Amazon S3 Adds New Features for Data Security and Compliance

Posted on: Nov 6, 2017

You now have a number of new Amazon S3 features to augment data protection and simplify compliance.

Cross-Region Replication (CRR) can now replicate objects encrypted with AWS Key Management Service managed keys (SSE-KMS) across AWS regions for low-latency data access, regulatory compliance, and operational efficiency.

CRR can also help you protect against malicious or accidental deletion by maintaining a pristine copy of your data in a separate account with a different ownership stack. CRR now supports ownership overwrite, which allows you to grant access to a different destination bucket owner and revoke the source bucket owner's access permission on the replicated objects. This provides separate ownership of your data between the source and destination accounts when you set up CRR across accounts.

It is now easier to ensure encryption of all new objects and to monitor and report on their encryption status. Default Encryption is a bucket-level setting that automatically encrypts objects when they are stored in an S3 bucket, using server-side encryption with S3 managed keys (SSE-S3) or AWS KMS managed keys (SSE-KMS). S3 Inventory reports now include encryption status in their list of objects and object metadata. This is a scheduled report provided on a daily or weekly basis for a bucket or prefix. The addition of encryption status to S3 Inventory lets you see how objects are encrypted, for compliance auditing or other purposes. You can also encrypt the S3 Inventory report itself with SSE-S3 or SSE-KMS.
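As an added example (not AWS's own code or tooling), the script below audits a CSV-formatted S3 Inventory report for objects whose encryption status is NOT-SSE and builds the bucket-level default encryption rule (in the shape that the s3api put-bucket-encryption call accepts) that would stop new unencrypted objects from appearing. The inventory field order, bucket name and report rows are constructed for illustration; a real report's field order comes from the "fileSchema" in its manifest, and CSV reports carry no header row.

```python
"""Audit an S3 Inventory report for unencrypted objects (added example, not AWS code)."""
import csv
import io
from collections import Counter

# Hypothetical field order for this inventory configuration; a real report's
# order is given by the manifest's "fileSchema" (the CSV has no header row).
FILE_SCHEMA = ["Bucket", "Key", "Size", "LastModifiedDate", "EncryptionStatus"]

# Constructed sample report. The encryption status values S3 Inventory emits
# are SSE-S3, SSE-KMS, SSE-C and NOT-SSE.
SAMPLE_REPORT = """\
"example-bucket","reports/2017-11-01.csv","1024","2017-11-01T00:00:00.000Z","SSE-S3"
"example-bucket","exports/customers.parquet","52310","2017-11-02T10:15:00.000Z","SSE-KMS"
"example-bucket","tmp/debug.log","88","2017-11-03T08:00:00.000Z","NOT-SSE"
"example-bucket","uploads/photo.jpg","20481","2017-11-04T12:30:00.000Z","NOT-SSE"
"""


def parse_inventory(report_text, schema=FILE_SCHEMA):
    """Turn the quoted CSV rows of an inventory report into dicts keyed by field name."""
    reader = csv.reader(io.StringIO(report_text))
    return [dict(zip(schema, row)) for row in reader if row]


def unencrypted_keys(records):
    """Keys stored without any server-side encryption."""
    return [r["Key"] for r in records if r["EncryptionStatus"] == "NOT-SSE"]


def encryption_summary(records):
    """Count of objects per encryption status, handy for a compliance report."""
    return dict(Counter(r["EncryptionStatus"] for r in records))


def default_encryption_configuration(kms_key_id=None):
    """Bucket default encryption rule: SSE-S3 (AES256) unless a KMS key id is given.

    This is the document passed to s3api put-bucket-encryption; the key id
    argument is a placeholder supplied by the caller.
    """
    if kms_key_id:
        rule = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        rule = {"SSEAlgorithm": "AES256"}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


if __name__ == "__main__":
    records = parse_inventory(SAMPLE_REPORT)
    print("encryption summary:", encryption_summary(records))
    for key in unencrypted_keys(records):
        print("unencrypted object:", key)
    print("remediation (default encryption):", default_encryption_configuration())
```

Default Encryption only affects objects written after it is enabled, so objects the audit lists as NOT-SSE still need to be re-written (for example copied in place with server-side encryption requested) before the next inventory run shows a clean bucket.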

The AWS console now highlights all publicly accessible S3 buckets. Bucket Permissions Check displays the source of the public access (bucket policy, bucket ACLs, or both). In addition, when you change a bucket policy or bucket ACL, the S3 console analyzes the change and alerts you if it will enable public read or write access on the bucket.

These new features are available in all commercial regions except AWS China (Beijing). Visit the AWS Management Console to get started. To learn more, read the AWS blog post.