No public S3 Buckets
It's important to understand how to keep your data secure when leveraging the Amazon S3 service, and one way to reduce the risk is to remove public access altogether for data stored in an S3 Bucket.
- Chapter 4
- Updated 31 Mar 2025
Amazon S3 has been available to the public as a service since 2006, and it has been the target of some devastating data breaches over the years. It's a fantastic service, and it's what I use to host the frontend of this website, but S3 has also become the go-to AWS service for security misconfiguration anecdotes.
Since April 2023, new S3 Buckets are created with S3 Block Public Access enabled and ACLs disabled by default, and the same four Block Public Access settings can be applied at the account level to state explicitly that no bucket in the account may be public. Anyone with sufficient IAM permissions can still turn that setting off, but with the magic of Service Control Policies (SCPs) we can deny `s3:PutAccountPublicAccessBlock` across the organisation so the guardrail cannot be removed from member accounts. One caveat: SCPs do not apply to the organisation's management account, so that account is a poor place to host workloads or data.
If we have assets that are meant to be publicly accessible, such as media or static web page files, we can serve them through CloudFront rather than opening the bucket. With Origin Access Control (OAC) the bucket stays private and its policy grants s3:GetObject only to the cloudfront.amazonaws.com service principal, with a condition that pins the grant to the ARN of our distribution; without that condition, any CloudFront distribution in any AWS account could be pointed at the bucket. If only some viewers should be able to fetch the content, CloudFront signed URLs or signed cookies add that restriction on the viewer side.
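The two controls in the preceding paragraphs, Block Public Access and a CloudFront-scoped bucket policy, can be reviewed offline from the documents AWS returns. The script below is an added example, not code from the original post: it checks whether a bucket's Block Public Access configuration is complete and classifies each bucket policy statement as anonymous, anonymous-with-conditions, or a CloudFront grant missing its AWS:SourceArn pin. The input shapes follow what boto3's get_public_access_block() and get_bucket_policy() return, but the policies, bucket name, account ID and distribution ID are constructed sample data, and the finding names are my own.

```python
"""Offline S3 exposure review: Block Public Access flags plus bucket policy.

Added example, not code from the original post. Input documents follow the
shapes boto3's get_public_access_block() and get_bucket_policy() return, but
all data below is constructed so the script runs without AWS credentials.
"""
import json

# The four Block Public Access flags; the guardrail is complete only when all are true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_pab_flags(config):
    """Return the Block Public Access flags that are off (empty list means fully blocked)."""
    return [flag for flag in PAB_FLAGS if not config.get(flag, False)]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} grants to anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _cloudfront_pinned(statement):
    """True when the grant is tied to one distribution through an AWS:SourceArn condition."""
    arns = _as_list(statement.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn"))
    return any(a.startswith("arn:aws:cloudfront::") and ":distribution/" in a for a in arns)


def review_policy(policy):
    """Classify Allow statements; returns (Sid, finding) tuples. Finding names are ours:
    public               anonymous principal and no Condition at all
    public-conditional   anonymous principal but some Condition; needs a human look
    cloudfront-unpinned  cloudfront.amazonaws.com without an AWS:SourceArn pin, so any
                         distribution in any AWS account could be pointed at this bucket
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if _is_anonymous(principal):
            findings.append((sid, "public-conditional" if "Condition" in stmt else "public"))
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "cloudfront.amazonaws.com" in services and not _cloudfront_pinned(stmt):
            findings.append((sid, "cloudfront-unpinned"))
    return findings


def assess_bucket(pab_config, policy_json):
    """Combine both checks. RestrictPublicBuckets is the flag that neutralises a public
    policy that is already attached; BlockPublicPolicy only stops new ones being attached."""
    findings = review_policy(json.loads(policy_json))
    missing = missing_pab_flags(pab_config)
    return {
        "missing_pab_flags": missing,
        "policy_findings": findings,
        "exposed": "RestrictPublicBuckets" in missing and any(f == "public" for _, f in findings),
    }


# Constructed sample inputs: the bucket name, account ID and distribution ID are placeholders.
FULL_PAB = {flag: True for flag in PAB_FLAGS}
WEAK_PAB = {**FULL_PAB, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

PUBLIC_READ_POLICY = json.dumps({  # the classic world-readable "website bucket" policy
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*"}],
})

OAC_POLICY = json.dumps({  # CloudFront OAC: one correctly pinned statement, one missing the pin
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-site-bucket/*",
         "Condition": {"StringEquals": {
             "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"}}},
        {"Sid": "AllowAnyCloudFront", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-site-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(assess_bucket(WEAK_PAB, PUBLIC_READ_POLICY))  # exposed: True
    print(assess_bucket(FULL_PAB, OAC_POLICY))          # one cloudfront-unpinned finding
```

To run this against a real account, feed the output of get_public_access_block()["PublicAccessBlockConfiguration"] and get_bucket_policy()["Policy"] into assess_bucket; the classification is deliberately conservative, so anything marked public-conditional still deserves a manual read of the condition keys.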
A nice bonus of utilising CloudFront, apart from its caching capabilities, is the ability to attach an AWS WAF web ACL to the distribution, which is something we can't do with direct S3 Bucket access.