
What are the best practices to securely store/access SaaS customer data on Amazon S3?


To all those SaaS engineers/developers out there ...

I am building a SaaS product which will store customer data on S3. I wonder what is the best approach regarding security?

  • Have a single IAM user with a bucket policy. That would be simple but data security is handled purely by the SaaS app. In case of a glitch, other users could have access to restricted material.
  • What about creating an IAM user (via IAM REST API) for each new customer account and having object specific ACL for each stored object? More complex but it adds a layer of security in S3 as well.
  • Any other way?

Also, to provide access to the material via the SaaS app, I plan to have each object's 'readable name' replaced with a GUID so that it cannot be easily guessed, and to use pre-signed URLs with a time limit to see and download them. Is that a best practice? What time limit is considered safe and user-friendly?

Thanks


Solution

  • You should never generate AWS IAM Users for "end-users" of your application (option 2). IAM grants permission to call AWS APIs and the end-users of your application should never need to call an API.

    Information stored in Amazon S3 should be available to your SaaS application via standard methods:

    • Create an IAM Role for your application
    • Select the IAM Role when launching Amazon EC2 instances that run your application
    • Any code running on the Amazon EC2 instances that uses the AWS SDK will know how to automatically access credentials via the EC2 instance metadata service

    If you wish to serve content from Amazon S3 directly to users of the application, generate Amazon S3 pre-signed URLs that provide time-limited access to objects stored in S3 buckets. A 15-minute expiry duration could be a good trade-off between security and users who pause to take a phone call, but that timing is up to you.

    Your S3 bucket should not have a bucket policy because all access will be via permissions granted to the IAM Role, or via pre-signed URLs.

    The use of randomized GUIDs as filenames is irrelevant because you will have proper security rather than obfuscation.
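As an added example (not code from the question or the answer), here is the pre-signed URL mechanism the answer recommends, reimplemented with the Python standard library so the mechanics are visible: the expiry is part of the signed query string, so a client cannot extend it without invalidating the signature, and S3 enforces it server-side against X-Amz-Date. In production you would call the SDK (for example boto3's `generate_presigned_url`) with the instance role's credentials rather than sign by hand; the bucket name, object key and placeholder credentials below are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder credentials. On EC2 the SDK obtains the IAM role's
# temporary credentials from the instance metadata service; they never belong
# in application configuration.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ISO = "%Y-%m-%dT%H:%M:%SZ"   # timestamps are passed as UTC strings


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, signed_at_iso, expires=900):
    """SigV4 query-string presigned GET, valid for `expires` seconds (default 15 min)."""
    t = datetime.strptime(signed_at_iso, ISO)
    amz_date = t.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{t:%Y%m%d}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    # Expiry, date and scope are all covered by the signature: editing
    # X-Amz-Expires in the URL breaks the signature instead of extending access.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    enc = lambda s: quote(s, safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _hmac(("AWS4" + SECRET_KEY).encode(), f"{t:%Y%m%d}")   # derive the signing key
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def seconds_remaining(url, now_iso):
    """Mirror S3's server-side check: seconds until the URL stops working (negative = expired)."""
    q = parse_qs(urlparse(url).query)
    signed_at = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    deadline = signed_at + timedelta(seconds=int(q["X-Amz-Expires"][0]))
    return int((deadline - datetime.strptime(now_iso, ISO)).total_seconds())
```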