Storage & Data Security

Cloud Storage Security Fundamentals


Cloud storage services are the most common source of data breaches. With 31% of S3 buckets publicly accessible and 46% potentially misconfigured, storage security requires immediate attention.

The Storage Breach Epidemic

Storage misconfigurations have caused some of the largest data exposures:

| Incident | Year | Records Exposed | Root Cause |
|---|---|---|---|
| Capital One | 2019 | 100+ million | SSRF + S3 access |
| Facebook | 2019 | 540 million | Public S3 buckets |
| Football Australia | 2024 | 127 containers | Misconfigured S3 |

Key statistics:

  • 31% of S3 buckets are publicly accessible (Qualys)
  • 46% of S3 buckets could be misconfigured and unsafe
  • Storage misconfigurations are the #1 cause of cloud data exposure

Storage Services Comparison

| Feature | AWS S3 | Azure Blob | GCP Cloud Storage |
|---|---|---|---|
| Default access | Private (since 2023) | Private | Private |
| Encryption at rest | SSE-S3, SSE-KMS, SSE-C | Microsoft-managed, CMK | Google-managed, CMEK |
| Access control | Bucket policies, ACLs, IAM | RBAC, SAS tokens, ACLs | IAM, ACLs |
| Versioning | Supported | Soft delete, versioning | Object versioning |
| Logging | Server access logging | Diagnostic logs | Cloud Audit Logs |

AWS S3 Security Deep Dive

Access Control Layers

S3 has multiple, overlapping access control mechanisms:

┌─────────────────────────────────────────────────────────┐
│                     Block Public Access                  │
│         (Account-level and bucket-level override)        │
├─────────────────────────────────────────────────────────┤
│                      Bucket Policy                       │
│              (Resource-based permissions)                │
├─────────────────────────────────────────────────────────┤
│                     IAM Policies                         │
│              (Identity-based permissions)                │
├─────────────────────────────────────────────────────────┤
│                         ACLs                             │
│           (Legacy, avoid for new buckets)                │
└─────────────────────────────────────────────────────────┘

Block Public Access Settings

The most important S3 security feature (enabled by default since 2023):

```bash
# Check block public access settings
aws s3api get-public-access-block --bucket my-bucket

# Enable all four block public access settings (CIS recommended)
aws s3api put-public-access-block --bucket my-bucket \
    --public-access-block-configuration \
    BlockPublicAcls=true,\
    IgnorePublicAcls=true,\
    BlockPublicPolicy=true,\
    RestrictPublicBuckets=true
```

Secure Bucket Policy Example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "RequireEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
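As an added example (not code from the lesson), the Python below audits a bucket policy document for the two Deny statements above and for any unconditional Allow to everyone, and checks a `PublicAccessBlockConfiguration` (as returned by `get-public-access-block`) against the four settings the CLI command enables. One caveat the RequireEncryption statement carries: it rejects any PutObject that omits the `s3:x-amz-server-side-encryption` header, so clients relying on the bucket's default encryption must still send the header. The sample policy is constructed; its PublicRead statement exists only to be flagged.

```python
import json

# Constructed sample: the page's two Deny statements plus one public-read
# statement added so the audit has something to flag.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "RequireEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
]})

# The four settings the page's put-public-access-block command turns on.
CIS_BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard_principal(principal):
    # Both "*" and {"AWS": "*"} mean "everyone, including anonymous callers".
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def audit_bucket_policy(policy_json):
    """Findings for a bucket policy document; [] means both page controls are
    present and nothing grants unconditional access to everyone."""
    findings, saw_tls_deny, saw_sse_deny = [], False, False
    for stmt in json.loads(policy_json).get("Statement", []):
        cond, effect = stmt.get("Condition", {}), stmt.get("Effect")
        if effect == "Deny" and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            saw_tls_deny = True
        if effect == "Deny" and cond.get("Null", {}).get("s3:x-amz-server-side-encryption") == "true":
            saw_sse_deny = True
        if effect == "Allow" and is_wildcard_principal(stmt.get("Principal")) and not cond:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: unconditional Allow to everyone")
    if not saw_tls_deny:
        findings.append("no Deny for aws:SecureTransport=false (plain HTTP accepted)")
    if not saw_sse_deny:
        findings.append("no Deny for PutObject without s3:x-amz-server-side-encryption")
    return findings

def public_access_block_gaps(config):
    """Block Public Access settings still off, given the PublicAccessBlockConfiguration
    dict that get-public-access-block returns (missing keys count as off)."""
    return [k for k in CIS_BLOCK_SETTINGS if config.get(k) is not True]
```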

Azure Blob Storage Security

Access Control Options

┌─────────────────────────────────────────────────────────┐
│                    Azure RBAC                            │
│         (Management plane + data plane access)           │
├─────────────────────────────────────────────────────────┤
│                  Access Keys                             │
│         (Full account access - avoid in production)      │
├─────────────────────────────────────────────────────────┤
│              Shared Access Signatures (SAS)              │
│         (Time-limited, scoped access tokens)             │
├─────────────────────────────────────────────────────────┤
│             Microsoft Entra ID Authentication            │
│              (Preferred for applications)                │
└─────────────────────────────────────────────────────────┘

Secure Access Configuration

```bash
# Disable storage account key access (use Entra ID instead)
az storage account update \
    --name mystorageaccount \
    --resource-group myRG \
    --allow-shared-key-access false

# Enable infrastructure encryption (double encryption);
# this can only be set when the account is created
az storage account create \
    --name mystorageaccount \
    --resource-group myRG \
    --require-infrastructure-encryption
```
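The diagram above describes SAS tokens as time-limited, scoped access; the added example below (not from the lesson) reviews a SAS URL for the properties that undermine that: a long lifetime, `spr` permitting plain HTTP, an account-level SAS instead of one scoped to a container or blob, write-class permissions, and no `sip` IP restriction. The 24-hour lifetime threshold and the sample URLs (with a fake signature) are assumptions for the demonstration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample: a long-lived account SAS with write permissions and HTTP
# allowed, i.e. most of what a review should catch. The signature is fake.
SAMPLE_SAS_URL = ("https://mystorageaccount.blob.core.windows.net/reports?"
                  "sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&st=2024-01-01T00:00:00Z"
                  "&se=2035-01-01T00:00:00Z&spr=https,http&sig=FAKESIGNATURE")

MAX_LIFETIME_HOURS = 24      # assumed policy threshold, not from the page
WRITE_PERMS = set("wdacxy")  # write, delete, add, create, delete-version, permanent-delete

def _parse_time(value):
    # SAS times are ISO 8601 UTC; "Z" is not accepted by fromisoformat before 3.11.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def review_sas(url, now=None, max_hours=MAX_LIFETIME_HOURS):
    """Findings for one SAS URL; [] means it is short-lived, scoped and HTTPS-only."""
    now = _parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "se" not in q:
        return ["not a SAS URL (no sig/se parameter)"]
    findings = []
    expiry = _parse_time(q["se"])
    if expiry <= now:
        findings.append("already expired")
    elif (expiry - now).total_seconds() > max_hours * 3600:
        findings.append(f"lifetime exceeds {max_hours}h (se={q['se']})")
    if "http" in q.get("spr", "https").split(","):
        findings.append("spr permits plain HTTP")
    if "ss" in q or "srt" in q:
        findings.append("account SAS (ss/srt): not scoped to a single container or blob")
    granted = WRITE_PERMS & set(q.get("sp", ""))
    if granted:
        findings.append(f"grants write-class permissions: {''.join(sorted(granted))}")
    if "sip" not in q:
        findings.append("no sip (IP range) restriction")
    return findings
```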

GCP Cloud Storage Security

IAM vs ACLs

GCP recommends uniform bucket-level access, which disables ACLs so that IAM is the only access control on the bucket:

```bash
# Enable uniform bucket-level access
gcloud storage buckets update gs://my-bucket --uniform-bucket-level-access

# Verify IAM policy
gcloud storage buckets get-iam-policy gs://my-bucket
```

Secure Bucket Configuration

```bash
# Create bucket with security settings
# (--public-access-prevention is a boolean flag in gcloud storage; it sets
#  the bucket to "enforced" rather than inheriting the org policy setting)
gcloud storage buckets create gs://my-secure-bucket \
    --location=us-central1 \
    --uniform-bucket-level-access \
    --public-access-prevention
```
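To act on the "Verify IAM policy" step, here is an added example (not the lesson's code) that reads the JSON form of a bucket IAM policy and flags bindings granted to `allUsers` or `allAuthenticatedUsers` (the latter is any Google account, not just your organisation) as well as basic roles such as `roles/editor` on a bucket. The sample policy is constructed in the shape `gcloud storage buckets get-iam-policy gs://my-bucket --format=json` prints.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy: one public binding and one basic-role binding
# alongside a legitimate service-account binding.
SAMPLE_IAM_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
    ],
    "etag": "BwXyz123=", "version": 1,
})

def audit_bucket_iam(policy_json):
    """Findings for a bucket IAM policy; [] means no public or basic-role bindings."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        public = sorted(PUBLIC_MEMBERS & set(members))
        if public:
            # An IAM condition narrows the grant but does not make it non-public.
            scope = "conditional" if "condition" in binding else "unconditional"
            findings.append(f"{role}: {scope} grant to {', '.join(public)}")
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role on a bucket; prefer roles/storage.*")
    return findings
```

With public access prevention enforced on the bucket, the public bindings this reports are rejected at write time; the audit is most useful for buckets created before that setting was applied.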

Storage Security Checklist

| Control | AWS S3 | Azure Blob | GCP Storage |
|---|---|---|---|
| Block public access | ✓ Enable | ✓ Private containers | ✓ Public access prevention |
| Encryption at rest | ✓ SSE-KMS | ✓ CMK in Key Vault | ✓ CMEK |
| Encryption in transit | ✓ HTTPS-only policy | ✓ Require secure transfer | ✓ Always encrypted |
| Access logging | ✓ Server access logs | ✓ Diagnostic settings | ✓ Cloud Audit Logs |
| Versioning | ✓ Enable | ✓ Soft delete + versioning | ✓ Object versioning |
| Lifecycle policies | ✓ Transition to Glacier | ✓ Move to cool/archive | ✓ Nearline/Coldline |

Next, we'll dive deeper into the encryption options for protecting data at rest and in transit.
