AWS SCP for S3: Restrict and Secure Bucket Uploads Effectively

DevOpsofworld

Amazon S3 (Simple Storage Service) is one of AWS's most widely used storage solutions. To ensure the security and compliance of data stored in S3, it is essential to enforce encryption and control access to specific resources. This article presents a real-world scenario in question format, followed by a detailed explanation of the SCP that addresses it.

Scenario: How to Securely Upload Sensitive Data to S3?

A development team uploads sensitive financial reports to an S3 bucket. The company mandates that all files be encrypted with specific KMS keys to comply with regulatory standards, and developers must make sure their setup meets these encryption requirements without accidental policy violations. How can this be enforced using AWS Service Control Policies (SCPs)?

Solution: SCP to Enforce Secure Uploads

The provided SCP addresses the above scenario by:

  1. Denying unencrypted uploads.

  2. Ensuring only specific AWS KMS keys are used for encryption.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::*/secure-data/*",
                    "arn:aws:s3:::*/private/*",
                    "arn:aws:s3:::*/public/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": "aws:kms"
                    }
                }
            },
            {
                "Sid": "DenyWrongKMSKeyUploads",
                "Effect": "Deny",
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::*/secure-data/*",
                    "arn:aws:s3:::*/private/*",
                    "arn:aws:s3:::*/public/*"
                ],
                "Condition": {
                    "ForAnyValue:StringNotEquals": {
                        "s3:x-amz-server-side-encryption-aws-kms-key-id": [
                            "arn:aws:kms:ap-south-1:aws-account-id:key/kms-key-id",
                            "arn:aws:kms:us-east-1:aws-account-id:key/kms-key-id"
                        ]
                    }
                }
            }
        ]
    }


Explanation:

1. Denying Unencrypted Uploads (DenyUnencryptedUploads)

This statement ensures that objects uploaded to specific S3 paths are encrypted using server-side encryption (SSE) with AWS KMS. If SSE is not enabled, or if a method other than KMS (such as SSE-S3/AES256) is used, the upload is denied.

  • Action: s3:PutObject applies the statement to upload operations.

  • Resource: Targets specific S3 paths in any bucket of the organization (the leading * matches any bucket name):

    • arn:aws:s3:::*/secure-data/*

    • arn:aws:s3:::*/private/*

    • arn:aws:s3:::*/public/*

  • Condition: Requires the s3:x-amz-server-side-encryption header to be set to aws:kms. Because StringNotEquals evaluates to true when the condition key is absent from the request, an upload that omits the header entirely is denied as well, even if the bucket has default encryption configured.

2. Denying Uploads with Incorrect KMS Keys (DenyWrongKMSKeyUploads)

This statement ensures that uploads use one of the approved AWS KMS keys for encryption.

  • Condition: Validates that the s3:x-amz-server-side-encryption-aws-kms-key-id matches one of the specified KMS key ARNs:

    • arn:aws:kms:ap-south-1:142298165299:key/468b64da-3f3c-4434-bf50-7c27e8dc3c1e

    • arn:aws:kms:us-east-1:142298165299:key/ac8a8332-0254-4114-93cf-05fd79d24872

Expected Behavior:

  • Allowed: Uploading an object to s3://my-bucket/secure-data/ with SSE-KMS using an approved key.

  • Denied: Uploads without encryption or with incorrect KMS keys.

Steps to Test:

  1. Upload Without Encryption:

    • Command:

        aws s3 cp report.pdf s3://my-bucket/secure-data/ --region ap-south-1

    • Expected Result: The upload fails with an error stating that server-side encryption is required.

  2. Upload With SSE Using Incorrect Encryption Method:

    • Command:

        aws s3 cp report.pdf s3://my-bucket/secure-data/ --sse AES256 --region ap-south-1

    • Expected Result: The upload fails because the policy requires AWS KMS encryption.

  3. Upload With SSE Using the Correct KMS Key:

    • Command:

        aws s3 cp report.pdf s3://my-bucket/secure-data/ --sse aws:kms --sse-kms-key-id arn:aws:kms:ap-south-1:aws-account-id:key/aws-kms-id --region ap-south-1

    • Expected Result: The upload succeeds.

  4. Upload With SSE Using Incorrect KMS Key:

    • Command:

        aws s3 cp report.pdf s3://my-bucket/secure-data/ --sse aws:kms --sse-kms-key-id arn:aws:kms:ap-south-1:aws-account-id:key/invalid-key-id --region ap-south-1

    • Expected Result: The upload fails because the specified KMS key is not authorized by the policy.
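To reason about the four test uploads above (and the two Deny statements explained earlier) without an AWS account, here is an added Python model of how IAM evaluates this SCP; it is example code, not from the article or AWS. It applies IAM's `*` wildcard matching for the Resource ARNs and the rule that StringNotEquals is true when the condition key is absent; the account id and KMS key ids are constructed placeholders.

```python
import fnmatch
# Added example: offline model of the article's two Deny statements.
# Account id and key ids are constructed placeholders, not real values.
APPROVED_KEYS = [
    "arn:aws:kms:ap-south-1:111122223333:key/placeholder-key-1",
    "arn:aws:kms:us-east-1:111122223333:key/placeholder-key-2",
]
PROTECTED_RESOURCES = [
    "arn:aws:s3:::*/secure-data/*",
    "arn:aws:s3:::*/private/*",
    "arn:aws:s3:::*/public/*",
]

def string_not_equals(request_value, policy_values):
    """IAM StringNotEquals: a negated operator on an absent key is true,
    so a PutObject that omits the header is still matched by the Deny."""
    if request_value is None:
        return True
    return request_value not in policy_values

def evaluate_put_object(bucket, key, headers):
    """Return ("Deny", sid) or ("Allow", None) for one s3:PutObject request.
    Only the SCP's Deny statements are modelled: an SCP never grants access,
    so "Allow" means "not blocked by this SCP". Resource wildcards match '/'."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    if not any(fnmatch.fnmatchcase(resource, p) for p in PROTECTED_RESOURCES):
        return ("Allow", None)  # object is outside the guarded prefixes
    # --sse aws:kms sets this header; absent or AES256 trips the first Deny
    sse = headers.get("x-amz-server-side-encryption")
    if string_not_equals(sse, ["aws:kms"]):
        return ("Deny", "DenyUnencryptedUploads")
    # --sse-kms-key-id sets this header; omitting it or naming an unlisted key trips the second Deny
    key_id = headers.get("x-amz-server-side-encryption-aws-kms-key-id")
    if string_not_equals(key_id, APPROVED_KEYS):
        return ("Deny", "DenyWrongKMSKeyUploads")
    return ("Allow", None)

if __name__ == "__main__":
    # The article's four test uploads, plus one path the SCP does not cover.
    cases = [
        ("secure-data/report.pdf", {}),
        ("secure-data/report.pdf", {"x-amz-server-side-encryption": "AES256"}),
        ("secure-data/report.pdf", {"x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id": APPROVED_KEYS[0]}),
        ("secure-data/report.pdf", {"x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:ap-south-1:111122223333:key/invalid-key-id"}),
        ("reports/report.pdf", {}),
    ]
    for key, hdrs in cases:
        print(key, hdrs, "->", evaluate_put_object("my-bucket", key, hdrs))
```

The last case shows the caveat: an object written to a prefix outside secure-data/, private/ or public/ is not covered by this SCP at all, so bucket default encryption or a bucket policy is still needed for those paths.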

Conclusion

By applying this SCP, organizations can enforce secure uploads to S3 buckets, ensure compliance with encryption standards, and prevent unauthorized uploads.
