Hands-On Lab: Implementing AWS Data Security Controls

Determine appropriate data security controls

Welcome to this guided lab on determining and implementing appropriate data security controls in AWS. According to the AWS SAA-C03 objectives, effective data protection requires ensuring the confidentiality, integrity, and availability (the "CIA" triad) of your data.

In this lab, you will secure an S3 bucket containing sensitive data by creating a Customer Managed Key (CMK) in AWS Key Management Service (KMS), enforcing server-side encryption, blocking public access, and mandating in-transit encryption using bucket policies.

Prerequisites

Before starting this lab, ensure you have the following:

  • An active AWS Account with AdministratorAccess or permissions to manage S3 and KMS.
  • AWS CLI installed and configured (aws configure) with access keys and a default region.
  • A local text editor to create and modify policy files.
  • Basic understanding of the AWS Shared Responsibility Model.

Learning Objectives

By completing this lab, you will be able to:

  1. Provision and manage symmetric encryption keys using AWS KMS.
  2. Configure Amazon S3 to enforce server-side data encryption at rest.
  3. Implement S3 Public Access Block to prevent accidental data exposure.
  4. Author and apply S3 Bucket Policies to enforce TLS/SSL (in-transit encryption).

Architecture Overview

This lab implements a defense-in-depth strategy for object storage: a customer managed KMS key, default SSE-KMS encryption on the bucket, Block Public Access, and a bucket policy that rejects any request not made over TLS. Each layer is independent, so a failure of one does not by itself expose the data.

The security controls align directly with the foundational information security principles introduced above (confidentiality, integrity, and availability).

Step-by-Step Instructions

Step 1: Create an AWS KMS Customer Managed Key (CMK)

We will create a specific encryption key managed by you (the customer) rather than relying solely on the default AWS-managed S3 key. This provides greater control over key rotation and access.

```bash
aws kms create-key \
  --description "Lab Key for S3 Data Security" \
  --query 'KeyMetadata.KeyId' \
  --output text
```

[!TIP] Copy the output string (e.g., abcd-1234-5678-efgh). This is your <KEY_ID>. You will need it in later steps.

Console alternative
  1. Navigate to the KMS Console.
  2. Click Customer managed keys on the left menu, then Create key.
  3. Choose Symmetric and click Next.
  4. Give it an alias (e.g., lab-data-sec-key) and click Next.
  5. Select your IAM user as the Key Administrator and Key User.
  6. Review and click Finish.

Step 2: Create a Secure Amazon S3 Bucket

Create a globally unique S3 bucket to store your sensitive workload data.

```bash
# Replace <UNIQUE_SUFFIX> with random numbers/letters (e.g., your initials and date)
aws s3api create-bucket \
  --bucket brainybee-lab-sec-bucket-<UNIQUE_SUFFIX> \
  --region us-east-1
# For any region other than us-east-1, create-bucket also requires:
#   --create-bucket-configuration LocationConstraint=<REGION>
```

Console alternative
  1. Navigate to the S3 Console.
  2. Click Create bucket.
  3. Enter a unique bucket name brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>.
  4. Select your preferred region and click Create bucket.

Step 3: Enable Block Public Access

Ensure that no objects in this bucket can ever become public, regardless of individual object ACLs or future policies.

```bash
aws s3api put-public-access-block \
  --bucket brainybee-lab-sec-bucket-<UNIQUE_SUFFIX> \
  --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
```

Console alternative
  1. In the S3 Console, click on your new bucket.
  2. Navigate to the Permissions tab.
  3. Under Block public access (bucket settings), ensure it says On. (If off, click Edit, check "Block all public access", and Save).

Step 4: Configure Default Encryption with KMS

Force the bucket to automatically encrypt any uploaded objects using the CMK you created in Step 1.

```bash
# Replace <UNIQUE_SUFFIX> with your bucket suffix and <KEY_ID> with your KMS Key ID
aws s3api put-bucket-encryption \
  --bucket brainybee-lab-sec-bucket-<UNIQUE_SUFFIX> \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "<KEY_ID>"
      },
      "BucketKeyEnabled": true
    }]
  }'
```

Console alternative
  1. Go to your bucket in the S3 Console and click the Properties tab.
  2. Scroll down to Default encryption and click Edit.
  3. Choose Server-side encryption with AWS Key Management Service keys (SSE-KMS).
  4. Select Choose from your AWS KMS keys and pick your lab key.
  5. Enable Bucket Key and click Save changes.

Step 5: Enforce Encryption in Transit via Bucket Policy

To protect against eavesdropping, we will mandate that all requests to the bucket use HTTPS (TLS). We do this by denying any request where aws:SecureTransport is false.

Create a local file named bucket-policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>",
        "arn:aws:s3:::brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Apply the policy using the CLI:

```bash
aws s3api put-bucket-policy \
  --bucket brainybee-lab-sec-bucket-<UNIQUE_SUFFIX> \
  --policy file://bucket-policy.json
```

Console alternative
  1. Go to your bucket's Permissions tab.
  2. Scroll down to Bucket policy and click Edit.
  3. Paste the JSON above (remembering to replace <UNIQUE_SUFFIX> with your actual bucket name).
  4. Click Save changes.

Checkpoints

Let's verify that our data security controls are active and functioning correctly.

Checkpoint 1: Verify Encryption Settings

Check that default encryption is applied to the bucket.

```bash
aws s3api get-bucket-encryption --bucket brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>
```

Expected result: The output should display SSEAlgorithm as aws:kms and list your <KEY_ID>.

Checkpoint 2: Test File Upload

Create a test file and upload it. Because you are using the AWS CLI, it uses HTTPS by default, which complies with our SecureTransport policy.

```bash
echo "This is highly sensitive data" > secret.txt
aws s3 cp secret.txt s3://brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>/
```

Expected result: upload: ./secret.txt to s3://brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>/secret.txt
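Checkpoint 1 asks you to read the `get-bucket-encryption` output by eye. The following added example (not part of the lab) turns that reading, plus the Block Public Access check from Step 3, into an audit function that returns findings instead of relying on inspection. The two inputs have the shape of the JSON returned by `aws s3api get-bucket-encryption` and `aws s3api get-public-access-block`; the sample responses, the key ID and the account number in the ARN are constructed for this example, not captured from a real account. In practice you would pass the live responses, for example from boto3's `get_bucket_encryption` and `get_public_access_block` calls.

```python
"""Audit an S3 bucket's default encryption and Block Public Access settings.

Added example, not part of the lab. Inputs mirror the JSON returned by
`aws s3api get-bucket-encryption` and `aws s3api get-public-access-block`;
all sample data below is constructed.
"""

# Constructed stand-in for the <KEY_ID> produced in Step 1.
EXPECTED_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"

# All four flags must be true for the bucket to be fully shielded.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample: what a correctly configured lab bucket returns.
# S3 may echo the key as a full ARN rather than the bare ID you passed.
COMPLIANT_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/"
                                  + EXPECTED_KEY_ID,
            },
            "BucketKeyEnabled": True,
        }]
    }
}
COMPLIANT_PUBLIC_ACCESS = {
    "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS}
}

# Constructed sample: a bucket left on SSE-S3 with two of the four
# Block Public Access flags switched off.
WEAK_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
            "BucketKeyEnabled": False,
        }]
    }
}
WEAK_PUBLIC_ACCESS = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    }
}


def audit_encryption(response, expected_key_id):
    """Return a list of findings for the default-encryption setting ([] = ok)."""
    if not response:
        return ["no default encryption configuration on the bucket"]
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["encryption configuration has no rules"]
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm != "aws:kms":
        # SSE-S3 (AES256) still encrypts, but with a key you do not control.
        return [f"SSEAlgorithm is {algorithm!r}, expected 'aws:kms'"]
    findings = []
    key = default.get("KMSMasterKeyID", "")
    if not key.endswith(expected_key_id):  # accepts a bare ID or a full ARN
        findings.append(f"KMSMasterKeyID {key!r} is not the lab CMK")
    if not rule.get("BucketKeyEnabled", False):
        findings.append("BucketKeyEnabled is false (every object hits KMS directly)")
    return findings


def audit_public_access_block(response):
    """Return one finding per Block Public Access flag that is not true."""
    config = (response or {}).get("PublicAccessBlockConfiguration", {})
    return [f"{flag} is not true" for flag in PUBLIC_ACCESS_FLAGS
            if config.get(flag) is not True]


def audit_bucket(encryption_response, public_access_response,
                 expected_key_id=EXPECTED_KEY_ID):
    """Combine both checks; an empty list means the bucket matches the lab."""
    return (audit_encryption(encryption_response, expected_key_id)
            + audit_public_access_block(public_access_response))


if __name__ == "__main__":
    for label, enc, pab in (("compliant", COMPLIANT_ENCRYPTION, COMPLIANT_PUBLIC_ACCESS),
                            ("weak", WEAK_ENCRYPTION, WEAK_PUBLIC_ACCESS)):
        print(label, audit_bucket(enc, pab) or ["no findings"])
```

Comparing the key by suffix matters in practice: the lab passes a bare key ID in Step 4, but the value S3 reports back can be the full key ARN, and an exact-string comparison would flag a correctly configured bucket.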

Clean-Up / Teardown

[!WARNING] Remember to run the teardown commands to avoid ongoing charges. While S3 storage costs for a few KB are negligible, KMS keys incur a $1/month charge if left active.

Execute the following commands to destroy the resources provisioned in this lab:

```bash
# 1. Delete the object(s) inside the bucket
aws s3 rm s3://brainybee-lab-sec-bucket-<UNIQUE_SUFFIX> --recursive

# 2. Delete the S3 bucket
aws s3api delete-bucket --bucket brainybee-lab-sec-bucket-<UNIQUE_SUFFIX>

# 3. Schedule the KMS Key for deletion (minimum 7-day waiting period)
aws kms schedule-key-deletion \
  --key-id <KEY_ID> \
  --pending-window-in-days 7
```

Troubleshooting

| Common Error | Possible Cause | Solution |
|---|---|---|
| BucketAlreadyExists | Bucket names must be globally unique across all AWS accounts. | Choose a different, more random <UNIQUE_SUFFIX> and try again. |
| AccessDenied when putting bucket policy | The user role executing the CLI does not have IAM permissions to alter bucket policies. | Ensure your CLI user has s3:PutBucketPolicy permissions (AdministratorAccess covers this). |
| AccessDenied on upload | Your IAM user lacks KMS Encrypt permissions for the newly created key. | If you created the key as the same user, it should work by default. Verify the KeyId matches perfectly. |
| MalformedPolicy | A syntax error in bucket-policy.json. | Check for missing commas, unclosed brackets, or forgetting to replace <UNIQUE_SUFFIX> with the actual bucket name in the JSON ARNs. |
