In part 5 of our continuing series on AWS Best Practices, we cover real-world stats on storage, specifically public access on buckets and encryption of EBS volumes:
https://www.netskope.com/blog/a-real-world-look-at-aws-best-practices-storage
One of the challenges is having a clean process to provision, secure, and continually monitor whether data storage such an S3 bucket should be public or private.
How does your organization manage this?
- do you use tagging, resource groups, or accounts to identify whether buckets are expected to be private or public?
- do you enforce that a bucket is completely public/private by using bucket level ACLs/policies rather than object-level?
- do you have additional audit checks on the above?
Additionally, how do you look upon encryption at rest? Is it solely for compliance, so AWS keys are sufficient or do you use CMKs of your own for real data privacy?
Would love to hear comments on how customers are managing this crucial aspect of bucket security.