Amazon S3 Security Best Practices: 3 Essential Steps Against Modern Ransomware Attacks

As organizations generate massive volumes of data across sprawling multicloud environments, traditional security tools struggle to keep pace. The rise of AI further complicates this landscape: AI systems require broad data access to function, yet this same access creates new attack vectors. The recent Codefinger ransomware attack, which exploited AWS’s native server-side encryption (SSE) features to lock users out of their own Amazon S3 data, underscores the urgent need for stronger cloud data security.

Here are three essential security best practices organizations can implement now to protect Amazon S3 buckets from modern ransomware threats like Codefinger:

1. Audit identities with SSE-C privileges

Start by auditing every human and machine identity with permissions to use SSE-C (Server-Side Encryption with Customer-Provided Keys). Compare each identity to a master list of authorized users, and immediately revoke access from inactive or unnecessary identities. Focus on the key permissions attackers could exploit—s3:GetObject and s3:PutObject—as these enable ransomware encryption operations.

Additionally, ensure identities with SSE-C permissions cannot disable object versioning, delete backups or logs, or modify logging configurations, which are critical safeguards against data destruction. Watch for these risky permissions:

  • Deleting logs: s3:DeleteBucket, s3:DeleteObject
  • Deleting backups: s3:DeleteObjectVersion, backup:DeleteRecoveryPoint
  • Changing object versioning: s3:PutBucketVersioning
  • Altering logging/audit settings: s3:PutBucketLogging, s3:GetBucketLogging, s3:PutBucketPolicy, s3:PutBucketAcl

This careful audit gives you precise visibility into who can access encryption keys and ensures no excessive privileges linger in your environment.
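An added example (not from the original post) of what the step 1 audit looks like in code: it scans IAM policy documents for the risky actions listed above, expanding IAM wildcards such as `s3:*` the way IAM does. The identity names and policies are constructed samples, not real account data.

```python
import fnmatch

# Risky actions from step 1, grouped by the capability they give an attacker.
RISKY_ACTIONS = {
    "read/overwrite objects (SSE-C re-encryption)": ["s3:GetObject", "s3:PutObject"],
    "delete logs": ["s3:DeleteBucket", "s3:DeleteObject"],
    "delete backups": ["s3:DeleteObjectVersion", "backup:DeleteRecoveryPoint"],
    "change versioning": ["s3:PutBucketVersioning"],
    "alter logging/audit settings": ["s3:PutBucketLogging", "s3:GetBucketLogging",
                                     "s3:PutBucketPolicy", "s3:PutBucketAcl"],
}

def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement in one policy document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    patterns = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return patterns

def risky_grants(policies):
    """Return {category: [matched actions]} for the risky actions these policies allow.
    IAM action matching is case-insensitive with * and ? wildcards, so "s3:*" matches
    every S3 action. Deny statements and resource scoping are not modelled here."""
    patterns = set().union(*(allowed_action_patterns(p) for p in policies))
    found = {}
    for category, actions in RISKY_ACTIONS.items():
        hits = [a for a in actions
                if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)]
        if hits:
            found[category] = hits
    return found

def audit(identities):
    """identities: {name: [policy docs]} -> only identities holding any risky action."""
    return {n: g for n, g in ((n, risky_grants(p)) for n, p in identities.items()) if g}

# Constructed sample identities (not real account data).
SAMPLE_IDENTITIES = {
    "backup-writer": [{"Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                                     "Resource": "arn:aws:s3:::finance-data/*"}}],
    "legacy-admin": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
    "analyst": [{"Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*"}]}],
}

print(audit(SAMPLE_IDENTITIES))
```

In a real audit, feed it the policy documents returned for each user and role, and treat each hit as a lead to compare against the authorized-user list rather than a verdict on its own.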

2. Enable logging for Amazon S3 data events

Most organizations overlook that AWS CloudTrail does not log S3 GET and PUT operations by default, leaving major blind spots during security investigations. Enable CloudTrail Data Events or S3 Server Access Logs to capture detailed records of every object access.

  • CloudTrail data events: Provide granular logs of read/write operations but incur per-event costs—consider them for buckets that hold sensitive data or see a low volume of changes.
  • S3 server access logs: Generate logs at no additional cost (apart from storage), though they provide less detail than CloudTrail.

Whichever you choose, store logs in a secure, versioned bucket, ensuring you can restore files to their last known good state if a ransomware attack occurs.
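Once data events are being captured, they can be scanned for the activity steps 1 and 2 describe. This added example (not from the original post) runs a small detection over CloudTrail S3 data-event records: it flags SSE-C writes by any identity outside an assumed SSE-C allow-list, and any change to the versioning, backup or logging safeguards listed in step 1. The field names follow the CloudTrail S3 record format as I understand it (eventName, userIdentity.arn, requestParameters.bucketName, additionalEventData.SSEApplied); the records and ARNs are constructed.

```python
import json

# Identities permitted to use SSE-C (an assumed allow-list for this example).
SSEC_APPROVED = {"arn:aws:iam::111122223333:role/backup-writer"}
# Actions from step 1 that weaken versioning, backups or logging.
SAFEGUARD_ACTIONS = {"PutBucketVersioning", "DeleteObjectVersion", "PutBucketLogging",
                     "PutBucketPolicy", "PutBucketAcl", "DeleteBucket"}

def classify(record):
    """Return an alert string for one CloudTrail record, or None if it looks benign."""
    name = record.get("eventName")
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    bucket = record.get("requestParameters", {}).get("bucketName", "?")
    sse = record.get("additionalEventData", {}).get("SSEApplied")
    if name in ("PutObject", "CopyObject") and sse == "SSE_C":
        if actor not in SSEC_APPROVED:          # object re-written under a caller-supplied key
            return f"UNAPPROVED_SSEC_WRITE actor={actor} bucket={bucket}"
    if name in SAFEGUARD_ACTIONS:
        return f"SAFEGUARD_CHANGE action={name} actor={actor} bucket={bucket}"
    return None

def scan(records):
    """Run classify() over a list of records and keep only the alerts."""
    return [a for a in (classify(r) for r in records) if a]

# Constructed sample log: one approved SSE-C write, one unapproved, one plain read,
# and one attempt to change versioning on the same bucket.
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-writer"},
  "requestParameters": {"bucketName": "finance-data"}, "additionalEventData": {"SSEApplied": "SSE_C"}},
 {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": {"bucketName": "finance-data"}, "additionalEventData": {"SSEApplied": "SSE_C"}},
 {"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
  "requestParameters": {"bucketName": "finance-data"}, "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
 {"eventName": "PutBucketVersioning", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": {"bucketName": "finance-data"}}
]}""")["Records"]

for alert in scan(SAMPLE_LOG):
    print(alert)
```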

3. Discover, classify, and prioritize data security risks

Protecting S3 data requires full knowledge of what you’re securing. Perform a comprehensive data discovery and classification across structured, semi-structured, and unstructured data stored in S3. This helps you identify and prioritize high-risk assets—focusing immediate efforts where potential impact is greatest.

Accurate classification also supports responsible AI adoption by controlling what data generative AI systems can access. This is essential, as AI systems inadvertently exposed to sensitive data during training or inference can create uncontrolled data leakage risks.

Why these security best practices matter

The Codefinger attack proved that attackers can exploit cloud-native features like SSE-C encryption for malicious ends, turning trusted security tools against organizations. Beyond ransomware, the explosion of AI adoption adds new risks—AI models require extensive data but can leak sensitive information unpredictably. Organizations that lack strict identity governance and data controls will struggle to secure both their data and AI systems.

Moreover, shifting regulatory landscapes—like evolving cybersecurity executive orders—mean organizations cannot wait for clarity. Proactively implementing strong identity management, encryption governance, and data classification today is the best way to secure your S3 environments and prepare your AI systems for future threats.

Conclusion

The challenges posed by modern ransomware and AI-driven data exposure require a proactive, risk-based approach to cloud security. By auditing SSE-C permissions, enabling robust logging, and comprehensively classifying data, organizations can build the resilient foundation needed to defend against sophisticated attacks—protecting both current assets and future AI investments.

Centizen

A Leading Staffing, Custom Software and SaaS Product Development company founded in 2003. We offer a wide range of scalable, innovative IT Staffing and Software Development Solutions.