DEV Community

Cover image for How to securely deploy an AWS-S3 bucket with Terraform
Augusto Valdivia for AWS Community Builders

Posted on

How to securely deploy an AWS-S3 bucket with Terraform

In this article, you will learn how to securely deploy and configure an AWS-S3 bucket using Terraform. You might be asking yourself, wait a minute, this is an easy task, so why do I need a template to achieve it?

The answer to this question is yes, it is an easy task, but represents a huge risk if you don't select the security boxes every time you create one manually. What if you need to create 100 plus buckets manually every day? What are the chances that you might forget to select one of the security boxes? Thus, having a securely configured Terraform template could mitigate that risk of being caught in a news headliner. I know you have seen them more often than not.

Some news headliners that I have seen include:

"AWS S3 storage buckets leaking due to misconfiguration”
“Unprotected AWS buckets again involved in multiple data leaks”
“Another misconfigured AWS S3 bucket exposes”

We cannot change the past but we definitely can change the future.

Let’s explore further. Amazon Simple Storage Service (AKA S3) is an object storage service. S3 offers industry-leading scalability, data availability, security, and performance.

A few S3 use cases are:

  • Data lakes
  • Websites host
  • Mobile applications
  • IoT devices
  • Big data analytics

How S3 works

First you create a bucket and give a unique bucket name, select an AWS region where you would like to create your bucket then you upload and store your data as objects within the bucket or buckets. Objects are files and any metadata that describes your file or files.

What are some elements that are included in AWS-S3?

Buckets: A bucket is a container for objects stored in Amazon S3.

Regions: AWS Region where Amazon S3 stores the buckets that you create

Objects: Objects are the basic entities stored in Amazon S3.

Keys: Are unique identifiers for an object or objects within a bucket.

S3 Versioning: You can use S3 versioning to keep many variants of an object in the same bucket.

Version ID: Is Amazon S3 generates unique version ID for each object added to a bucket.

Bucket policy: A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that you can use to grant access permissions to your bucket and the objects in it.

Access control lists (ACLs): ACLs grant read and write permissions to authorized users for individual buckets and objects.

As you can see S3 is not only used to store your data it has functionalities beyond that. Oh, right let’s finally get into some serious business and let’s build and securely configure an S3 bucket with a reusable Terraform template.

There are a few standards of security configurations that you are probably using every time you create an S3 bucket thus I will not touch those. Instead, I will share with you those that I haven’t seen that often and are powerful settings for securing your bucket(s).

Security bucket list:

S3 block public access: This feature provides access only to the bucket(s) owner and AWS services with public policy attached to it.

S3 bucket logging unable: This feature is great for auditing your bucket(s).

S3 block public policy: This feature protects your bucket from accidentally getting a policy that would enable public access.

S3 objects version: This feature helps you to maintain, regain, and reinstate the versions of every object stored in your bucket(s).

If you know of other not commonly used S3 features please share in the comments below.

Terraform code previous:

resource "aws_s3_bucket" "secure_bucket" {
  bucket        = var.bucket_name
  force_destroy = false

  tags = {
    Name        = "secure-bucket"
    Environment = "Dev"


resource "aws_s3_bucket_acl" "secure_bucket_acl" {
  bucket =
  acl    = "private"

resource "aws_s3_bucket_versioning" "secure_bucket_versioning" {
  bucket =
  versioning_configuration {
    status = "Enabled"
Enter fullscreen mode Exit fullscreen mode

Now let’s get our hands dirty. Please find the GitHub repository with details of how to run this template here:Link-to-the-repo

Hopefully this was helpful and it will enhance the security of your new S3 buckets.

Thank you for reading.

Top comments (0)