# How to Prevent a Data Breach in Cloud Storage

By [Pradeep Biradar](https://www.paloaltonetworks.com/blog/author/pradeep-biradar/?ts=markdown "Posts by Pradeep Biradar") Feb 11, 2021 5 minutes [Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown) [AWS S3](https://www.paloaltonetworks.com/blog/tag/aws-s3/?ts=markdown)

Cloud storage is one of the most prevalent [platform-as-a-service (PaaS)](https://www.paloaltonetworks.com/cyberpedia/what-is-pass) solutions to experience breaches. How common these breaches are shows how often users fail to manage security for these services effectively.
In this article, I will highlight some of the most important actions users can take today to prevent a [data breach](https://www.paloaltonetworks.com/cyberpedia/data-breach) in cloud storage on Amazon Simple Storage Service (S3).

## **Mitigations**

### **Use a Comprehensive CSPM Tool**

Changes in public cloud infrastructure are constant; it's just the nature of these environments. So it's essential to have a [Cloud Security Posture Management](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management) (CSPM) tool that continuously monitors your cloud services, assesses their security posture and takes action on misconfigurations before they can be exploited. There should also be a team auditing your infrastructure changes on a regular basis.

### **Stay Up To Date With Recent Security Features**

Cloud vendors often enhance their services' security features, either by introducing new features or by [deprecating old ones](https://www.paloaltonetworks.com/blog/prisma-cloud/kubernetes-psp-deprecation/). Users should be aware of the latest changes and ensure their infrastructure is always current.

### **Amazon S3 Block Public Access**

AWS has introduced a security feature called '[Block Public Access](https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/)', which works at the account level as well as the bucket level. With this feature you can block existing and future public access at the account level itself; if any storage is not intended to be public, you can place the data in one of these separate accounts.

### **Properly Define ACLs and Bucket Policies**

Ensure that your Amazon S3 buckets use the correct [access control lists](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl_overview.html) (ACLs) and bucket policies so they are not publicly accessible.
Implementing least privilege access is fundamental to reducing security risk and the impact that could result from errors or malicious intent.

### **Use S3 Access Points or VPC Endpoints for Amazon S3 Access**

Amazon S3 provides functionality for creating and managing access points. Because each access point carries its own set of defined restrictions, you can use them when your data is shared among VPC users; avoid including [sensitive information](https://www.paloaltonetworks.com/cyberpedia/sensitive-data) in the access point name. A VPC endpoint for Amazon S3 provides a logical entity within a VPC that allows connectivity only to Amazon S3. You can prevent data exfiltration by using a VPC that does not have an internet gateway.

### **Enable MFA Delete**

Multi-factor authentication (MFA) Delete can help prevent accidental bucket deletions. If MFA Delete is not enabled, any user with the password of a sufficiently privileged root or [IAM](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management) user could permanently delete an Amazon S3 object.

### **Enforce Data Encryption**

On the server side, Amazon S3 encrypts your object before saving it to disks in its data centers, and then decrypts it when you download the object. Alternatively, encrypt data client-side and upload the encrypted data to Amazon S3; in this case, you manage the encryption process, the encryption keys and related tools. Require HTTPS (TLS) by using the SecureTransport condition in Amazon S3 bucket policies, to prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks.

### **Use IAM Roles for Applications and AWS Services That Require S3 Access**

Applications on Amazon Elastic Compute Cloud (EC2) or other AWS services must include valid AWS credentials in their AWS API requests to access S3 resources.
Instead of storing credentials in the application or on the EC2 instance, use an [IAM role](https://www.paloaltonetworks.com/blog/2020/10/cloud-iam-misconfiguration-risks/) to manage temporary credentials for applications or services that need S3 access. The role supplies temporary permissions that applications can use when they make calls to other AWS resources. The IAM role assigned should have restrictive access.

### **Implement S3 Object Lock and Versioning**

S3 Object Lock enables you to store objects using a "Write Once Read Many" (WORM) model, which can help prevent accidental or inappropriate deletion of data. Versioning keeps multiple variants of an object in the same bucket, so you can easily recover from both unintended user actions and application failures.

### **Implement Built-in Logging and Monitoring Tools**

Logging provides detailed records of the requests that are made to a bucket. Monitoring is an important part of maintaining the reliability, security, availability and performance of your S3 and other AWS solutions. AWS provides CloudTrail for logging and CloudWatch for monitoring.

### **Consider Private Storage**

Private storage can be used to hold sensitive data that will reside apart from public storage. This storage is always private and cannot be accessed over the internet. Access to private storage goes through an API wrapped with security controls.

### **Avoid Human Errors**

To avoid unintentional human errors, follow [best practices checklists](https://www.paloaltonetworks.com/blog/prisma-cloud/guide-protect-aws-s3/). Access to sensitive data should be limited to as few people as possible, each authenticated with multiple factors such as MFA devices. Separating the production environments would clearly highlight the differences between public and private storage, and help you prevent accidental exposure of data through S3.
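As an added example (not code from the article or from Palo Alto Networks), the following Python script audits an S3 bucket policy document for two of the points made above: an Allow statement open to a wildcard principal (the public-access case the ACL and bucket-policy section warns about) and the presence of a Deny on the SecureTransport condition (the TLS requirement from the encryption section). The bucket name, account id and role ARN in the two embedded sample policies are constructed placeholders, and the script needs no AWS access.

```python
import json

# Constructed sample: the weak policy the article warns about (anyone can read objects, over HTTP).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed hardened policy: a single application role (placeholder ARN) plus a TLS-only Deny.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal) -> bool:
    """'*' or {'AWS': '*'} grants to any principal, including anonymous requests."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_allow_statements(policy: dict) -> list:
    """Sids of Allow statements for a wildcard principal with no Condition at all."""
    return [st.get("Sid", f"stmt{i}")
            for i, st in enumerate(_as_list(policy.get("Statement", [])))
            if st.get("Effect") == "Allow"
            and _wildcard_principal(st.get("Principal"))
            and not st.get("Condition")]

def enforces_tls(policy: dict) -> bool:
    """True if a Deny statement rejects requests where aws:SecureTransport is false."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        bool_cond = st.get("Condition", {}).get("Bool", {})
        values = _as_list(bool_cond.get("aws:SecureTransport", []))
        if any(str(v).lower() == "false" for v in values):
            return True
    return False

def audit_policy(policy_json: str) -> dict:
    """Parse a policy document and report both findings."""
    policy = json.loads(policy_json)
    return {"public_statements": public_allow_statements(policy),
            "tls_enforced": enforces_tls(policy)}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc))
```

A wildcard-principal Allow that does carry a Condition is not flagged here; such statements still deserve manual review, since a broad condition (a wide source-IP range, for instance) can leave the bucket effectively public.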
![Checklist for protecting your data from cloud storage breaches.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/protect-from-data-breaches-1.png)

Checklist for protecting your data from cloud storage breaches.

## **Conclusion**

When it comes to security, cloud service providers offer a number of tools and controls. But users often leave gaps in those controls, and therefore leave the services they use exposed to breaches. Even when unintentional, the cost of a data breach can exceed millions of dollars. Getting started with the right [CSPM tool](https://docs.paloaltonetworks.com/prisma/prisma-cloud.html) will improve your security stance, reduce your risks and provide protection against such [breaches](https://www.paloaltonetworks.com/cyberpedia/data-breach).