S3 security combines block public access, bucket policies, IAM policies, encryption, and optional versioning to recover from accidental overwrites or deletes.
Block Public Access
Enable Block all public access at both the account and bucket level by default. Public buckets have caused major data leaks, so treat open access as an explicit, reviewed exception rather than a default.
Encryption
- SSE-S3 — AWS-managed keys
- SSE-KMS — KMS keys with audit trail
- SSE-C — customer-provided keys (advanced)
Enable versioning
aws s3api put-bucket-versioning \
--bucket my-unique-learning-bucket-12345 \
--versioning-configuration Status=Enabled
# Upload the same key twice: the previous version is retained as noncurrent
Practice: Create S3 buckets and VPC resources only in a sandbox account. Bucket names must be globally unique; empty and delete buckets when finished.
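The versioning behaviour described above (noncurrent versions kept on overwrite, a delete marker added on delete, recovery by removing the marker or copying an old version forward) is easy to misread from the CLI alone. The following is an added illustration, not code from the original page and not the AWS SDK: a small in-memory model of versioned-bucket semantics whose method names mirror the S3 API, with a constructed scenario of an accidental overwrite followed by an accidental delete. In real S3 the restore step would be a CopyObject of the old version onto the same key; here it is modelled as a put of the old body.

```python
import itertools


class VersionedBucket:
    """Toy model of an S3 bucket with versioning enabled (constructed for illustration)."""

    def __init__(self):
        self._versions = {}          # key -> list of versions, oldest first
        self._ids = itertools.count(1)

    def _next_id(self):
        return f"v{next(self._ids)}"

    def put_object(self, key, body):
        # A put never replaces data; the old current version becomes noncurrent.
        vid = self._next_id()
        self._versions.setdefault(key, []).append(
            {"VersionId": vid, "Body": body, "IsDeleteMarker": False})
        return vid

    def delete_object(self, key, version_id=None):
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            # Simple delete on a versioned bucket: add a delete marker, keep every version.
            vid = self._next_id()
            versions.append({"VersionId": vid, "Body": None, "IsDeleteMarker": True})
            return vid
        # Delete with an explicit version id permanently removes that version
        # (or removes a delete marker, which makes the previous version current again).
        self._versions[key] = [v for v in versions if v["VersionId"] != version_id]
        return version_id

    def get_object(self, key, version_id=None):
        versions = self._versions.get(key, [])
        if version_id is None:
            # GetObject without a version: 404 if the latest version is a delete marker.
            if not versions or versions[-1]["IsDeleteMarker"]:
                return None
            return versions[-1]["Body"]
        for v in versions:
            if v["VersionId"] == version_id and not v["IsDeleteMarker"]:
                return v["Body"]
        return None

    def list_object_versions(self, key):
        versions = self._versions.get(key, [])
        last = len(versions) - 1
        return [{"VersionId": v["VersionId"], "IsLatest": i == last,
                 "IsDeleteMarker": v["IsDeleteMarker"]} for i, v in enumerate(versions)]


def recover_after_mistakes():
    """Constructed scenario: overwrite by mistake, delete by mistake, then recover."""
    bucket = VersionedBucket()
    good = bucket.put_object("report.csv", b"original")
    bucket.put_object("report.csv", b"overwritten by mistake")   # 'original' is now noncurrent
    marker = bucket.delete_object("report.csv")                  # adds a delete marker
    assert bucket.get_object("report.csv") is None               # key appears gone

    # Recovery step 1: remove the delete marker by its version id.
    bucket.delete_object("report.csv", version_id=marker)
    # Recovery step 2: bring the known-good version forward as the new current version.
    bucket.put_object("report.csv", bucket.get_object("report.csv", version_id=good))
    return bucket.get_object("report.csv")


if __name__ == "__main__":
    print(recover_after_mistakes())
```

Note that nothing in the model ever discards data unless a version id is given explicitly; that is the property the page relies on, and it is also why versioned buckets need a lifecycle rule in practice, since every overwrite keeps paying for the noncurrent copy.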
Bucket policy snippet (concept)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/SandboxReader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-unique-learning-bucket-12345/*"
  }]
}
Use least privilege: never use Principal: "*" with sensitive data, unless the bucket is intentional static hosting with read-only public objects.
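Both the Block Public Access section and the policy snippet come down to the same review question: does anything grant access to everyone? The following is an added example, not part of the original page and not an AWS tool: a small checker that flags Allow statements with a wildcard principal in a bucket policy and reports which of the four Block Public Access settings are not enabled. The policy and configurations are constructed inline; the sandbox policy is the page's snippet, and the "public" variant is a constructed counter-example. Statements that carry a Condition are still reported because a condition may or may not restrict the audience, so a human should review them.

```python
import json

# The page's own policy (constructed copy used as sample input).
SANDBOX_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/SandboxReader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-unique-learning-bucket-12345/*"
  }]
}
""")

# Constructed counter-example: the shape a static-hosting policy takes.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-unique-learning-bucket-12345/*"
    }]
}

# The four settings exposed by the PublicAccessBlock configuration.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def public_statements(policy):
    """Return (Sid-or-index, has_condition) for every Allow with a wildcard principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be written unwrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if is_wildcard_principal(stmt.get("Principal")):
            findings.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return findings


def missing_public_access_blocks(config):
    """Return the Block Public Access settings that are absent or false."""
    return [name for name in PAB_SETTINGS if not config.get(name, False)]


if __name__ == "__main__":
    print("sandbox policy:", public_statements(SANDBOX_POLICY))
    print("public policy: ", public_statements(PUBLIC_POLICY))
    # Constructed config with one setting left off.
    print("missing:", missing_public_access_blocks(
        {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True}))
```

A finding from `public_statements` is not automatically a bug: for an intentional static-hosting bucket it is the expected result, which is exactly why the page asks for public access to be a reviewed exception rather than a silent default.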
Important interview questions and answers
- Q: Why block public access?
A: Prevents accidental exposure of private data to the entire internet.
- Q: Versioning benefit?
A: Recover prior object versions after overwrite or delete marker mistakes.
Self-check
- Name two S3 encryption options.
- What does S3 Block Public Access prevent?
Tip: Enable Block Public Access at the account level before creating the first bucket.
Interview prep
- Block Public Access?
Prevents accidental public exposure of bucket contents.
- Versioning?
Retains noncurrent object versions after overwrite or delete marker.