♦ Enable server-side encryption for data at rest and require encryption in transit (TLS) for requests to the bucket.
♦ Enable server access logging for all S3 buckets. Bucket access requests are captured and logged every few minutes, and these logs can be stored in a separate S3 bucket.
♦ Enable versioning to keep multiple variants of an object in the same bucket. Use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures.
♦ Enable S3 Object Lock for additional protection against object changes. Object Lock makes it very difficult to edit or delete data in S3. Objects can be locked in two ways:
- by specifying a retention period, or
- by placing a legal hold that remains until it is manually removed.
Enable this for critical objects such as CloudTrail logs.
♦ Set appropriate access policies on the buckets. Access can be granted either with a bucket policy (a resource-based policy attached to the bucket) or with a user-based policy (an identity-based policy attached to the IAM principal). For example, a bucket policy can grant a user full access to the bucket, or a user-based policy can grant a user full access to a particular S3 bucket. For ease of maintenance, use only one type of policy for all of your S3 resources.
♦ Enable MFA Delete to prevent accidental bucket deletions. MFA Delete requires additional authentication for either of the following operations:
- Changing the versioning state of your bucket
- Permanently deleting an object version
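The checklist above maps directly onto a handful of bucket settings that can be read back through the S3 API and audited. The following is an added example (not code from the original page) of such an audit in plain Python: it runs offline over a constructed dictionary shaped like the responses of the GetBucketEncryption, GetBucketLogging, GetBucketVersioning, GetObjectLockConfiguration and GetBucketPolicy calls, and reports which checklist items each bucket fails. The two bucket names, the policies and all configuration values are constructed sample data; in practice the dictionary would be filled from those API calls.

```python
import json
from typing import Dict, List

# Constructed sample data (not real buckets), shaped like the S3 Get* API
# responses: one hardened bucket and one that fails most of the checklist.
SAMPLE_BUCKETS: Dict[str, dict] = {
    "example-cloudtrail-logs": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "ct/"},
        "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-cloudtrail-logs",
                         "arn:aws:s3:::example-cloudtrail-logs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    },
    "example-public-assets": {
        "ServerSideEncryptionConfiguration": {"Rules": []},
        # Logging into the same bucket causes a self-logging growth loop.
        "LoggingEnabled": {"TargetBucket": "example-public-assets", "TargetPrefix": "logs/"},
        "Versioning": {"Status": "Suspended", "MFADelete": "Disabled"},
        "ObjectLockConfiguration": None,
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-public-assets/*"}]}),
    },
}


def _statements(policy_json: str) -> List[dict]:
    """Return the policy's statements as a list (a policy may hold one dict)."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def denies_insecure_transport(policy_json: str) -> bool:
    """True if a Deny statement fires when aws:SecureTransport is false (non-TLS)."""
    for s in _statements(policy_json):
        cond = s.get("Condition", {}).get("Bool", {})
        if s.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def allows_anonymous(policy_json: str) -> bool:
    """True if an unconditional Allow statement grants access to Principal '*'."""
    for s in _statements(policy_json):
        p = s.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s.get("Effect") == "Allow" and anyone and "Condition" not in s:
            return True
    return False


def audit_bucket(name: str, cfg: dict) -> List[str]:
    """Check one bucket against the checklist; return a list of findings."""
    findings: List[str] = []
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption rule")
    if not denies_insecure_transport(cfg.get("Policy")):
        findings.append("bucket policy does not deny non-TLS (aws:SecureTransport=false) requests")
    logging = cfg.get("LoggingEnabled")
    if not logging:
        findings.append("server access logging disabled")
    elif logging.get("TargetBucket") == name:
        findings.append("access logs written to the same bucket (self-logging loop)")
    versioning = cfg.get("Versioning") or {}
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    # Object Lock requires versioning; it is reported separately so the two
    # findings can be prioritised independently.
    if (cfg.get("ObjectLockConfiguration") or {}).get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled")
    if allows_anonymous(cfg.get("Policy")):
        findings.append("bucket policy grants unconditional access to Principal '*'")
    return findings


def audit_all(buckets: Dict[str, dict]) -> Dict[str, List[str]]:
    """Audit every bucket; buckets with an empty list pass the checklist."""
    return {name: audit_bucket(name, cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE_BUCKETS).items():
        print(bucket, "->", findings or "OK")
```

The hardened bucket returns no findings; the second bucket returns seven, one per failed checklist item, including the self-logging loop that the plain "logging enabled" check would miss. The object-lock finding is informational for buckets that hold no critical data, but for a CloudTrail log bucket every line in that list should be empty.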