AWS S3 Security: Bucket Policies, Encryption, and Data Protection
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
S3 is the most commonly misconfigured AWS service. Public bucket incidents make headlines regularly, and they are almost always preventable. S3 has strong security controls, but you need to understand and apply them correctly. Default settings have improved significantly, but defaults alone are not enough for sensitive data.
Block Public Access
Enable S3 Block Public Access at the account level. This overrides any bucket policy or ACL that would make a bucket or object public. There are four independent settings — enable all of them unless you have a specific, documented reason for public access (like hosting a static website).
If you do need a public bucket, create it in a separate, dedicated AWS account with no other resources. Apply SCPs to your other accounts that prevent disabling Block Public Access.
Bucket Policies
Bucket policies are resource-based policies attached to the bucket. Use them to:
- Deny unencrypted uploads: require s3:x-amz-server-side-encryption in every PutObject request
- Restrict access by VPC endpoint: use aws:sourceVpce to ensure data access only comes from within your network
- Enforce TLS: deny requests where aws:SecureTransport is false
- Limit access by organization: use aws:PrincipalOrgID to ensure only accounts in your org can access the bucket
Always include an explicit deny for actions you want to prohibit. Explicit deny overrides any allow, providing a strong guardrail.
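The four guardrails above, built as explicit Deny statements and then audited offline. This is an added example, not code from the article or from AWS; the bucket name, organization ID and VPC endpoint ID are constructed placeholders, while the condition keys are the real IAM keys the article names. The second function is the kind of check you would run over bucket policies pulled from an account to find buckets missing one of the denies.

```python
"""Build and audit an S3 bucket policy made of the four explicit-deny guardrails.

Added example, not the article's or AWS's own code. The bucket name, organization
ID and VPC endpoint ID are constructed placeholders; the condition keys are the
real IAM keys named in the article.
"""
import json

BUCKET = "example-regulated-data"      # constructed placeholder
ORG_ID = "o-exampleorgid"              # constructed placeholder
VPCE_ID = "vpce-0123456789abcdef0"     # constructed placeholder

# guardrail name -> (condition operator, condition key, expected value or None)
GUARDRAILS = {
    "unencrypted-uploads": ("Null", "s3:x-amz-server-side-encryption", "true"),
    "vpc-endpoint": ("StringNotEquals", "aws:sourceVpce", None),
    "tls": ("Bool", "aws:SecureTransport", "false"),
    "org-boundary": ("StringNotEquals", "aws:PrincipalOrgID", None),
}


def build_guardrail_policy(bucket: str, org_id: str, vpce_id: str) -> dict:
    """Return a policy whose statements are all explicit denies.

    An explicit deny wins over any allow, so these hold no matter what an IAM
    policy elsewhere grants. The VPC-endpoint deny also blocks console and CLI
    access from outside the VPC, which is the intent but must be planned for.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    all_arns = [bucket_arn, f"{bucket_arn}/*"]

    def deny(sid, action, resource, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": action, "Resource": resource, "Condition": condition}

    return {
        "Version": "2012-10-17",
        "Statement": [
            # PutObject without the SSE header is refused (Null: true = key absent)
            deny("DenyUnencryptedUploads", "s3:PutObject", all_arns[1],
                 {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
            # Any request that did not enter through our VPC endpoint
            deny("DenyOutsideVpcEndpoint", "s3:*", all_arns,
                 {"StringNotEquals": {"aws:sourceVpce": vpce_id}}),
            # Plaintext HTTP
            deny("DenyInsecureTransport", "s3:*", all_arns,
                 {"Bool": {"aws:SecureTransport": "false"}}),
            # Principals from accounts outside the organization
            deny("DenyOutsideOrganization", "s3:*", all_arns,
                 {"StringNotEquals": {"aws:PrincipalOrgID": org_id}}),
        ],
    }


def _values(raw) -> set:
    """Condition values may be a string or a list; normalise to a lowercase set."""
    items = raw if isinstance(raw, list) else [raw]
    return {str(v).lower() for v in items}


def missing_guardrails(policy: dict) -> list:
    """Return the guardrails that have no matching explicit Deny in the policy."""
    denies = [s for s in policy.get("Statement", []) if s.get("Effect") == "Deny"]
    missing = []
    for name, (operator, key, expected) in GUARDRAILS.items():
        satisfied = False
        for stmt in denies:
            # IAM condition keys are case-insensitive, so compare lowercased
            cond = {k.lower(): v
                    for k, v in stmt.get("Condition", {}).get(operator, {}).items()}
            if key.lower() in cond and (
                    expected is None or expected in _values(cond[key.lower()])):
                satisfied = True
                break
        if not satisfied:
            missing.append(name)
    return missing


if __name__ == "__main__":
    policy = build_guardrail_policy(BUCKET, ORG_ID, VPCE_ID)
    print(json.dumps(policy, indent=2))
    print("missing guardrails:", missing_guardrails(policy))
```

The audit only counts Deny statements: an Allow carrying the same condition does nothing to stop a request that another policy permits, which is exactly why the article insists on explicit denies.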
Encryption
S3 now encrypts all new objects with SSE-S3 (AES-256) by default. But for regulated data, you want SSE-KMS with a customer-managed key. This gives you an audit trail (every decryption is logged in CloudTrail), access control through the key policy, and the ability to revoke access by disabling the key.
For the highest security requirements, use SSE-KMS with bucket keys enabled to reduce KMS API costs. Client-side encryption adds another layer but increases application complexity — use it when you need to ensure AWS cannot access plaintext data.
S3 Access Points
Access points simplify access management for shared buckets. Instead of a single complex bucket policy trying to handle different access patterns for different teams, create an access point per team or application with its own policy.
Each access point can be restricted to a specific VPC, making it impossible to access from outside your network. This is cleaner than VPC endpoint conditions in bucket policies.
Object Lock
Object Lock prevents deletion or modification of objects for a defined retention period. Use it for compliance (WORM storage requirements), backup protection, and log integrity. Governance mode allows users with special permissions to override retention; Compliance mode prevents anyone, including the root account, from deleting objects until the retention period expires.
Apply Object Lock to buckets storing CloudTrail logs, application audit logs, and any data subject to regulatory retention requirements.
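A posture check covering the three settings from the Block Public Access, Encryption and Object Lock sections above: all four public-access flags on, SSE-KMS with a customer-managed key and bucket key as the default encryption, and Object Lock with a default retention (compliance mode for log buckets). This is an added example, not the article's or AWS's code. It consumes dictionaries in the shape that boto3's get_public_access_block, get_bucket_encryption and get_object_lock_configuration return; the responses embedded below are constructed samples, so the script runs offline, and the account ID and key ID in them are placeholders. The account-level Block Public Access setting comes from the S3 Control API with the same response shape, so the same check applies.

```python
"""Offline posture check for the S3 controls the article calls for: Block Public
Access, SSE-KMS default encryption with a bucket key, and Object Lock.

Added example, not the article's or AWS's code. The functions consume dicts in
the shape boto3's get_public_access_block, get_bucket_encryption and
get_object_lock_configuration return; the responses below are constructed
samples, so nothing here contacts AWS. A real caller passes each API's response
and maps a "no configuration" error to an empty dict.
"""

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_findings(resp: dict) -> list:
    """All four Block Public Access flags must be true; report each that is not."""
    cfg = resp.get("PublicAccessBlockConfiguration", {})
    return [f"block-public-access:{flag}=false"
            for flag in PUBLIC_ACCESS_FLAGS if not cfg.get(flag, False)]


def encryption_findings(resp: dict, require_kms: bool) -> list:
    """SSE-S3 is the default; regulated data wants SSE-KMS with a
    customer-managed key and the bucket key enabled."""
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["encryption:no-default-encryption"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if require_kms and algorithm != "aws:kms":
            findings.append(f"encryption:algorithm={algorithm}-not-sse-kms")
        if algorithm == "aws:kms":
            # No KMSMasterKeyID means the AWS-managed aws/s3 key, whose key
            # policy you cannot edit and which you cannot disable to revoke access.
            if not default.get("KMSMasterKeyID"):
                findings.append("encryption:aws-managed-key-not-customer-managed")
            if not rule.get("BucketKeyEnabled", False):
                findings.append("encryption:bucket-key-disabled")
    return findings


def object_lock_findings(resp: dict, require_compliance: bool) -> list:
    """Object Lock must be on with a default retention; compliance mode for logs."""
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object-lock:disabled"]
    mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if mode not in ("GOVERNANCE", "COMPLIANCE"):
        return ["object-lock:no-default-retention"]
    if require_compliance and mode != "COMPLIANCE":
        return ["object-lock:governance-mode"]
    return []


def audit_bucket(pab: dict, enc: dict, lock: dict, regulated: bool) -> list:
    """Combine the checks; `regulated` raises the bar to SSE-KMS + compliance mode."""
    return (public_access_findings(pab)
            + encryption_findings(enc, require_kms=regulated)
            + object_lock_findings(lock, require_compliance=regulated))


# Constructed sample responses (shapes follow boto3; the values are made up).
LOG_BUCKET_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True)}
LOG_BUCKET_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        # placeholder account and key ID
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
    "BucketKeyEnabled": True}]}}
LOG_BUCKET_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}}

WEAK_BUCKET_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
WEAK_BUCKET_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
WEAK_BUCKET_LOCK = {}  # get_object_lock_configuration reported no configuration

if __name__ == "__main__":
    for name, args in (("cloudtrail-logs", (LOG_BUCKET_PAB, LOG_BUCKET_ENC, LOG_BUCKET_LOCK)),
                       ("app-uploads", (WEAK_BUCKET_PAB, WEAK_BUCKET_ENC, WEAK_BUCKET_LOCK))):
        print(name, audit_bucket(*args, regulated=True) or "OK")
```

Run against every bucket in an account and feed the non-empty result lists into whatever ticketing or alerting you use; a bucket that trips the public-access check and also holds sensitive data (see Macie below) is the one to fix first.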
Amazon Macie
Macie scans S3 buckets for sensitive data: PII, financial data, credentials, API keys. Enable it across your organization to automatically discover and classify sensitive data in S3.
Use Macie findings to identify buckets that contain sensitive data but lack appropriate controls. If Macie finds credit card numbers in a bucket that is accessible from the internet, that is a finding you need to act on immediately.
Next Steps
- Test your S3 and data security knowledge with a skills assessment
- Browse cloud security topics in the skills library
- Use the workspace to practice S3 bucket policy configuration
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS ALB Security: TLS, Authentication, and Access Controls — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring — HADESS | 2026
Take the Next Step
Get started free — Create your HADESS account and access all career tools.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
