
Cloud Storage Security — S3, Blob Storage & GCS Bucket Security Guide

DodaTech Updated 2026-06-24 5 min read

In this tutorial, you'll learn about Cloud Storage Security. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud storage security protects object storage services such as AWS S3, Azure Blob Storage, and GCP Cloud Storage through bucket policies and IAM, public access blocking, encryption with customer-managed keys, versioning, access logging, and cross-region replication combined with immutable (WORM) backups.

What You Will Learn

How to secure cloud storage buckets across all three providers, prevent public access, enforce encryption, enable access logging, and configure immutable backups.

Why It Matters

Misconfigured storage buckets, above all buckets readable by anyone on the internet, are among the most common causes of cloud data exposure, and a single forgotten bucket is enough to leak an entire data set. Every bucket therefore needs the same baseline controls, applied consistently and verified, not just set once.

Real-World Use

DodaTech's data lake uses AWS S3 with S3 Block Public Access enabled at the account level, SSE-KMS encryption with automatic key rotation, S3 Versioning, and Object Lock for immutability. S3 access logs are shipped to a separate security account.

Storage Security Controls

flowchart TD
  Bucket["Storage Bucket\nS3 / Blob / GCS"] --> Access["Access Control\nBucket Policy / IAM / ACL"]
  Bucket --> Public["Public Access Block\nDeny All Public Access"]
  Bucket --> Encrypt["Encryption\nSSE-KMS / AES-256"]
  Bucket --> Version["Versioning\nObject Version History"]
  Bucket --> Lock["Object Lock\nWrite-Once-Read-Many"]
  Bucket --> Logging["Access Logging\nAll Requests Logged"]
  Bucket --> Replication["Cross-Region Replication\nDisaster Recovery"]

  style Access fill:#f90,color:#fff
  style Public fill:#e00,color:#fff

AWS S3 Security

S3 layers several independent controls on a bucket: Block Public Access, bucket policies, IAM, Object Ownership, default encryption, versioning, Object Lock, and logging. Enable Block Public Access at the account level so that a later bucket policy or ACL granting public access is rejected or ignored; never rely on getting every bucket policy right by hand.

# Block all public access at the account level
aws s3control put-public-access-block \
  --account-id 123456789012 \
  --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

# Enable default encryption on a bucket with a customer-managed KMS key.
# New S3 objects are already encrypted with SSE-S3 by default; SSE-KMS adds
# key-policy control over who can decrypt and a CloudTrail record of each use.
aws s3api put-bucket-encryption \
  --bucket my-secure-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "alias/s3-key"
      },
      "BucketKeyEnabled": true
    }]
  }'

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket my-secure-bucket \
  --versioning-configuration Status=Enabled

# Enable Object Lock for immutability. Versioning must already be enabled.
# GOVERNANCE mode can be overridden by principals holding
# s3:BypassGovernanceRetention; COMPLIANCE mode cannot be shortened by anyone,
# including the account root user, until the retention period expires.
aws s3api put-object-lock-configuration \
  --bucket my-secure-bucket \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "GOVERNANCE",
        "Days": 365
      }
    }
  }'

# Enable server access logging
aws s3api put-bucket-logging \
  --bucket my-secure-bucket \
  --bucket-logging-status '{
    "LoggingEnabled": {
      "TargetBucket": "my-log-bucket",
      "TargetPrefix": "s3-access-logs/"
    }
  }'

# Configure cross-region replication. Both buckets need versioning enabled,
# and the role needs read access to source object versions plus
# s3:ReplicateObject / s3:ReplicateDelete on the destination bucket.
aws s3api put-bucket-replication \
  --bucket my-secure-bucket \
  --replication-configuration '{
    "Role": "arn:aws:iam::123456789012:role/s3-replication-role",
    "Rules": [{
      "ID": "replicate-all",
      "Status": "Enabled",
      "Prefix": "",
      "Destination": {
        "Bucket": "arn:aws:s3:::my-backup-bucket-us-west-2",
        "StorageClass": "STANDARD_IA"
      }
    }]
  }'

# Audit whether the bucket policy makes the bucket public
# (the call fails with NoSuchBucketPolicy if the bucket has no policy)
aws s3api get-bucket-policy-status --bucket my-secure-bucket
# Output:
# {
#   "PolicyStatus": {"IsPublic": false}
# }

Azure Blob Storage Security

Azure Blob Storage controls anonymous (public) read access with the account-level "Allow Blob anonymous access" setting (allowBlobPublicAccess). When it is false, container access levels that would otherwise permit anonymous reads are ignored, so set it once per account rather than auditing every container.

# Create a storage account with anonymous access disabled, TLS 1.2 minimum,
# HTTPS only, network default-deny, and infrastructure (double) encryption.
# Infrastructure encryption can only be chosen at creation time; it cannot be
# switched on for an existing account, so it belongs in the create command.
az storage account create \
  --name prodsecurestorage \
  --resource-group prod-rg \
  --https-only true \
  --allow-blob-public-access false \
  --min-tls-version TLS1_2 \
  --default-action Deny \
  --bypass AzureServices \
  --require-infrastructure-encryption true

# Enable soft delete for blobs and containers, plus blob versioning
# (management-plane call, authorised by your Azure RBAC role on the account)
az storage account blob-service-properties update \
  --account-name prodsecurestorage \
  --resource-group prod-rg \
  --enable-delete-retention true \
  --delete-retention-days 90 \
  --enable-container-delete-retention true \
  --container-delete-retention-days 90 \
  --enable-versioning true

# Verify the account-level settings, then the blob-service settings
# (versioning is a blob-service property, not an account property)
az storage account show \
  --name prodsecurestorage \
  --resource-group prod-rg \
  --query "{PublicAccess:allowBlobPublicAccess, MinTLS:minimumTlsVersion, InfraEncryption:encryption.requireInfrastructureEncryption}" \
  --output table
# Output:
# PublicAccess    MinTLS    InfraEncryption
# --------------  --------  -----------------
# False           TLS1_2    True

az storage account blob-service-properties show \
  --account-name prodsecurestorage \
  --resource-group prod-rg \
  --query "{Versioning:isVersioningEnabled, SoftDeleteDays:deleteRetentionPolicy.days}" \
  --output table
# Output:
# Versioning    SoftDeleteDays
# ------------  ----------------
# True          90

GCP Cloud Storage Security

GCP Cloud Storage uses uniform bucket-level access, which disables per-object ACLs so that IAM policies alone decide who can reach the data, and public access prevention, which rejects any IAM binding to allUsers or allAuthenticatedUsers.

# Create a bucket with uniform bucket-level access, public access prevention
# and soft delete. Data is always encrypted at rest with Google-managed keys;
# add --default-encryption-key with a Cloud KMS key for customer-managed keys.
gcloud storage buckets create gs://my-secure-bucket \
  --location us-central1 \
  --uniform-bucket-level-access \
  --default-storage-class STANDARD \
  --public-access-prevention \
  --soft-delete-duration 7d

# Enable object versioning
gcloud storage buckets update gs://my-secure-bucket --versioning

# Grant read-only access to one service account through IAM
# (no ACLs, no allUsers / allAuthenticatedUsers members)
gcloud storage buckets add-iam-policy-binding gs://my-secure-bucket \
  --member "serviceAccount:app-sa@my-project.iam.gserviceaccount.com" \
  --role "roles/storage.objectViewer"

# Enable usage (request) logs to a separate log bucket. These are distinct
# from Cloud Audit Logs, whose Data Access logs are enabled per project in
# the IAM audit configuration.
gcloud storage buckets update gs://my-secure-bucket \
  --logging-bucket gs://my-log-bucket \
  --logging-prefix storage-logs

# Verify the hardening settings
gcloud storage buckets describe gs://my-secure-bucket \
  --format="yaml(name,location,public_access_prevention,uniform_bucket_level_access,versioning_enabled)"
# Output:
# name: my-secure-bucket
# location: US-CENTRAL1
# public_access_prevention: enforced
# uniform_bucket_level_access: true
# versioning_enabled: true

Least-Privilege Access

Prefer IAM and bucket policies over ACLs: on S3 set Object Ownership to BucketOwnerEnforced so ACLs are ignored entirely, and on GCS enable uniform bucket-level access. Grant specific actions (s3:GetObject rather than s3:*) on specific resources to specific principals. For cross-account access, use bucket policies whose conditions pin the caller, for example aws:PrincipalOrgID for your organisation or aws:SourceVpce for a VPC endpoint, and add a Deny for requests made without TLS (aws:SecureTransport false).
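The following is an added example, not code from the original page: an offline check of an S3 bucket policy document that flags Allow statements granting access to any principal without a scoping condition, and reports when the policy has no Deny for plaintext (non-TLS) requests. It approximates what S3 Block Public Access (BlockPublicPolicy) and IAM Access Analyzer evaluate but is deliberately simpler; the set of scoping condition keys and the two sample policies are constructed for this example.

```python
"""Offline audit of an S3 bucket policy for public access and missing TLS enforcement.

Added example, not from the original page. Approximates the S3 notion of a
"public" policy: an Allow to an anonymous principal that no condition key
restricts to a known caller set.
"""
import json

# Condition keys treated as scoping a "*" principal down to a known caller set.
# Assumption for this example, modelled on the keys S3 treats as non-public;
# it is not an exhaustive copy of AWS's rules.
SCOPING_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:userid", "s3:dataaccesspointarn", "s3:dataaccesspointaccount",
}

# Constructed sample policies.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-secure-bucket/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Anonymous principal, but pinned to one AWS Organization.
            "Sid": "OrgReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-secure-bucket", "arn:aws:s3:::my-secure-bucket/*"],
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {   # Refuse every request that does not arrive over TLS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::my-secure-bucket", "arn:aws:s3:::my-secure-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows scalars or lists in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for k, v in principal.items() if k == "AWS")
    return False


def condition_scopes_down(condition):
    """True when at least one condition key restricts who or where the caller is."""
    for operator, key_values in (condition or {}).items():
        if operator.lower().startswith("null"):
            continue  # Null checks test key presence; they do not narrow the caller set
        if any(key.lower() in SCOPING_KEYS for key in key_values):
            return True
    return False


def denies_insecure_transport(statement):
    """True for a Deny whose condition is Bool aws:SecureTransport == false."""
    if statement.get("Effect") != "Deny":
        return False
    for operator, key_values in statement.get("Condition", {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in key_values.items():
            if key.lower() == "aws:securetransport" and str(_as_list(value)[0]).lower() == "false":
                return True
    return False


def audit_bucket_policy(policy_json):
    """Return a list of human-readable findings; an empty list means no issue found."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    tls_enforced = False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if (stmt.get("Effect") == "Allow"
                and principal_is_anonymous(stmt.get("Principal"))
                and not condition_scopes_down(stmt.get("Condition"))):
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"PUBLIC: statement {sid} allows {actions} to any principal")
        tls_enforced = tls_enforced or denies_insecure_transport(stmt)
    if not tls_enforced:
        findings.append("MISSING: no Deny statement for aws:SecureTransport=false (plaintext HTTP allowed)")
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or ["OK"])
```

Run it against a live bucket by feeding the `Policy` string returned by `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` into `audit_bucket_policy`. A policy with no findings is not proof the bucket is private: ACLs, Object Ownership and the account-level Block Public Access settings still need to be checked separately.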

Common Mistakes

  1. Publicly accessible buckets: Enable Block Public Access (or its Azure and GCP equivalents) at the account level. With it on, a bucket policy or ACL that would grant public access is rejected or ignored; without it, one mistaken bucket policy is enough to expose the data.
  2. Relying on default encryption alone: All three providers encrypt data at rest by default, but with provider-managed keys you have no control over who can decrypt and no per-decrypt audit trail. Use customer-managed keys (SSE-KMS, Key Vault, Cloud KMS) on buckets holding sensitive data.
  3. No versioning: Without versioning, an accidental delete or a ransomware overwrite destroys the only copy. Enable versioning, and add Object Lock or a retention policy so that old versions cannot be purged by a compromised credential.
  4. No access logging: Without access logs, you cannot audit who accessed what. Ship server access logs or usage logs to a bucket in a separate account that the production principals cannot write to or delete from.
  5. No cross-region replication: Data in a single region is vulnerable to region-wide outages and to deletion by an attacker with regional access. Replicate to a second region, and protect the replica with the same public access block, versioning and Object Lock as the source.

Practice Questions

  1. What is the difference between S3 Block Public Access and a bucket policy?
  2. How does Azure Blob Storage infrastructure encryption work?
  3. What is uniform bucket-level access in GCP Cloud Storage?
  4. Why should versioning be enabled on all storage buckets?
  5. How does cross-region replication protect against data loss?

Challenge

Secure a multi-cloud storage architecture. Create an S3 bucket with Block Public Access, SSE-KMS encryption, versioning, Object Lock with 1-year retention, and cross-region replication to a second region. Create an equivalent GCS bucket with uniform bucket-level access, public access prevention, versioning, and soft delete. Create an Azure Blob Storage account with anonymous access blocked, infrastructure encryption, and versioning. Write CLI commands to create each configuration and separate commands that verify it.

FAQ

How do I prevent public access to S3 buckets?

Enable S3 Block Public Access at the account level (and on each bucket), set Object Ownership to BucketOwnerEnforced so ACLs are ignored, and grant access only through bucket policies and IAM with conditions that pin the caller. Confirm with get-bucket-policy-status that IsPublic is false.

What encryption options does Azure Blob Storage support?

Azure supports Azure Storage Service Encryption (SSE) with Microsoft-managed keys, customer-managed keys in Key Vault, and infrastructure encryption for double encryption at rest.

Does GCP Cloud Storage support Object Lock?

Yes. GCP supports retention policies and holds that prevent object deletion or modification for a specified period.

What is the purpose of S3 Object Lock?

Object Lock enforces a write-once-read-many (WORM) model that prevents objects from being deleted or overwritten for a defined retention period.

How does storage cross-region Replication work?

Replication automatically copies objects to a bucket in another region, providing geographic redundancy for disaster recovery.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro