
Pass the AWS Certified Solutions Architect Associate Certification SAA-C03-(Episode 12: S3 Security)

9 min read · May 19, 2025

📌 Notice

Welcome to my blog series on preparing for the AWS Certified Solutions Architect Associate (SAA-C03) exam! If you’re looking to pass this challenging yet rewarding certification, you’re in the right place.

Throughout this blog series, you’ll master core AWS architecture concepts — from IAM security fundamentals to advanced VPC networking, cost-optimized EC2 deployments, serverless patterns with Lambda, and multi-region disaster recovery strategies. We’ll break down all key services (S3, RDS, CloudFront etc.) through real-world solution architectures and exam-focused scenarios. Each post will include hands-on walkthroughs, pro tips for the SAA-C03 exam, and best practices used by AWS professionals. Get ready to transform from AWS beginner to certified Solutions Architect!

Note: this post will be updated with extra questions and a CDK implementation in due course.

🌟 Introduction

In today’s data-driven world, securing sensitive information is non-negotiable. Amazon S3 (Simple Storage Service) offers robust encryption mechanisms to protect your data both at rest and in transit, ensuring compliance with regulatory standards like GDPR, HIPAA, and PCI-DSS. Whether you need automatic encryption managed by AWS (SSE-S3), granular control with AWS KMS (SSE-KMS), or customer-provided keys (SSE-C), S3 provides flexible options to meet your security needs. By implementing S3 encryption, you safeguard data from unauthorized access, mitigate breaches, and maintain trust with stakeholders — all while seamlessly integrating with AWS’s scalable cloud infrastructure. Let’s explore how S3 encryption works and how to choose the right approach for your use case.

Amazon S3 — Object Encryption

SSE — Server Side Encryption

Amazon S3 Encryption — SSE-S3

  • Encryption using keys handled, managed, and owned by AWS
  • Object is encrypted server-side
  • Encryption type is AES-256
  • Must set header “x-amz-server-side-encryption”: “AES256”
  • Enabled by default for new buckets & new objects

Amazon S3 Encryption — SSE-KMS

  • Encryption using keys handled and managed by AWS KMS (Key Management Service)
  • KMS advantages: user control + audit key usage using CloudTrail
  • Object is encrypted server side
  • Must set header “x-amz-server-side-encryption”: “aws:kms”

SSE-KMS Limitation

  • If you use SSE-KMS, you may be impacted by the KMS limits
  • When you upload, it calls the GenerateDataKey KMS API
  • When you download, it calls the Decrypt KMS API
  • Both calls count towards the per-second KMS request quota (5,500, 10,000 or 30,000 req/s depending on the Region)
  • You can request a quota increase using the Service Quotas Console

Amazon S3 Encryption — SSE-C

  • Server-Side Encryption using keys fully managed by the customer outside of AWS
  • Amazon S3 does NOT store the encryption key you provide
  • HTTPS must be used
  • The encryption key must be provided in HTTP headers, for every HTTP request made

Amazon S3 Encryption — Client-Side Encryption

  • Use client libraries such as Amazon S3 Client-Side Encryption Library
  • Clients must encrypt data themselves before sending to Amazon S3
  • Clients must decrypt data themselves when retrieving from Amazon S3
  • Customer fully manages the keys and encryption cycle

Amazon S3 — Encryption in transit (SSL/TLS)

  • Encryption in flight (in transit) uses SSL/TLS
  • Amazon S3 exposes two endpoints:
    • HTTP endpoint — not encrypted
    • HTTPS endpoint — encryption in flight
  • HTTPS is recommended
  • HTTPS is mandatory for SSE-C
  • Most clients would use the HTTPS endpoint by default

Amazon S3 — Force Encryption in Transit aws:SecureTransport

Amazon S3 — Default Encryption vs. Bucket Policies

  • SSE-S3 encryption is automatically applied to new objects stored in S3 bucket
  • Optionally, you can “force encryption” using a bucket policy and refuse any API call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C)

Note: Bucket Policies are evaluated before “Default Encryption”
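The two bucket-policy ideas above (denying plain-HTTP requests via aws:SecureTransport, and refusing PUTs that do not carry an SSE-KMS header) are easiest to see as one policy document. The script below is an added example, not code from the original post: it prints a policy for a placeholder bucket name and, only when APPLY=1 is set, pushes it with the AWS CLI. It enforces SSE-KMS specifically (SSE-C uses a different header set), and it carries both a StringNotEquals and a Null condition, because a PUT with no encryption header at all would otherwise slip past the StringNotEquals check and be stored with the SSE-S3 default.

```sh
#!/bin/sh
# Added example (not from the original post). Builds a bucket policy that
#  (1) denies every request that arrives over plain HTTP (aws:SecureTransport = false), and
#  (2) denies s3:PutObject unless the x-amz-server-side-encryption header is present
#      and equals aws:kms (SSE-KMS).
# "my-bucket" is a constructed placeholder; set BUCKET to your own bucket name.

# Print the policy JSON for the given bucket name.
secure_bucket_policy() {
  bucket=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    },
    {
      "Sid": "DenyPutWithWrongEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/*",
      "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" } }
    },
    {
      "Sid": "DenyPutWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::${bucket}/*",
      "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } }
    }
  ]
}
EOF
}

# Sanity check used before applying: how many Deny statements did we generate?
count_deny_statements() {
  secure_bucket_policy "$1" | grep -c '"Effect": "Deny"'
}

# Push the policy with the AWS CLI (needs credentials; not run unless APPLY=1).
apply_secure_bucket_policy() {
  bucket=$1
  secure_bucket_policy "$bucket" > "/tmp/${bucket}-policy.json"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file:///tmp/${bucket}-policy.json"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_secure_bucket_policy "${BUCKET:-my-bucket}"
else
  secure_bucket_policy "${BUCKET:-my-bucket}"
fi
```

Because bucket policies are evaluated before default encryption, a client that uploads without the header is rejected outright rather than silently getting SSE-S3; check with a test upload over HTTP and one without the header before relying on it.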

What is CORS (Cross-Origin Resource Sharing)?

  • Origin = scheme (protocol) + host (domain) + port

example: https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)

Amazon S3 — CORS

  • If a client makes a cross-origin request on our S3 bucket, we need to enable the correct CORS headers
  • It’s a popular exam question
  • You can allow for a specific origin or for * (all origins)
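To make the "origin = scheme + host + port" rule concrete, here is an added example (not from the original post) that computes the origin of a URL the way a browser does, dropping the implied 443/80, and then emits an S3 CORS configuration that allows only that origin instead of *. The bucket name and origins are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): origin extraction plus a matching
# S3 CORS configuration. Bucket name and origins below are constructed placeholders.

# Print the origin of a URL as scheme://host[:port]. The default port for the
# scheme (443 for https, 80 for http) is omitted, matching browser origin comparison.
# Simple parser: no userinfo or IPv6 literals are handled.
origin_of() {
  url=$1
  scheme=${url%%://*}
  rest=${url#*://}
  hostport=${rest%%/*}
  host=${hostport%%:*}
  port=${hostport#"$host"}
  port=${port#:}
  case "$scheme:$port" in
    https:443|http:80|*:) printf '%s://%s\n' "$scheme" "$host" ;;
    *) printf '%s://%s:%s\n' "$scheme" "$host" "$port" ;;
  esac
}

# Print a CORS configuration allowing the given origins (one per argument)
# for browser GET and PUT, e.g. for presigned-URL uploads from a web app.
cors_config() {
  origins=""
  for o in "$@"; do
    origins="${origins:+$origins, }\"$o\""
  done
  cat <<EOF
{
  "CORSRules": [
    {
      "AllowedOrigins": [${origins}],
      "AllowedMethods": ["GET", "PUT"],
      "AllowedHeaders": ["*"],
      "ExposeHeaders": ["ETag"],
      "MaxAgeSeconds": 3000
    }
  ]
}
EOF
}

# Apply the configuration to a bucket (needs AWS credentials; call explicitly).
apply_cors() {
  bucket=$1; shift
  cors_config "$@" > /tmp/cors.json
  aws s3api put-bucket-cors --bucket "$bucket" --cors-configuration file:///tmp/cors.json
}

# Example: derive the origin from the page URL the front end is served from.
# apply_cors my-bucket "$(origin_of https://www.example.com/app/index.html)"
```

Note that https://www.example.com and https://www.example.com:8443 are different origins, so a staging front end on a non-default port needs its own entry rather than a wildcard.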

Amazon S3 — MFA Delete

  • MFA (Multi-Factor Authentication) — force users to generate a code on a device (usually a mobile phone or hardware token) before doing important operations on S3
  • MFA will be required to:
    • Permanently delete an object version
    • Suspend Versioning on the bucket
  • MFA won’t be required to:
    • Enable Versioning
    • List deleted versions
  • To use MFA Delete, Versioning must be enabled on the bucket
  • Only the bucket owner (root account) can enable/disable MFA Delete

S3 Access Logs

  • For audit purposes, you may want to log all access to S3 buckets
  • Any request made to S3, from any account, authorized or denied, will be logged into another S3 bucket
  • That data can be analyzed using data analysis tools
  • The target logging bucket must be in the same AWS Region

S3 Access Logs: Warning

  • Do not set your logging bucket to be the monitored bucket
  • It will create a logging loop, and your bucket will grow exponentially

Amazon S3 — Pre-Signed URLs

  • Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
  • URL expiration:
    • S3 Console — 1 min up to 720 mins (12 hours)
    • AWS CLI — configure expiration with the --expires-in parameter in seconds (default 3600 secs, max. 604800 secs ~ 168 hours)
  • Users given a pre-signed URL inherit the permissions of the user that generated the URL for GET / PUT
  • Examples:
    • Allow only logged-in users to download a premium video from your S3 bucket
    • Allow an ever-changing list of users to download files by generating URLs dynamically
    • Temporarily allow a user to upload a file to a precise location in your S3 bucket
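Here is an added example (not from the original post) of the CLI path for the "premium video" case: it validates the requested lifetime against the limits listed above before calling aws s3 presign, so a typo does not produce a URL that lives for a week. The bucket and key are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): presigned GET URLs from the CLI with
# an expiry check. Bucket/key names are constructed placeholders.

MAX_EXPIRES=604800      # CLI maximum: 7 days (604800 s)
DEFAULT_EXPIRES=3600    # CLI default: 1 hour

# Return 0 if the argument is a positive integer within 1..MAX_EXPIRES, else 1.
valid_expiry() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le "$MAX_EXPIRES" ]
}

# Print the value that will be passed to --expires-in: the default when no
# lifetime is given, the given value when it is in range, an error otherwise.
expiry_or_default() {
  if [ -z "$1" ]; then
    echo "$DEFAULT_EXPIRES"
  elif valid_expiry "$1"; then
    echo "$1"
  else
    echo "expiry must be 1..$MAX_EXPIRES seconds, got '$1'" >&2
    return 1
  fi
}

# Print a presigned GET URL for s3://BUCKET/KEY valid for SECONDS (optional).
# The URL carries the permissions of the CLI identity that signs it, so run this
# under a role that can only read the prefix you intend to share.
presign_download() {
  bucket=$1; key=$2
  secs=$(expiry_or_default "$3") || return 1
  aws s3 presign "s3://${bucket}/${key}" --expires-in "$secs"
}

# Example: a 10-minute link to one video (needs AWS credentials).
# presign_download my-bucket premium/video.mp4 600
```

aws s3 presign only produces GET URLs; for the upload example in the list above you generate the PUT URL with an SDK, and the same permission rule applies: the signer's identity, not the recipient's, is what S3 authorizes.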

S3 Glacier Vault Lock

  • Adopt a WORM (Write Once Read Many) model
  • Create a Vault Lock Policy
  • Lock the policy for future edits (can no longer be changed or deleted)
  • Helpful for compliance and data retention

S3 Object Lock (versioning must be enabled)

When dealing with sensitive data — especially in regulated industries like finance, healthcare, or legal sectors — you need a way to ensure that critical files cannot be deleted or modified for a set period. Amazon S3 offers Object Lock, a feature that enforces WORM (Write Once Read Many) protection.

1. What is WORM in Amazon S3?

WORM ensures that once an object is written, it cannot be altered or deleted for a defined period (or indefinitely). Amazon S3 supports this via:
  • Retention Modes (time-based protection)
  • Legal Holds (indefinite protection)

2. What is a Retention Period?

A retention period is a time-based lock that prevents S3 objects from being deleted or modified until the set duration expires. It’s part of S3 Object Lock’s WORM (Write Once Read Many) model.

3. Retention Modes: Compliance vs. Governance

When to Use Which?

  • Compliance Mode → For legal/regulatory requirements
  • Governance Mode → For internal audits where exceptions may be needed.

4. Retention Period vs. Legal Hold

5. How to Set Up Retention Periods

1. Prerequisites

  • Enable Object Lock during bucket creation (it cannot be added later!):

    aws s3api create-bucket --bucket my-bucket --object-lock-enabled-for-bucket

2. Set Retention on an Object

Via AWS Console:

  1. Upload a file to your S3 bucket.
  2. Select the object → Object actions → Edit retention.
  3. Choose:
    • Governance Mode (flexible) or Compliance Mode (strict).
    • Set a retention period (e.g., 365 days).

Via AWS CLI:

    aws s3api put-object-retention \
      --bucket my-bucket \
      --key document.pdf \
      --retention '{
        "Mode": "COMPLIANCE",
        "RetainUntilDate": "2025-12-31T00:00:00Z"
      }'
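The retention command above is one half of Object Lock; the legal hold is the other, and the two interact with deletion differently. The following is an added example (not from the original post) that wraps the relevant CLI calls: it validates the retention mode and timestamp before calling put-object-retention, toggles a legal hold, shows how to read both states back, and shows the one way a GOVERNANCE lock can be bypassed. Bucket, key, version and dates are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): helpers around S3 Object Lock.
# Bucket, key, version id and dates are constructed placeholders.

# Print the --retention JSON after checking the mode and the timestamp format,
# so a bad value fails here instead of as a confusing API error.
retention_json() {
  mode=$1; until=$2
  case "$mode" in
    GOVERNANCE|COMPLIANCE) ;;
    *) echo "mode must be GOVERNANCE or COMPLIANCE, got '$mode'" >&2; return 1 ;;
  esac
  case "$until" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
    *) echo "RetainUntilDate must look like 2025-12-31T00:00:00Z" >&2; return 1 ;;
  esac
  printf '{"Mode": "%s", "RetainUntilDate": "%s"}\n' "$mode" "$until"
}

# Apply a time-based retention period to an object (latest version).
set_retention() {
  bucket=$1; key=$2; mode=$3; until=$4
  json=$(retention_json "$mode" "$until") || return 1
  aws s3api put-object-retention --bucket "$bucket" --key "$key" --retention "$json"
}

# Place (ON) or lift (OFF) a legal hold. A legal hold is independent of any
# retention period: the object stays undeletable until the hold is removed,
# no matter when RetainUntilDate passes.
set_legal_hold() {
  bucket=$1; key=$2; status=$3
  case "$status" in
    ON|OFF) ;;
    *) echo "status must be ON or OFF, got '$status'" >&2; return 1 ;;
  esac
  aws s3api put-object-legal-hold --bucket "$bucket" --key "$key" --legal-hold "Status=$status"
}

# Read back both protections for an object.
show_lock_state() {
  bucket=$1; key=$2
  aws s3api get-object-retention --bucket "$bucket" --key "$key"
  aws s3api get-object-legal-hold --bucket "$bucket" --key "$key"
}

# Delete a specific version that is under a GOVERNANCE lock. This needs the flag
# below AND the s3:BypassGovernanceRetention permission; a COMPLIANCE lock cannot
# be bypassed by anyone, including the root user, until RetainUntilDate.
delete_under_governance() {
  bucket=$1; key=$2; version=$3
  aws s3api delete-object --bucket "$bucket" --key "$key" \
    --version-id "$version" --bypass-governance-retention
}

# Example sequence (needs AWS credentials and an Object Lock enabled bucket):
# set_retention my-bucket document.pdf GOVERNANCE 2025-12-31T00:00:00Z
# set_legal_hold my-bucket document.pdf ON
# show_lock_state my-bucket document.pdf
```

Two points worth checking in your own account: a plain delete-object without a version id only adds a delete marker and never violates a lock, and granting s3:BypassGovernanceRetention is itself the audit-relevant decision, since anyone holding it can shorten or remove a GOVERNANCE period.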

S3 — Access Points

1. Why Use S3 Access Points?

Managing permissions for large-scale S3 buckets can get messy. Amazon S3 Access Points simplify security by:
✔ Providing unique DNS endpoints for different applications/users
✔ Allowing fine-grained access policies (without complex bucket policies)
✔ Supporting VPC-only access for private workloads

2. Key Features

3. Types of Access Points

A. Internet-Accessible Access Points

  • Use when apps/users outside AWS need S3 access.

B. VPC-Only Access Points (More Secure)

  • We can define the access point to be accessible only from within the VPC
  • You must create a VPC Endpoint to access the Access Point (Gateway or Interface Endpoint)
  • The VPC Endpoint Policy must allow access to the target bucket and Access Point
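The three bullets above map onto three artefacts that have to agree: the access point itself (tied to one VPC), the bucket policy that hands control over to access points, and the VPC endpoint policy that must name both the bucket and the access point. The script below is an added example (not from the original post) that generates all three; the account id, Region, VPC id, bucket, access point name and role ARN are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): a VPC-only S3 Access Point with the
# bucket policy, access point policy and VPC endpoint policy that go with it.
# All identifiers below are constructed placeholders; replace them with your own.

ACCOUNT_ID=123456789012
REGION=us-east-1

# Print the ARN of an access point in this account and Region.
access_point_arn() {
  printf 'arn:aws:s3:%s:%s:accesspoint/%s\n' "$REGION" "$ACCOUNT_ID" "$1"
}

# Bucket policy: allow access only when the request comes through an access point
# owned by this account, so the access point policies become the single place
# where permissions are managed.
delegating_bucket_policy() {
  bucket=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DelegateToAccessPoints",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
    "Condition": { "StringEquals": { "s3:DataAccessPointAccount": "${ACCOUNT_ID}" } }
  }]
}
EOF
}

# Access point policy: one role may read one prefix through this access point.
# Object resources under an access point use the /object/<key> ARN form.
access_point_policy() {
  ap=$1; role_arn=$2; prefix=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${role_arn}" },
    "Action": "s3:GetObject",
    "Resource": "$(access_point_arn "$ap")/object/${prefix}*"
  }]
}
EOF
}

# VPC endpoint policy: must allow both the bucket and the access point, otherwise
# requests through the endpoint are denied before any S3 policy is consulted.
vpc_endpoint_policy() {
  bucket=$1; ap=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::${bucket}/*",
      "$(access_point_arn "$ap")/object/*"
    ]
  }]
}
EOF
}

# Create the access point restricted to one VPC and attach the policies
# (needs AWS credentials; call explicitly).
create_vpc_access_point() {
  bucket=$1; ap=$2; vpc=$3; role_arn=$4; prefix=$5
  aws s3control create-access-point --account-id "$ACCOUNT_ID" --name "$ap" \
    --bucket "$bucket" --vpc-configuration "VpcId=$vpc"
  delegating_bucket_policy "$bucket" > /tmp/bucket-policy.json
  aws s3api put-bucket-policy --bucket "$bucket" --policy file:///tmp/bucket-policy.json
  access_point_policy "$ap" "$role_arn" "$prefix" > /tmp/ap-policy.json
  aws s3control put-access-point-policy --account-id "$ACCOUNT_ID" --name "$ap" \
    --policy file:///tmp/ap-policy.json
}

# Example:
# create_vpc_access_point my-bucket finance-ap vpc-0123456789abcdef0 \
#   arn:aws:iam::123456789012:role/reports reports/
```

The VPC endpoint policy is attached with the EC2 API (the endpoint, not S3, owns it); the function above only prints it so you can paste it into the endpoint configuration and keep it in source control next to the other two.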

S3 Object Lambda

Amazon S3 is perfect for storing files — but what if you need to modify data before delivering it to users?

  • Redact sensitive info for different teams
  • Convert file formats (XML → JSON) dynamically
  • Resize images based on user requests

Solution: S3 Object Lambda — Process objects in real-time using AWS Lambda before they’re retrieved!

  • Use AWS Lambda Functions to change the object before it is retrieved by the caller application
  • Only one S3 bucket is needed, on top of which we create S3 Access Point and S3 Object Lambda Access Points.

How S3 Object Lambda Works

Why This Beats Traditional Approaches

AWS Hands-On

AWS Cloud Practitioner Questions

AWS Solution Architect Associate Questions

🧾 Conclusion

AWS S3 provides robust security features like encryption (SSE-S3/KMS/C), Object Lock (WORM), Access Points, and Object Lambda to protect data at rest and in transit. Use Retention Periods for time-based immutability and Legal Holds for indefinite protection. VPC-restricted Access Points enhance privacy, while Object Lambda enables real-time data transformations. Always enable default encryption and versioning to safeguard against breaches. Together, these tools ensure compliance, prevent unauthorized access, and maintain data integrity in any workflow.

Next Episode: “Pass the AWS Certified Solutions Architect Associate Certification SAA-C03! (Episode 14: CloudFront & Global Accelerator)”

To stay informed on the latest technical insights and tutorials, connect with me on Medium and LinkedIn. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have.

Written by Paul issack minoltan

I am a Professional Software Engineer
