Security best practices for S3 Express One Zone - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security best practices for S3 Express One Zone

Amazon S3 Express One Zone provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don't represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful recommendations rather than prescriptions.

Default Block Public Access and Object Ownership settings

To use the S3 Express One Zone storage class, you must use an S3 directory bucket. Directory buckets support S3 Block Public Access and S3 Object Ownership. These S3 features are used to audit and manage access to your buckets and objects.

By default, all Block Public Access settings for directory buckets are enabled. In addition, Object Ownership is set to bucket owner enforced, which means that access control lists (ACLs) are disabled. These settings can't be modified. For more information about these features, see Blocking public access to your Amazon S3 storage and Controlling ownership of objects and disabling ACLs for your bucket.

Note

You can't grant access to individual objects stored in directory buckets; you can grant access only to the directory buckets themselves. The authorization model for S3 Express One Zone is different from the authorization model for Amazon S3. For more information, see CreateSession authorization.

Authentication and authorization

The authentication and authorization mechanisms for S3 Express One Zone differ, depending on whether you are making requests to Zonal endpoint API operations or Regional endpoint API operations. Zonal API operations are object-level (data plane) operations. Regional API operations are bucket-level (control plane) operations.

With S3 Express One Zone, you authenticate and authorize requests to Zonal endpoint API operations through a new session-based mechanism that is optimized to provide the lowest latency. With session-based authentication, the Amazon SDKs use the CreateSession API operation to request temporary credentials that provide low-latency access to your directory bucket. These temporary credentials are scoped to a specific directory bucket and expire after 5 minutes. You can use these temporary credentials to sign Zonal (object level) API calls. For more information, see CreateSession authorization.

Signing requests with S3 Express One Zone credentials

You use your S3 Express One Zone credentials to sign Zonal endpoint (object-level) API requests with Amazon Signature Version 4, with s3express as the service name. When you sign your requests, use the secret key that's returned from CreateSession and also provide the session token in the x-amz-s3session-token header. For more information, see CreateSession.

The Amazon SDKs that support S3 Express One Zone manage credentials and signing on your behalf. We recommend using these SDKs so that they refresh credentials and sign requests for you.

Signing requests with IAM credentials

All Regional (bucket-level) API calls must be authenticated and signed by using Amazon Identity and Access Management (IAM) credentials instead of temporary session credentials. IAM credentials consist of the access key ID and secret access key of an IAM identity. All CopyObject and HeadBucket requests must also be authenticated and signed by using IAM credentials.

To achieve the lowest latency for your Zonal (object-level) operation calls, we recommend using S3 Express One Zone credentials obtained from calling CreateSession to sign your requests, except for requests to CopyObject and HeadBucket.
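The following is an added example, not code from the AWS documentation or SDKs: it applies the credential-selection rules above (session credentials for Zonal calls, IAM credentials for Regional calls and for CopyObject and HeadBucket) and builds Signature Version 4 headers with s3express as the service name and the session token in the x-amz-s3session-token header. The host, key, token and date values are constructed placeholders, and the query string is assumed empty.

```python
# Added example (not code from the AWS docs or SDKs). It picks the credential
# type an operation must use, following the page's rules, and builds SigV4
# headers for a Zonal request with service name "s3express" and the session
# token in x-amz-s3session-token. All key and token values are constructed.
import hashlib
import hmac

REGIONAL_OPS = {"CreateBucket", "DeleteBucket", "DeleteBucketPolicy",
                "PutBucketPolicy", "GetBucketPolicy", "ListDirectoryBuckets"}
IAM_ONLY_ZONAL = {"CopyObject", "HeadBucket"}  # never signed with session creds

def credential_type(operation):
    """'iam' for Regional ops and for CopyObject/HeadBucket, 'session' otherwise."""
    if operation in REGIONAL_OPS or operation in IAM_ONLY_ZONAL:
        return "iam"
    return "session"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_zonal_request(method, host, path, payload, access_key, secret_key,
                       session_token, region, amz_date):
    """Return headers signed with SigV4 for the s3express service.
    `path` must already be URI-encoded, `amz_date` looks like 20240101T000000Z,
    and the query string is assumed empty to keep the example short."""
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {  # every header here is signed, so the token is covered too
        "host": host,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        "x-amz-s3session-token": session_token,  # SessionToken from CreateSession
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, signed, payload_hash])
    scope = f"{date_stamp}/{region}/s3express/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> aws4_request.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), "s3express"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

Because the token header is part of SignedHeaders, a request whose token is altered in transit fails signature validation rather than being accepted with a different session.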

Use Amazon CloudTrail

Amazon CloudTrail provides a record of the actions taken by a user, a role, or an Amazon Web Service in Amazon S3. You can use information collected by CloudTrail to determine the following:

  • The request that was made to Amazon S3

  • The IP address from which the request was made

  • Who made the request

  • When the request was made

  • Additional details about the request

When you set up your Amazon Web Services account, CloudTrail is enabled by default. The following Regional endpoint (bucket-level, or control plane) API operations are logged to CloudTrail.

  • CreateBucket

  • DeleteBucket

  • DeleteBucketPolicy

  • PutBucketPolicy

  • GetBucketPolicy

  • ListDirectoryBuckets

You can view recent events in the CloudTrail console. To create an ongoing record of activity and events for your Amazon S3 buckets, you can create a trail in the CloudTrail console. For more information, see Creating a trail in the Amazon CloudTrail User Guide.

Note

For S3 Express One Zone, CloudTrail logging of Zonal endpoint (object-level, or data plane) API operations (for example, PutObject or GetObject) is not supported.
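As an added example (not part of the AWS documentation), the following triage routine works over constructed CloudTrail records in the shape CloudTrail emits: it keeps only the directory bucket control-plane events listed above, separates the ones that change access or delete the bucket, and reports who, from which IP, and when, as the section describes. It also checks a list of detection-rule event names against what is actually logged, so a rule that depends on object-level events such as PutObject or GetObject is called out as blind rather than silently never firing. The record contents are constructed sample data.

```python
# Added example, not from the AWS docs: triage CloudTrail records for the
# control-plane events the page says are logged for directory buckets, and
# flag detection rules that rely on events CloudTrail never records here.
# SAMPLE_RECORDS is constructed sample data in CloudTrail's record shape.
import json

LOGGED_EVENTS = {"CreateBucket", "DeleteBucket", "DeleteBucketPolicy",
                 "PutBucketPolicy", "GetBucketPolicy", "ListDirectoryBuckets"}
# Events that change access control or remove the bucket are reviewed first.
HIGH_IMPACT = {"DeleteBucket", "DeleteBucketPolicy", "PutBucketPolicy"}

SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "PutBucketPolicy",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "GetBucketPolicy",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "DeleteBucket",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci"},
     "requestParameters": {"bucketName": "example-bucket"}},
]})

def triage(records_json):
    """Return (high_impact, other) lists of summaries: what, which bucket,
    who, from where, and when, in the order the records were logged."""
    high, other = [], []
    for r in json.loads(records_json)["Records"]:
        name = r.get("eventName")
        if name not in LOGGED_EVENTS:
            continue  # not a directory bucket control-plane event
        summary = {
            "event": name,
            "bucket": r.get("requestParameters", {}).get("bucketName"),
            "who": r.get("userIdentity", {}).get("arn"),
            "ip": r.get("sourceIPAddress"),
            "when": r.get("eventTime"),
        }
        (high if name in HIGH_IMPACT else other).append(summary)
    return high, other

def uncovered(rule_event_names):
    """Event names a detection rule expects that CloudTrail does not log for
    directory buckets (for example PutObject or GetObject)."""
    return [n for n in rule_event_names if n not in LOGGED_EVENTS]
```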

Implement monitoring by using Amazon monitoring tools

Monitoring is an important part of maintaining the reliability, security, availability, and performance of Amazon S3 and your Amazon solutions. Amazon provides several tools and services to help you monitor Amazon S3 and your other Amazon Web Services. For example, you can monitor Amazon CloudWatch metrics for Amazon S3, particularly the BucketSizeBytes and NumberOfObjects storage metrics.

Objects stored in the S3 Express One Zone storage class aren't counted in the BucketSizeBytes and NumberOfObjects storage metrics reported for Amazon S3. The same two metrics are, however, published separately for S3 Express One Zone. To see the metrics you want, specify a StorageType dimension, which distinguishes the S3 Express One Zone storage class from the other Amazon S3 storage classes. For more information, see Monitoring metrics with Amazon CloudWatch.

For more information, see Monitoring metrics with Amazon CloudWatch and Monitoring Amazon S3.