📋 S3 Security Cheat Sheet

Quick-reference for S3 bucket policies, encryption, Block Public Access, Object Lock, access points, and data protection patterns.

Block Public Access

  • 4 settings: BlockPublicAcls (reject new public ACLs), IgnorePublicAcls (ignore existing public ACLs), BlockPublicPolicy (reject PutBucketPolicy calls whose policy grants public access), RestrictPublicBuckets (a bucket that already has a public policy is reachable only by principals in the owning account and by AWS service principals)
  • Can apply at account level (every bucket in the account) or per bucket; when both are set, the more restrictive setting wins
  • Takes precedence over bucket policies and ACLs that grant public access: existing public ACLs are ignored, new public ACLs and policies are rejected, and an existing public policy is confined to the account. It does not rewrite the policy or ACL document, so the public grant is still visible in it
  • Enable at account level as a preventive control. New buckets get all four settings on by default, but only an SCP denying s3:PutAccountPublicAccessBlock and s3:PutBucketPublicAccessBlock stops someone turning them off
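As an added example (not part of the cheat sheet), a simplified model of the "public policy" test that BlockPublicPolicy applies when a bucket policy is written. The restricting-key list and the operator handling approximate the documented S3 rules rather than reproduce AWS's implementation, and the sample policies, bucket names and VPC endpoint ID are constructed placeholders:

```python
# Added example (not from the page): a simplified model of the "public policy"
# test that BlockPublicPolicy applies when a bucket policy is written.
# Assumption: the restricting-key list and operator handling approximate the
# documented S3 rules; they are not AWS's exact implementation.

# Condition keys whose presence (with a positive operator) makes a wildcard grant
# non-public in S3's "meaning of public" rules. Assumed subset of the documented list.
RESTRICTING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:principalorgid",
    "aws:principalaccount", "aws:principalarn", "aws:sourcearn",
    "aws:sourceaccount", "aws:userid",
}


def _statements(policy):
    """A policy's Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _restricted(condition):
    """True if some positive condition operator tests a restricting key.
    Negated (StringNotEquals, NotIpAddress), Null and ...IfExists operators
    widen rather than narrow the grant, so they do not count."""
    for operator, keys in (condition or {}).items():
        op = operator.lower()
        if "not" in op or op.startswith("null") or op.endswith("ifexists"):
            continue
        if any(k.lower() in RESTRICTING_KEYS for k in keys):
            return True
    return False


def policy_is_public(policy):
    """A policy is public if any Allow statement grants to a wildcard principal
    without a restricting condition. Deny statements never make a policy public."""
    return any(
        s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not _restricted(s.get("Condition"))
        for s in _statements(policy)
    )


def put_bucket_policy_accepted(block_public_access, policy):
    """Simulate PutBucketPolicy under a Block Public Access configuration:
    with BlockPublicPolicy on, a public policy is rejected (S3 returns AccessDenied)."""
    return not (block_public_access.get("BlockPublicPolicy", False) and policy_is_public(policy))


# Constructed sample policies; bucket names and the VPC endpoint ID are placeholders.
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-assets/*"}],
}
VPC_ONLY = {  # wildcard principal, but pinned to one VPC endpoint: not public
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-internal/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
EVERYONE_BUT_ONE_VPC = {  # negated operator: still reachable from anywhere else
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-internal/*",
                   "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
CROSS_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-shared/*"}],
}

if __name__ == "__main__":
    bpa = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    for name, pol in [("PUBLIC_READ", PUBLIC_READ), ("VPC_ONLY", VPC_ONLY),
                      ("EVERYONE_BUT_ONE_VPC", EVERYONE_BUT_ONE_VPC), ("CROSS_ACCOUNT", CROSS_ACCOUNT)]:
        print(f"{name:22} public={policy_is_public(pol)} "
              f"PutBucketPolicy accepted={put_bucket_policy_accepted(bpa, pol)}")
```

The point worth remembering from the third sample: a wildcard principal with a negated condition (StringNotEquals on aws:SourceVpce) still reaches the bucket from everywhere else, so S3 treats it as public and BlockPublicPolicy rejects it, while the same key under StringEquals makes the grant non-public.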

Encryption Options

  • SSE-S3 (AES-256): applied by default to every new object; AWS owns and manages the keys, so there is no per-key access control and no key-usage audit trail
  • SSE-KMS: a customer managed KMS key gives key policy control and a CloudTrail record of every key use; callers also need kms:GenerateDataKey (writes) and kms:Decrypt (reads) on the key, which is what makes SSE-KMS a second access-control layer. S3 Bucket Keys cut the number of KMS requests (and cost); DSSE-KMS adds a second encryption layer for dual-layer requirements
  • SSE-C: the client supplies the key (and its MD5) on every PUT and GET; S3 uses it, discards it and keeps only a salted HMAC of it to validate later requests. HTTPS is mandatory and losing the key means losing the data
  • Client-side encryption: data is encrypted before it leaves the client (AWS Encryption SDK or the S3 Encryption Client), so S3 never sees plaintext and the client owns key management
  • Enforce the chosen option with a bucket policy Deny on the s3:x-amz-server-side-encryption (and, for a specific key, s3:x-amz-server-side-encryption-aws-kms-key-id) condition keys, and deny all access when aws:SecureTransport is false
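As an added example (not part of the cheat sheet), a bucket policy that makes SSE-KMS with one specific key mandatory and refuses plaintext HTTP, together with a small evaluator for its Deny conditions so the effect on different uploads can be checked offline. The bucket name and key ARN are placeholders, the request headers are constructed, and the evaluator models only the operators this policy uses (Bool, Null, StringEquals, StringNotEquals) with IAM's documented missing-key semantics:

```python
# Added example (not from the page): a bucket policy that makes SSE-KMS with
# one specific key mandatory and refuses plaintext HTTP, plus a small evaluator
# for its Deny conditions. Assumptions: bucket name and key ARN are placeholders;
# the evaluator implements only Bool, Null, StringEquals and StringNotEquals.
import fnmatch


def encryption_enforcement_policy(bucket, kms_key_arn):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # every operation on the bucket or its objects must use TLS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [bucket_arn, objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # uploads that name another algorithm (e.g. AES256 = SSE-S3)
                "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # uploads that send no encryption header at all
                "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # uploads that use SSE-KMS but with a key other than ours
                "Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def _request_context(headers, secure):
    """Map request properties to the condition keys S3 populates."""
    ctx = {"aws:SecureTransport": "true" if secure else "false"}
    for name, value in headers.items():
        ctx["s3:" + name.lower()] = value   # x-amz-server-side-encryption -> s3:x-amz-server-side-encryption
    return ctx


def _condition_matches(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "Null":                       # "true" means: key absent
                if (actual is None) != (expected[0] == "true"):
                    return False
            elif operator in ("Bool", "StringEquals"):   # missing key -> no match
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":          # negated: missing key -> match
                if actual in expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _action_matches(pattern, action):
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def denying_sids(policy, action, headers=None, secure=True):
    """Sids of the Deny statements that fire for this request. An empty list
    means this policy adds no deny; an Allow is still needed elsewhere for access."""
    ctx = _request_context(headers or {}, secure)
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and _action_matches(s["Action"], action)
            and _condition_matches(s["Condition"], ctx)]


KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder
POLICY = encryption_enforcement_policy("example-data", KEY_ARN)
COMPLIANT_HEADERS = {"x-amz-server-side-encryption": "aws:kms",               # constructed request
                     "x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}

if __name__ == "__main__":
    for label, hdrs, tls in [("no header", {}, True),
                             ("SSE-S3", {"x-amz-server-side-encryption": "AES256"}, True),
                             ("SSE-KMS, right key", COMPLIANT_HEADERS, True),
                             ("SSE-KMS over HTTP", COMPLIANT_HEADERS, False)]:
        fired = denying_sids(POLICY, "s3:PutObject", hdrs, tls)
        print(f"{label:20} -> {fired or 'no deny from this policy'}")
```

Note the StringNotEquals branch: a request without the header matches a negated operator, so even without the Null statement a header-less upload is denied. Clients that rely on the bucket's default encryption send no header, so this policy blocks them; use the header-based denies only where every writer sets the header explicitly, or drop them and rely on default encryption plus the TLS deny.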

Object Lock & Versioning

  • Object Lock: WORM (Write Once Read Many) for object versions; versioning must be on. Retention is either a bucket default or set explicitly per version (explicit wins). A DELETE without a version ID only adds a delete marker; the locked version stays and can still be read by version ID
  • Governance mode: a principal with s3:BypassGovernanceRetention who also sends the x-amz-bypass-governance-retention:true header can shorten or remove the retention or delete the version; everyone else is blocked
  • Compliance mode: nobody, the root user included, can delete or overwrite the version or shorten its retention until it expires; the retention period can only be extended
  • Legal hold: an on/off flag independent of any retention period; it blocks deletion indefinitely until a principal with s3:PutObjectLegalHold removes it

Access Control

  • Bucket policy: resource-based JSON policy on the bucket (preferred over ACLs; new buckets use Object Ownership = BucketOwnerEnforced, which disables ACLs entirely)
  • Access points: named endpoints per application or team, each with its own policy and optionally a VPC-only network origin; the bucket policy can delegate to them by allowing access where s3:DataAccessPointAccount equals the account ID
  • S3 Access Grants: map IAM or IAM Identity Center identities to buckets or prefixes at scale; the grantee calls GetDataAccess to receive temporary credentials scoped to the grant
  • VPC endpoint policy: limits which buckets a VPC can reach through the endpoint; pair it with a bucket policy condition on aws:SourceVpce (or aws:SourceVpc) so the bucket in turn accepts traffic only from that endpoint
