Infrastructure security in Amazon S3
As a managed service, Amazon S3 is protected by the Amazon global network security procedures that are described in the security pillar of the Amazon Well-Architected Framework.
Access to Amazon S3 via the network is through Amazon published APIs. Clients must support
Transport Layer Security (TLS) 1.2. We recommend also supporting TLS 1.3. (For more
information about this recommendation, see Faster Amazon cloud connections with TLS 1.3
These APIs are callable from any network location. However, Amazon S3 does support resource-based access policies, which can include restrictions based on the source IP address. You can also use Amazon S3 bucket policies to control access to buckets from specific virtual private cloud (VPC) endpoints, or specific VPCs. Effectively, this isolates network access to a given Amazon S3 bucket from only the specific VPC within the Amazon network. For more information, see Controlling access from VPC endpoints with bucket policies.
The following security best practices also address infrastructure security in Amazon S3: