Glossary Term

Amazon S3

Amazon’s object storage service; powerful and durable, but misconfigured buckets routinely expose sensitive data.


What it is

Amazon Simple Storage Service (S3) is a scalable object storage service that allows organizations to store and retrieve virtually any amount of data from anywhere. S3 underpins countless web applications, backup systems, and data lakes. Data resides in buckets, top-level containers with globally unique names that hold objects (files) and their metadata. Buckets support versioning, lifecycle rules, encryption, and fine-grained access control through AWS Identity and Access Management (IAM) policies, bucket policies, and (now largely legacy) Access Control Lists (ACLs). Objects can be accessed through the REST API, the AWS console, or SDKs, and S3's design delivers 11 nines (99.999999999%) of durability by storing copies of each object across multiple devices and facilities.

Security features include server-side encryption at rest (SSE-S3, which S3 applies to all new objects by default since January 2023; SSE-KMS for customer-managed keys; SSE-C for customer-supplied keys), encryption in transit (HTTPS/TLS), S3 Object Lock for immutability, Cross-Region Replication for resilience, and integration with services such as AWS CloudTrail, AWS Config, and Amazon Macie. Yet the same flexibility that makes S3 powerful also creates risk: public buckets granted through permissive bucket policies or ACLs, overly broad IAM permissions, and leaked access keys remain common causes of data breaches. Encryption at rest does not help against any of these, because a principal that is authorized to read an object (including the anonymous public, if a policy allows it) receives the plaintext.

Why it matters

S3's ubiquity makes it a prime target for attackers, researchers, and compliance auditors. A single misconfigured bucket can expose sensitive customer data, credentials, or proprietary assets to the public internet. Numerous high-profile breaches trace back to unsecured S3 buckets, leading to fines, lawsuits, and reputational damage. Attackers continuously scan for publicly accessible buckets and copy whatever they find, so correcting permissions stops further reads but does not undo an exposure that has already occurred. Weak IAM configurations or leaked access keys allow unauthorized API calls, ransomware-style re-encryption or deletion of objects, or large-scale data exfiltration.

How to reduce risk

  • Turn on Block Public Access at the account level and on every bucket. It is on by default for buckets created since April 2023, but older buckets and accounts must be checked explicitly, and any exception should be a documented, deliberate decision.
  • Grant least-privilege IAM permissions (specific actions on specific bucket ARNs, not s3:* on *) and restrict cross-account access to named principals, ideally with conditions.
  • Enforce transport and encryption requirements in the bucket policy: deny requests where aws:SecureTransport is false, and deny PutObject without the SSE-KMS header where key-level control matters (new objects get SSE-S3 by default, so the goal is controlling the key, not merely having encryption).
  • Continuously monitor with AWS Config rules, CloudTrail (including S3 data events for sensitive buckets, which are not logged by default), and Amazon Macie for misconfigurations or exposed sensitive data.
  • Audit bucket policies, ACLs, and server access logs regularly; prefer disabling ACLs altogether (Object Ownership set to "bucket owner enforced") so the bucket policy is the single place permissions live.
  • Enable versioning and MFA Delete to guard against accidental or malicious deletions, and use Object Lock for data that must be immutable.
  • Integrate S3 posture checks into vulnerability management, IaC pipelines (lint bucket resources before deployment), and compliance scans.
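To make the "enforce transport and encryption in the bucket policy" and "audit bucket policies" items concrete, here is an added Python example (not code from this page or from AWS) that builds a hardened bucket policy and then audits any policy document for public Allow statements and missing hardening denies. It runs offline on constructed sample policies; the bucket name and the helper names are this example's own, and it inspects only the policy document, not account-level Block Public Access, ACLs, or IAM.

```python
"""Build a hardened S3 bucket policy and audit policy documents offline.

Added example, not AWS or the page's own code. The bucket name, the helper
names and the OPEN_POLICY sample are constructed for illustration.
"""
from __future__ import annotations

import json


def build_hardened_policy(bucket: str) -> dict:
    """Return a bucket policy that rejects plaintext HTTP and rejects
    uploads that do not request SSE-KMS.

    Caveat: the SSE condition checks the request header, not the bucket's
    default encryption, so clients that omit the header are denied even when
    default encryption would have applied. Send the header explicitly.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": "aws:kms"
                    }
                },
            },
        ],
    }


def _is_public_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the anonymous/everyone principal)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])


def audit_policy(policy: dict) -> list[str]:
    """Return findings for a bucket policy document (empty list = no findings).

    Flags Allow statements granted to everyone and reports whether the
    TLS-only and encryption-required Deny statements are present.
    """
    findings: list[str] = []
    has_tls_deny = False
    has_sse_deny = False
    for stmt in policy.get("Statement", []):
        effect = stmt.get("Effect")
        cond = stmt.get("Condition", {})
        if effect == "Allow" and _is_public_principal(stmt.get("Principal")):
            # An unconditional public Allow is the classic open bucket; a
            # conditioned one (e.g. limited to a VPC endpoint) is narrower
            # but still deserves a human look.
            sev = "HIGH" if not cond else "REVIEW"
            findings.append(
                f"{sev}: statement {stmt.get('Sid', '?')} allows Principal * "
                f"for {stmt.get('Action')}"
            )
        elif effect == "Deny":
            if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
                has_tls_deny = True
            if "s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {}):
                has_sse_deny = True
    if not has_tls_deny:
        findings.append("MEDIUM: no Deny for aws:SecureTransport=false (plaintext HTTP allowed)")
    if not has_sse_deny:
        findings.append("LOW: no Deny for unencrypted PutObject (encryption not enforced by policy)")
    return findings


# Constructed sample of the classic misconfiguration: world-readable bucket.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_hardened_policy("example-bucket"), indent=2))
    for finding in audit_policy(OPEN_POLICY):
        print(finding)
```

The hardened policy can be applied with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`; the audit function is meant to run over policies pulled with `get-bucket-policy` across an account, and a "HIGH" finding on any bucket that also lacks Block Public Access is a real public exposure.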