Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | AWS does not issue standalone API keys for S3. Requests are signed with IAM credentials (an access key ID and secret key, or temporary role credentials) and authorized by IAM policies. | AWS does not use API keys in this context. |
| Authentication & Authorization | IAM Integration | True | AWS IAM provides granular access control to S3 buckets and objects using policies and roles. This allows for fine-grained control over who can access what. | |
| Authentication & Authorization | MFA | True | Multi-factor authentication is available for AWS IAM users who manage S3 resources. This is essential for security best practices but is not a direct feature of S3 itself. | Applies to IAM users, not S3 directly. |
| Authentication & Authorization | Service Account Support | True | AWS IAM provides service roles which allow programmatic access to S3 with clearly defined permissions. | |
| Authentication & Authorization | Standard Protocols | True | S3 supports various standard protocols, including HTTPS for secure communication. | |
| Compliance & Certifications | Compliance Documentation | True | AWS provides extensive compliance documentation for its services, including S3. | |
| Compliance & Certifications | Industry Certifications | True | AWS S3 adheres to numerous industry standards and certifications, such as ISO 27001, SOC 2, and others. Specific certifications vary by region and service. | |
| Data Loss Prevention (DLP) | Data Masking/Redaction | False | S3 doesn't offer built-in data masking/redaction. This functionality would need to be implemented by users before data is uploaded to S3. | No direct built-in functionality. |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | AWS services like Amazon Macie can be integrated to scan S3 buckets for sensitive data. | Requires integration with other AWS services. |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Cross-region data transfers can be controlled through lifecycle policies, S3 object replication, and careful bucket configuration. However, it requires proactive configuration to prevent unintended data transfer. | Requires careful configuration. |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides tools and documentation to help determine data location. The bucket's region is explicitly specified during creation, and AWS provides information about region availability. | |
| Data Residency & Sovereignty | Region Selection | True | AWS S3 allows you to specify the AWS region where your data will be stored. Data is generally not replicated across regions unless specifically configured for high availability or redundancy. | |
| Encryption | Encryption at Rest | True | S3 supports server-side encryption (SSE) in three forms: SSE-S3 with keys managed by S3, SSE-KMS with an AWS managed or a customer managed KMS key (the latter formerly called a CMK), and SSE-C with a key the client supplies on every request. Automatic key rotation is available through AWS KMS. | Which SSE option a request uses is not enforced unless a bucket policy requires it; SSE-C keys are never stored by AWS, so a lost key means lost data. |
| Encryption | Encryption in Transit | True | S3 endpoints support TLS for data in transit, and AWS manages the server-side configuration. Clients determine the TLS version and cipher suites they offer; modern SDK defaults are strong. | S3 also accepts plain HTTP unless a bucket policy denies requests where aws:SecureTransport is false. |
| Logging & Monitoring | Access Logging | True | S3 server access logs record detailed information about requests made to a bucket. | Opt-in per bucket and delivered on a best-effort basis, so not a complete audit record. |
| Logging & Monitoring | Audit Logging | True | AWS CloudTrail logs API calls made to S3. This provides a comprehensive audit trail for security and compliance. | Bucket-level (management) events are logged by default; object-level data events must be enabled separately. |
| Logging & Monitoring | Log Retention | True | CloudWatch Logs retention policies can be configured to manage how long logs are stored. | Applies to logs delivered to CloudWatch Logs; logs delivered to an S3 bucket are retained according to that bucket's lifecycle rules. |
| Logging & Monitoring | Monitoring & Alerting | True | Amazon CloudWatch can be integrated to monitor S3 metrics and set up alerts for anomalies or security events. | |
| Network Security | API Gateway Integration | True | AWS API Gateway can be used to manage and secure access to S3 through a central point. | Requires configuration. |
| Network Security | DDoS Protection | True | AWS offers various services, such as AWS Shield, to mitigate DDoS attacks against S3 buckets. | |
| Network Security | Firewall Rules | True | Access control lists (ACLs) and bucket policies act as ingress/egress controls. Network ACLs and security groups within a VPC further restrict access. | ACLs are disabled by default on new buckets (Object Ownership set to bucket owner enforced); bucket policies are the preferred control. |
| Network Security | Private Access | True | S3 supports private access using Amazon VPC endpoints and VPC peering connections. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | While not explicitly detailed as a public document, AWS adheres to secure API design principles in the design and implementation of S3. | Implicit, not explicitly documented. |
| Secure Development Lifecycle (SDL) | Code Review & Testing | True | AWS employs secure coding practices and security testing throughout its software development lifecycle. Specific details aren't publicly disclosed. | Indirectly |
| Vulnerability Management & Patching | Security Updates | True | AWS is responsible for patching and updating the underlying S3 infrastructure. Updates are generally automatic and transparent to the user. | |
| Vulnerability Management & Patching | Vulnerability Scanning | True | AWS performs regular security assessments and penetration testing of its services. The details are not publicly available; however, AWS publishes security best practices and guidance relevant to S3 security. | Indirectly |
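Several rows above (Encryption at Rest, Encryption in Transit, Firewall Rules, Private Access) come down to controls that S3 only enforces when a bucket policy says so. The following is an added example, not part of the original table and not AWS code: it builds a guardrail bucket policy with explicit Deny statements for non-TLS requests, uploads that do not use SSE-KMS with a specific customer managed key, and requests that do not arrive through a VPC endpoint, then checks a few constructed requests against it with a deliberately simplified local evaluator. The bucket name, KMS key ARN and endpoint ID are placeholders, and the evaluator models only the two condition operators the policy uses.

```python
"""Added example: S3 guardrail bucket policy plus a simplified Deny evaluator.
Not AWS code; the bucket, key ARN and VPC endpoint ID are constructed placeholders."""
import json
from fnmatch import fnmatchcase

BUCKET = "example-bucket"                                               # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"   # placeholder
VPC_ENDPOINT_ID = "vpce-EXAMPLE"                                        # placeholder


def build_bucket_policy(bucket=BUCKET, kms_key_arn=KMS_KEY_ARN, vpce_id=VPC_ENDPOINT_ID):
    """Return the policy as a dict. In IAM evaluation an explicit Deny overrides
    any Allow, so these statements hold regardless of what IAM policies grant."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    both = [bucket_arn, f"{bucket_arn}/*"]
    objects = f"{bucket_arn}/*"

    def deny(sid, action, resource, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": action,
                "Resource": resource, "Condition": condition}

    return {
        "Version": "2012-10-17",
        "Statement": [
            # Encryption in transit: S3 also answers plain HTTP unless it is denied.
            deny("DenyInsecureTransport", "s3:*", both,
                 {"Bool": {"aws:SecureTransport": "false"}}),
            # Encryption at rest: uploads must request SSE-KMS ...
            deny("DenyUnencryptedPuts", "s3:PutObject", objects,
                 {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
            # ... and must name this customer managed key, not the AWS managed default.
            deny("DenyWrongKmsKey", "s3:PutObject", objects,
                 {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}),
            # Private access: requests must arrive through the VPC endpoint.
            deny("DenyOutsideVpcEndpoint", "s3:*", both,
                 {"StringNotEquals": {"aws:sourceVpce": vpce_id}}),
        ],
    }


def policy_json(**kwargs):
    """Serialized form of the policy, as it would be passed to put-bucket-policy."""
    return json.dumps(build_bucket_policy(**kwargs), indent=2)


def _condition_matches(condition, context):
    """Evaluate a Condition block for the operators used above, following the IAM
    rule for absent keys: StringNotEquals is true when the key is missing (which
    is what makes the encryption and endpoint denies bite), Bool is false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled in this example: {operator}")
    return True


def _any_match(patterns, value):
    """IAM-style wildcard match for Action and Resource (single value or list)."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def explicit_denies(policy, request):
    """Return the Sids of Deny statements matched by a request given as
    {'action': 's3:GetObject', 'resource': '<arn>', 'context': {<condition keys>}}.
    Simplified on purpose: Principal is not evaluated and Allow statements are
    ignored, since one matching Deny is enough to block the request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _any_match(stmt["Action"], request["action"]):
            continue
        if not _any_match(stmt["Resource"], request["resource"]):
            continue
        if _condition_matches(stmt.get("Condition", {}), request.get("context", {})):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_bucket_policy()
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    # Constructed request contexts: one compliant upload, one download over plain HTTP.
    compliant = {"aws:SecureTransport": "true", "aws:sourceVpce": VPC_ENDPOINT_ID,
                 "s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}
    insecure = {"aws:SecureTransport": "false", "aws:sourceVpce": VPC_ENDPOINT_ID}
    print("compliant put:", explicit_denies(policy, {"action": "s3:PutObject", "resource": obj, "context": compliant}))
    print("http get     :", explicit_denies(policy, {"action": "s3:GetObject", "resource": obj, "context": insecure}))
```

The DenyOutsideVpcEndpoint statement also blocks the console and any administrator working from outside the VPC, so in practice it is paired with an exception for a break-glass role before being applied. The evaluator here is only a teaching aid for how absent condition keys behave; for a real bucket, check the policy with IAM Access Analyzer or the policy simulator rather than with this script.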