This course is intended for:
• Cloud architects
• Storage architects
• Developers
• Operations engineers
Prerequisites
We recommend that attendees of this course have:
• Completed Architecting on AWS or equivalent experience
• Completed AWS Storage Offerings
• Completed Getting Started with Amazon Simple Storage Service (Amazon S3)
Course outline
Section 1: Introduction
• Course introduction
• Course scenario
Section 2: Protecting data from unintended public access
• Amazon S3 Block Public Access
• How Amazon S3 Block Public Access works
• Block public access settings
• Demonstration: Configuring Amazon S3 Block Public Access using the AWS Management Console and the AWS CLI
• Ways to prevent accidental public access
• Using Access Analyzer for S3
Section 3: Controlling access using access policies
• Introduction to access policies
• When to use IAM user policies
• Using bucket policies
• Access control lists
• Access policy elements
• Demonstration: Creating IAM policies to meet access requirements
Section 4: Access policies evaluation logic
• Operations logic
• Demonstration: Using an explicit deny in an IAM policy
• Amazon S3 object ownership
• Enforcing object ownership
Section 5: Managing access at scale using access points
• Principle of least privilege
• What is an access point?
• Access point ARN format
• How do access points work?
• Access point access control mechanisms
• Block public access for access points
Section 6: Sharing objects using pre-signed URLs
• Introduction to pre-signed URLs
• Pre-signed URL considerations
• Demonstration: Creating presigned URLs for S3 object access
Section 7: Protecting sensitive data using encryption
• Data in transit and data at rest
• Data in transit
• Ensuring encrypted connections
• AWS Config rules
• Server-side encryption
• Server-side encryption options
• S3 bucket keys for SSE-KMS
• Using Amazon S3 default encryption
Section 8: Simplify access with Amazon VPC endpoints
• What is a VPC endpoint?
• Types of VPC endpoints
• Feature comparison
• How do gateway endpoints work?
• Access control using endpoint policies
• Endpoint policy example
• Bucket policies example
• Interface endpoints
• On-premises connectivity
• Securing endpoints
Section 9: Security monitoring and dashboards
• Introduction to Amazon Macie
• Introduction to Amazon GuardDuty