How to Protect AWS S3 Buckets and Prevent Data Leaks


TechOps Examples

Hey — It's Govardhana MK 👋

Welcome to another technical edition.


🧠 DEEP DIVE USE CASE


Misconfigured S3 buckets are a leading cause of data leaks in the cloud. Public access settings often expose private information to the internet, costing companies millions and damaging customer trust. Hard to believe?

Before jumping into storage-level protections, let us first understand how encryption works in simple terms.

Data is locked using one key and unlocked using another. In public-key encryption, the public key is used to lock the data and the secret (private) key is used to unlock it. Without the secret key, no one can read the data. This is the basic idea behind how most secure systems protect information. The S3 options below use symmetric encryption (AES-256), where a single key both locks and unlocks, so the real questions are who holds that key and who is allowed to use it.

Amazon S3 supports multiple options to encrypt objects at rest. Historically S3 did not encrypt your data by default; since January 2023 AWS applies SSE-S3 to every new object automatically, but objects uploaded before that, and any stricter requirement such as customer-managed KMS keys, still need you to choose and configure the encryption method that fits your needs. Before choosing, ask yourself:

  • Who encrypts the data?

  • Where is the key stored?

  • Who manages the key?

Here are the four methods available for encrypting objects in S3: SSE-S3, SSE-KMS, SSE-C, and Client-Side Encryption.

1. SSE-S3

This is the easiest way to get encryption at rest with zero code changes.

  • Encrypts your objects using AES-256 automatically during upload.

  • Decrypts them transparently during download.

  • All keys are fully managed by AWS. You don’t create, rotate, or store anything.

You can enable SSE-S3 in two ways:

1. Per object: Use this header when uploading
x-amz-server-side-encryption: AES256
2. Bucket wide default:

Go to S3 > Bucket > Properties > Default Encryption, and choose AES-256.

This ensures all uploads to the bucket are encrypted without requiring any headers from clients.

What to watch out for:

  • Since AWS owns the keys, you won’t get CloudTrail events for key access.

  • You cannot define key rotation intervals or custom key policies.

  • Default encryption helps, but old objects uploaded before enabling it remain unencrypted.

Use S3 Inventory Reports to confirm which objects are encrypted.

2. SSE-KMS

SSE-KMS builds on top of SSE-S3 but gives you more control over key management and access monitoring.

  • Uses AWS KMS to manage encryption keys.

  • Encrypts objects with a unique data key, which is itself protected by a Customer Master Key (CMK) in KMS.

  • Decryption requires permissions not just to the S3 object but also to the KMS key.

You can enable SSE-KMS in two ways:

1. Per object: Add this header when uploading:
x-amz-server-side-encryption: aws:kms
2. Bucket wide default:

Under S3 > Bucket > Properties > Default Encryption, choose AWS Key Management Service key (SSE-KMS) and select a KMS key (either AWS-managed or customer-managed).

What you can control:

  • You can create, name, and define key policies for each key.

  • You can let AWS auto-rotate keys annually or manually rotate them yourself.

  • Each encryption and decryption action is logged in AWS CloudTrail, including who accessed what and when.

If a user has S3 access but lacks kms:Decrypt on the KMS key, the download will fail.
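Both sections above end with the same operational question: which objects in the bucket are actually encrypted, and with which method? The script below is an added example (not from the newsletter) that audits an S3 Inventory report offline. It assumes a reduced inventory schema of "Bucket, Key, Size, EncryptionStatus" (real manifests list more columns, and the column order always comes from the manifest's fileSchema field) and uses constructed sample rows; the status values NOT-SSE, SSE-S3, SSE-KMS and SSE-C are the ones S3 Inventory emits.

```python
import csv
import io
from collections import Counter

# S3 Inventory CSV files have no header row; the column order is given by the
# "fileSchema" field of manifest.json. Reduced schema, an assumption for this example.
FILE_SCHEMA = "Bucket, Key, Size, EncryptionStatus"

# Constructed sample rows: a mix of unencrypted legacy objects (uploaded before
# default encryption was turned on), SSE-S3, SSE-KMS and SSE-C objects.
SAMPLE_INVENTORY = """\
"example-bucket","reports/2023/q1.csv","10240","NOT-SSE"
"example-bucket","reports/2024/q1.csv","20480","SSE-S3"
"example-bucket","exports/customers.parquet","4096","SSE-KMS"
"example-bucket","legacy/dump.sql","81920","NOT-SSE"
"example-bucket","tmp/upload.bin","512","SSE-C"
"""


def parse_inventory(csv_text, file_schema):
    """Map each inventory row onto the column names from the manifest schema."""
    columns = [c.strip() for c in file_schema.split(",")]
    rows = []
    for record in csv.reader(io.StringIO(csv_text)):
        if record:  # skip blank trailing lines
            rows.append(dict(zip(columns, record)))
    return rows


def audit_encryption(rows, required=("SSE-KMS",)):
    """Return (unencrypted keys, [(key, status)] encrypted with a method outside
    `required`). With the default, SSE-S3 objects are flagged because they give
    no per-key CloudTrail trail and no custom key policy, as the text explains."""
    unencrypted, non_compliant = [], []
    for row in rows:
        status = row.get("EncryptionStatus", "")
        if status == "NOT-SSE":
            unencrypted.append(row["Key"])
        elif status not in required:
            non_compliant.append((row["Key"], status))
    return unencrypted, non_compliant


def summarize(rows):
    """Count objects per encryption status, e.g. for a dashboard or ticket."""
    return Counter(r.get("EncryptionStatus", "") for r in rows)


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY, FILE_SCHEMA)
    print("status counts:", dict(summarize(inventory)))
    plain, other = audit_encryption(inventory)
    for key in plain:
        print("UNENCRYPTED (re-copy with SSE to fix):", key)
    for key, status in other:
        print(f"NOT SSE-KMS ({status}):", key)
```

Objects reported as NOT-SSE are exactly the "old objects uploaded before enabling it" case; enabling default encryption does not touch them, they have to be copied in place with the desired SSE setting.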
