Unmatched security, compliance, and audit capabilities

Store your data in Amazon S3 and secure it from unauthorized access with encryption features and access management tools. S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level with S3 Block Public Access. S3 maintains compliance programs, such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA, to help you meet regulatory requirements. AWS also supports numerous auditing capabilities to monitor access requests to your S3 resources.

Deep dive on Amazon S3 Security and Management

Amazon S3 security and access management

To protect your data in Amazon S3, by default, users only have access to the S3 resources they create. You can grant access to other users by using one or a combination of the following access management features: AWS Identity and Access Management (IAM) to create users and manage their respective access; Access Control Lists (ACLs) to make individual objects accessible to authorized users; bucket policies to configure permissions for all objects within a single S3 bucket; and Query String Authentication to grant time-limited access to others with temporary URLs. Amazon S3 also supports Audit Logs that list the requests made against your S3 resources for complete visibility into who is accessing what data.

Block Public Access

With a few clicks in the S3 management console, you can apply S3 Block Public Access to every bucket in your account – both existing and any new buckets created in the future – and make sure that there is no public access to any object. S3 Block Public Access settings override S3 permissions that allow public access, making it easy for the account administrator to set up a centralized control to prevent variation in security configuration regardless of how an object is added or a bucket is created.

Object Lock

Amazon S3 Object Lock blocks object version deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance. You can migrate workloads from existing write-once-read-many (WORM) systems into Amazon S3, and configure S3 Object Lock at the object- and bucket-levels to prevent object version deletions prior to pre-defined Retain Until Dates or Legal Hold Dates.

AWS Trusted Advisor

Trusted Advisor inspects your AWS environment and then makes recommendations when opportunities exist to help close security gaps. 

Trusted Advisor has the following Amazon S3-related checks: logging configuration of Amazon S3 buckets,  security checks for Amazon S3 buckets that have open access permissions. fault tolerance checks for Amazon S3 buckets that don't have versioning enabled, or have versioning suspended.

Amazon Macie

Discover and protect sensitive data at scale in Amazon S3 with Amazon Macie. Macie automatically provides you with a full inventory of your S3 buckets by scanning buckets  to identify and categorize the data. You receive actionable security findings enumerating any data that fits these sensitive data types, including PII (e.g. customer names and credit cards numbers), and categories defined by privacy regulations, such as GDPR and HIPAA. Macie also automatically and continually evaluates bucket-level preventative controls for any buckets that are unencrypted, publicly accessible, or shared with accounts outside of your organization, allowing you to quickly address unintended settings on buckets.


Amazon S3 offers flexible security features to block unauthorized users from accessing your data. Use VPC endpoints to connect to S3 resources from your Amazon Virtual Private Cloud (Amazon VPC). Amazon S3 supports both server-side encryption (with three key management options: SSE-KMS, SSE-C, SSE-S3) and client-side encryption for data uploads. Use S3 Inventory to check the encryption status of your S3 objects (see storage management for more information on S3 Inventory).

Identity and Access Management

By default, all Amazon S3 resources—buckets, objects, and related subresources —are private: only the resource owner, an AWS account that created it, can access the resource. Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. For more information, see Introduction to Managing Access Permissions to Your Amazon S3 Resources

Security and access management tutorial videos

At creation and by default, all S3 resources are private and can only be accessed by the resource owner or account administrator. This security design lets you configure finely-tuned access policies that align to organizational, governance, security, and compliance requirements. You can use S3 Block Public Access to restrict all access requests to your data. S3 also lets you chose among different encryption options. Watch the videos below to learn more.

Access management and security

Introduction to S3 access management and security

S3 Encryption options

S3 encryption options

Developer guide: Protecting data using encryption »
(with details for server-side and client-side options)

S3 Security blogs

AWS News Blog

Amazon Macie now with substantially reduced pricing

Amazon Macie is a fully managed service that helps you discover and protect your sensitive data, using machine learning to automatically spot and classify data for you. Now with simplified pricing: you are now charged based on the number of S3 buckets that are evaluated, and the amount of data processed for sensitive data discovery jobs. 

Read the blog »

AWS News Blog

S3 Block Public Access - Protection for accounts and buckets

Amazon S3 Block Public Access provides a new level of protection that works at the account level and also on individual buckets, including those that you create in the future. You have the ability to block existing public access (whether it was specified by an ACL or a policy) and to ensure that public access is not granted to newly created items.

Read the blog »

Werner Vogels' Blog

Providing security at scale with automated reasoning

Zelkova powers the Amazon S3 Block Public Access feature. Block Public Access disables public access control lists (ACLs) on buckets and objects in Amazon S3. It also prevents bucket policies that would allow public access. For existing policies that allow public access, the feature disallows access from outside of the bucket's account.

Read the blog »

AWS Storage Blog

Amazon S3 Block Public Access and S3 Object Lock

One of the reasons S3 has been so successful is our focus on data security right from the beginning. We continuously invest to raise the bar on security for storage, and work with customers to meet ever-increasing security needs while holding true to our mission to keep storage simple.

Read the blog »
Learn More About Amazon S3

Learn about Amazon S3 features.

Learn more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building with Amazon S3 in the AWS Management Console.

Sign in