AWS S3 (Simple Storage Service) is one of the core building blocks of the AWS cloud ecosystem. While it is powerful and widely adopted, improper configuration can expose sensitive data, allow unintended access, and lead to costly security incidents.
1. Fundamentals of AWS S3
A. What is Amazon S3?
Amazon S3 is a cloud-based object storage service launched in March 2006. It provides highly scalable, durable, and cost-effective storage for files such as images, documents, logs, application data, and backups.
Key properties:
- Default quota of 100 buckets per AWS account (a higher quota can be requested through Service Quotas).
- Unlimited objects per bucket.
- Maximum object size: 5 TB. A single PUT is limited to 5 GB, so larger objects are uploaded in parts with multipart upload.
- Stores trillions of objects globally.
- Can host static websites and act as a CloudFront origin.
B. S3 Security Model
S3 security is built around controlled access and encryption:
1. Default Access Behavior
- By default, new buckets and the objects in them are private: no principal outside the owning account can read or write them unless a policy grants it. Since April 2023 new buckets are also created with Block Public Access enabled and ACLs disabled (Object Ownership set to "bucket owner enforced").
- Within the owning account, only the account root user has access implicitly; IAM users and roles still need a policy that allows the action.
2. IAM and Bucket Policies
- IAM principals (users and roles) can act on S3 only if an identity-based policy attached to them allows the specific action on the specific resource.
- Bucket policies are resource-based: they can allow or deny access to individual principals, roles, whole accounts, or the public (Principal "*").
- AWS evaluates both together to reach a decision: an explicit Deny in either policy always wins; within the same account an Allow in either the identity policy or the bucket policy is sufficient; for a principal in a different account the request must be allowed by both the caller's identity policy and the bucket policy.
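The evaluation rules above are easiest to see with a small model. The following is an added example, not code from the original page and not AWS's policy engine: it models only Effect, Principal, Action and Resource with `*` wildcards, and ignores Conditions, SCPs, permission boundaries, session policies, ACLs and Block Public Access. The bucket name `corp-logs`, the account IDs and the principal ARNs are constructed for the illustration.

```python
"""Simplified model of how an identity (IAM) policy and an S3 bucket policy
combine for one request. Added illustration only; it is not AWS's evaluator.
Modelled: Effect / Principal / Action / Resource with '*' wildcards.
Ignored: Condition, SCPs, permission boundaries, session policies, ACLs,
Block Public Access."""
from fnmatch import fnmatchcase


def _as_list(value):
    # Policy documents allow a string or a list in most fields.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # '*' in an Action or Resource pattern matches any characters, including '/'.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, principal_arn):
    # Principal "*" (or {"AWS": "*"}) matches everyone, including anonymous callers.
    if principal == "*" or principal == {"AWS": "*"}:
        return True
    if principal_arn is None:  # anonymous caller only matches "*"
        return False
    return _matches(principal.get("AWS", []), principal_arn)


def _evaluate(policy, principal_arn, action, resource, check_principal):
    """Return 'Allow', 'Deny' or None (no statement matched)."""
    verdict = None
    for stmt in _as_list(policy.get("Statement", [])):
        if check_principal and not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        verdict = "Allow"
    return verdict


def account_of(arn):
    # arn:aws:iam::123456789012:user/alice -> "123456789012"
    return arn.split(":")[4]


def is_allowed(identity_policy, bucket_policy, principal_arn, bucket_owner_account, action, resource):
    """Combine both policies. principal_arn=None models an anonymous request."""
    identity_verdict = None
    if principal_arn is not None:
        # Identity policies have no Principal element; they apply to the attached principal.
        identity_verdict = _evaluate(identity_policy or {}, principal_arn, action, resource, check_principal=False)
    bucket_verdict = _evaluate(bucket_policy, principal_arn, action, resource, check_principal=True)

    if "Deny" in (identity_verdict, bucket_verdict):
        return False  # explicit Deny in either policy wins
    if principal_arn is None:
        return bucket_verdict == "Allow"  # public access needs a Principal "*" Allow
    if account_of(principal_arn) == bucket_owner_account:
        return "Allow" in (identity_verdict, bucket_verdict)  # same account: either is enough
    return identity_verdict == "Allow" and bucket_verdict == "Allow"  # cross-account: both required


# Constructed sample data (hypothetical bucket, accounts and principals).
BUCKET_OWNER = "111111111111"
ALICE = "arn:aws:iam::111111111111:user/alice"        # same account as the bucket
AUDITOR = "arn:aws:iam::222222222222:role/auditor"    # a different account

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuditorRead", "Effect": "Allow",
         "Principal": {"AWS": AUDITOR},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-logs/*"},
        {"Sid": "NobodyReadsSecrets", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::corp-logs/secrets/*"},
    ],
}
READ_LOGS = {  # identity policy attached to the caller
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::corp-logs/*"}],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::corp-logs/2024/app.log"
    secret = "arn:aws:s3:::corp-logs/secrets/key.pem"
    print("alice reads log     ", is_allowed(READ_LOGS, BUCKET_POLICY, ALICE, BUCKET_OWNER, "s3:GetObject", obj))
    print("alice reads secret  ", is_allowed(READ_LOGS, BUCKET_POLICY, ALICE, BUCKET_OWNER, "s3:GetObject", secret))
    print("auditor, both allow ", is_allowed(READ_LOGS, BUCKET_POLICY, AUDITOR, BUCKET_OWNER, "s3:GetObject", obj))
    print("auditor, no IAM     ", is_allowed({}, BUCKET_POLICY, AUDITOR, BUCKET_OWNER, "s3:GetObject", obj))
    print("anonymous reads log ", is_allowed(None, BUCKET_POLICY, None, BUCKET_OWNER, "s3:GetObject", obj))
```

Running it shows the four rules in action: alice succeeds on the log object with only her identity policy (same account), is blocked on `secrets/` by the bucket policy's Deny even though her identity policy allows it, the cross-account auditor role succeeds only when both its own identity policy and the bucket policy allow, and the anonymous request fails because no statement grants `Principal "*"` an Allow.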
3. Cross-Account Access