Storage & Data Security
Cloud Storage Security Fundamentals
Cloud storage services are the most common source of data breaches. With 31% of S3 buckets publicly accessible and 46% potentially misconfigured, storage security requires immediate attention.
The Storage Breach Epidemic
Storage misconfigurations have caused some of the largest data exposures:
| Incident | Year | Records Exposed | Root Cause |
|---|---|---|---|
| Capital One | 2019 | 100+ million | SSRF + S3 access |
| | 2019 | 540 million | Public S3 buckets |
| Football Australia | 2024 | 127 containers | Misconfigured S3 |
Key statistics:
- 31% of S3 buckets are publicly accessible (Qualys)
- 46% of S3 buckets could be misconfigured and unsafe
- Storage misconfigurations are the #1 cause of cloud data exposure
Storage Services Comparison
| Feature | AWS S3 | Azure Blob | GCP Cloud Storage |
|---|---|---|---|
| Default access | Private (since 2023) | Private | Private |
| Encryption at rest | SSE-S3, SSE-KMS, SSE-C | Microsoft-managed, CMK | Google-managed, CMEK |
| Access control | Bucket policies, ACLs, IAM | RBAC, SAS tokens, ACLs | IAM, ACLs |
| Versioning | Supported | Soft delete, versioning | Object versioning |
| Logging | Server access logging | Diagnostic logs | Cloud Audit Logs |
AWS S3 Security Deep Dive
Access Control Layers
S3 has multiple, overlapping access control mechanisms; a request must pass every layer that applies:
```
┌────────────────────────────────────────────┐
│ Block Public Access                        │
│ (Account-level and bucket-level override)  │
├────────────────────────────────────────────┤
│ Bucket Policy                              │
│ (Resource-based permissions)               │
├────────────────────────────────────────────┤
│ IAM Policies                               │
│ (Identity-based permissions)               │
├────────────────────────────────────────────┤
│ ACLs                                       │
│ (Legacy, avoid for new buckets)            │
└────────────────────────────────────────────┘
```
Block Public Access Settings
The most important S3 security feature (enabled by default for new buckets since 2023; existing buckets keep whatever they had):
```bash
# Check block public access settings
aws s3api get-public-access-block --bucket my-bucket

# Enable all four block public access settings (CIS recommended)
aws s3api put-public-access-block --bucket my-bucket \
  --public-access-block-configuration \
  BlockPublicAcls=true,\
IgnorePublicAcls=true,\
BlockPublicPolicy=true,\
RestrictPublicBuckets=true
```
Secure Bucket Policy Example
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "RequireEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
The first statement blocks plaintext HTTP for every operation on the bucket and its objects. The second rejects any PutObject that omits the `x-amz-server-side-encryption` header; since S3 now applies SSE-S3 to new objects by default, keep this statement only if you want callers to set the header explicitly (for example to insist on SSE-KMS), because it will also reject uploads that rely on default encryption.
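An offline posture check that ties the two S3 controls above together: it verifies the four Block Public Access settings and reviews a bucket policy for unconditional public Allow statements and for the missing `aws:SecureTransport` deny. This is an added example, not AWS code; the inputs are constructed dicts shaped like the `s3api` output and the policy on this page.

```python
"""Offline posture check for one S3 bucket (added example, not AWS code).
Inputs are constructed dicts shaped like get-public-access-block output
and a bucket policy document; nothing here calls the AWS API."""

# CIS recommends that all four Block Public Access settings be true.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # "*" or {"AWS": "*"} means any caller, including anonymous ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_bucket(pab, policy):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = [f"PublicAccessBlock.{k} is not enabled"
                for k in PAB_KEYS if not pab.get(k, False)]
    has_tls_deny = False
    for st in _as_list(policy.get("Statement", [])):
        cond = st.get("Condition", {})
        public = _is_wildcard_principal(st.get("Principal"))
        if st.get("Effect") == "Allow" and public and not cond:
            findings.append(f"statement {st.get('Sid', '?')} grants unconditional public access")
        tls = cond.get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") == "Deny" and public and str(tls).lower() == "false":
            has_tls_deny = True  # the DenyInsecureTransport pattern shown above
    if not has_tls_deny:
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP allowed)")
    return findings


# Constructed inputs modelled on this page's examples (not live API output).
GOOD_PAB = dict.fromkeys(PAB_KEYS, True)
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
BAD_PAB = {"BlockPublicAcls": True}  # the other three settings left off
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}

if __name__ == "__main__":
    for name, pab, pol in (("good", GOOD_PAB, GOOD_POLICY), ("bad", BAD_PAB, BAD_POLICY)):
        print(f"{name}: {audit_bucket(pab, pol) or 'PASS'}")
```

In practice you would feed `audit_bucket` the JSON from `aws s3api get-public-access-block` and `get-bucket-policy` for each bucket in the account.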
Azure Blob Storage Security
Access Control Options
```
┌────────────────────────────────────────────┐
│ Azure RBAC                                 │
│ (Management plane + data plane access)     │
├────────────────────────────────────────────┤
│ Access Keys                                │
│ (Full account access - avoid in production)│
├────────────────────────────────────────────┤
│ Shared Access Signatures (SAS)             │
│ (Time-limited, scoped access tokens)       │
├────────────────────────────────────────────┤
│ Microsoft Entra ID Authentication          │
│ (Preferred for applications)               │
└────────────────────────────────────────────┘
```
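SAS tokens are only as safe as their scope and lifetime, so a defender's review of any SAS URL found in code or logs should check exactly those fields. The checker below is an added example, not Azure SDK code; the two sample URLs are constructed, their `sig` values are placeholders rather than real signatures, and the one-hour lifetime threshold is an assumed policy value.

```python
"""Review the scope and lifetime of an Azure SAS token from its URL
(added example, not Azure SDK code; sample URLs are constructed)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Permissions that modify data or policy; r (read), l (list), f, t are read-class.
WRITE_PERMS = set("wdacupxyi")
# Fixed clock so the results are reproducible (assumed review time).
REVIEW_TIME = datetime(2026, 1, 1, tzinfo=timezone.utc)


def review_sas(url, now=None, max_lifetime=timedelta(hours=1)):
    """Return findings about an over-broad or long-lived SAS; empty means acceptable."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "se" not in q:
        return ["not a SAS URL: sig or se parameter missing"]
    findings = []
    expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:            # date-only expiries carry no offset
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= now:
        findings.append("token already expired")
    elif expiry - now > max_lifetime:
        findings.append(f"lifetime {expiry - now} exceeds {max_lifetime}")
    granted = set(q.get("sp", "")) & WRITE_PERMS
    if granted:
        findings.append(f"write-class permissions granted: {''.join(sorted(granted))}")
    if "s" in q.get("srt", ""):          # account SAS resource types: s, c, o
        findings.append("account SAS covers service-level operations (srt includes s)")
    if "http" in q.get("spr", "https,http").split(","):  # Azure default when spr is omitted
        findings.append("plain HTTP permitted (spr includes http)")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    return findings


# Constructed samples; sig values are placeholders, not valid signatures.
BROAD_SAS = ("https://mystorageaccount.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
             "&sp=rwdlacupx&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")
SCOPED_SAS = ("https://mystorageaccount.blob.core.windows.net/reports/q1.csv?sv=2022-11-02"
              "&sr=b&sp=r&st=2026-01-01T00:00:00Z&se=2026-01-01T00:30:00Z&spr=https"
              "&sip=203.0.113.5&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("broad", BROAD_SAS), ("scoped", SCOPED_SAS)):
        print(label, review_sas(url, now=REVIEW_TIME) or "OK")
```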
Secure Access Configuration
```bash
# Disable storage account key access (use Entra ID instead)
az storage account update \
  --name mystorageaccount \
  --resource-group myRG \
  --allow-shared-key-access false

# Enable infrastructure encryption (double encryption); can only be set at creation
az storage account create \
  --name mystorageaccount \
  --resource-group myRG \
  --require-infrastructure-encryption
```
GCP Cloud Storage Security
IAM vs ACLs
GCP recommends uniform bucket-level access, which disables object ACLs so IAM is the only access control on the bucket:
```bash
# Enable uniform bucket-level access
gcloud storage buckets update gs://my-bucket --uniform-bucket-level-access

# Verify IAM policy
gcloud storage buckets get-iam-policy gs://my-bucket
```
Secure Bucket Configuration
```bash
# Create bucket with security settings
# (--public-access-prevention is a boolean flag in gcloud storage; it sets PAP to "enforced")
gcloud storage buckets create gs://my-secure-bucket \
  --location=us-central1 \
  --uniform-bucket-level-access \
  --public-access-prevention
```
Storage Security Checklist
| Control | AWS S3 | Azure Blob | GCP Storage |
|---|---|---|---|
| Block public access | ✓ Enable | ✓ Private containers | ✓ Public access prevention |
| Encryption at rest | ✓ SSE-KMS | ✓ CMK in Key Vault | ✓ CMEK |
| Encryption in transit | ✓ HTTPS only policy | ✓ Require secure transfer | ✓ Always encrypted |
| Access logging | ✓ Server access logs | ✓ Diagnostic settings | ✓ Cloud Audit Logs |
| Versioning | ✓ Enable | ✓ Soft delete + versioning | ✓ Object versioning |
| Lifecycle policies | ✓ Transition to Glacier | ✓ Move to cool/archive | ✓ Nearline/Coldline |
Next, we'll dive deep into encryption options for protecting data at rest and in transit.