
New S3 Security and Encryption Features - jeffbarr
https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/
======
guitarbill
> Permission Checks – The S3 Console now displays a prominent indicator next
> to each S3 bucket that is publicly accessible.

> Default Encryption – You can now mandate that all objects in a bucket must
> be stored in encrypted form without having to construct a bucket policy that
> rejects objects that are not encrypted.

Given how many companies lost data through misconfigured S3 buckets, and how
easy it is to do, these two seem like a good idea.

~~~
toomuchtodo
Companies should be using auto-remediation with AWS Config and Lambda to
detect any S3 bucket that is publicly available and immediately remove that
access unless the bucket is whitelisted. An indicator is nice, but if your
policy doesn't exist as code, it doesn't exist.

Disclaimer: We built this at my current org to prevent people from cutting
their fingers off with self-service S3 access across application development
teams.
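
An added example of the auto-remediation pattern described in the comment above: it is not toomuchtodo's code or anything from the AWS blog post, and it assumes a Config custom rule invoking a Lambda whose event carries a `configurationItem` for an `AWS::S3::Bucket`. The bucket counts as public if its ACL grants to AllUsers/AuthenticatedUsers or if `GetBucketPolicyStatus` reports the policy public; non-allowlisted public buckets are closed with `PutPublicAccessBlock` (an S3 API released after this post, used here instead of rewriting the offending ACL or policy). The `FakeS3` client and allowlist are constructed so the decision logic runs offline.

```python
import json

# Constructed allowlist: buckets that are intentionally public (static sites etc.).
ALLOWLISTED_BUCKETS = {"example-public-website-assets"}

# ACL grantee groups that make a bucket readable or writable by the world.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def acl_is_public(acl):
    """True if any ACL grant goes to the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False


def bucket_is_public(s3, bucket):
    """Check both ways a bucket becomes public: its ACL and its bucket policy."""
    if acl_is_public(s3.get_bucket_acl(Bucket=bucket)):
        return True
    try:
        status = s3.get_bucket_policy_status(Bucket=bucket)
    except Exception as exc:  # boto3 raises ClientError(NoSuchBucketPolicy) if no policy is attached
        if "NoSuchBucketPolicy" not in str(exc):
            raise
        return False
    return bool(status.get("PolicyStatus", {}).get("IsPublic"))


def remediate_bucket(s3, bucket, allowlist=ALLOWLISTED_BUCKETS):
    """Decide and apply remediation; returns the action taken so it can be logged."""
    if not bucket_is_public(s3, bucket):
        return "compliant"
    if bucket in allowlist:
        return "allowlisted"
    # One call blocks public ACLs and public policies at the bucket level,
    # rather than trying to edit whatever grant or statement opened it up.
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC_ACCESS
    )
    return "remediated"


def bucket_from_config_event(event):
    """Extract the bucket name from an AWS Config custom-rule invocation (simplified shape)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item.get("resourceType") != "AWS::S3::Bucket":
        return None
    return item["resourceName"]


def lambda_handler(event, context):
    import boto3  # imported here so the decision logic above is testable without AWS credentials

    bucket = bucket_from_config_event(event)
    if bucket is None:
        return {"action": "ignored"}
    action = remediate_bucket(boto3.client("s3"), bucket)
    print(json.dumps({"bucket": bucket, "action": action}))
    return {"bucket": bucket, "action": action}


class FakeS3:
    """Constructed stand-in for a boto3 S3 client, for running this offline."""

    def __init__(self, acl_public=False, policy_public=False, has_policy=True):
        self.calls = []
        world = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
        owner = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
        self._acl = {"Grants": [{"Grantee": world if acl_public else owner, "Permission": "READ"}]}
        self._policy_public, self._has_policy = policy_public, has_policy

    def get_bucket_acl(self, Bucket):
        return self._acl

    def get_bucket_policy_status(self, Bucket):
        if not self._has_policy:
            raise Exception("An error occurred (NoSuchBucketPolicy) when calling GetBucketPolicyStatus")
        return {"PolicyStatus": {"IsPublic": self._policy_public}}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.calls.append((Bucket, PublicAccessBlockConfiguration))


if __name__ == "__main__":
    demo = FakeS3(acl_public=True)
    print("leaky-bucket:", remediate_bucket(demo, "leaky-bucket"), demo.calls)
```

In a real deployment the handler would also report the result back with `config.put_evaluations`, and the allowlist would live in a parameter store or tags rather than a constant, but the shape of the check is the same: evaluate ACL and policy, skip the known exceptions, close everything else.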

~~~
guitarbill
> Companies should be

Yes well, but they aren't - so these improvements are at least pragmatic.

------
mrguyorama
It has been a while since I've touched S3 buckets. Are they private by
default? Should they be?

