A significant share of AWS security incidents starts with S3. From 2017 to 2022, about 35% of publicly disclosed data breaches were related to misconfigured S3 buckets. Verizon, Twitch, Toyota, GoDaddy — companies you know by name exposed tens of millions of records of personal information through S3 configuration mistakes. This day is about understanding the layered structure of the S3 security model, digging into the technical differences among encryption methods, and pointing out the traps that commonly arise in practice.
A request to S3 is evaluated in the following order