Identify How to Ensure Data Integrity

Data integrity is the maintenance of, and the assurance of

over its entire life-cycle.

A data store’s classification must consider confidentiality, availability, and integrity as a baseline for data security.

Amazon S3, by default, provides object metadata for every object including:

The AWS Cloud Adoption Framework (AWS CAF) covers five key capabilities:

AWS Identity and Access Management (IAM): Define, enforce, and audit user permissions across AWS services, actions, and resources.
Detective control: Improve your security posture, reduce the risk profile of your environment, and gain the visibility you need to spot issues before they impact your business.
Infrastructure security: Reduce the surface area of the infrastructure you manage and increase the privacy and control of your overall infrastructure on AWS.
Data protection: Implement appropriate safeguards that help protect data in transit and at rest by using natively integrated encrypted services.
Incident response: Define and execute a response to security incidents.as a guide for security planning.

The following security best practices also address data protection in Amazon S3:

Implement server-side encryption
Enforce encryption of data in transit
Consider using Amazon Macie with Amazon S3
Identify and audit all your Amazon S3 buckets
Monitor AWS security advisories
Implement least privilege access
Use IAM roles for applications and AWS services that require Amazon S3 access
Enable multi-factor authentication (MFA) Delete
Consider encryption of data at rest
Enforce encryption of data in transit – Allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on Amazon S3 bucket policies.
Consider Amazon S3 Object Lock – Amazon S3 Object Lock enables you to store objects using a “Write Once Read Many” (WORM) model.
Consider VPC endpoints for Amazon S3 access

Security Monitoring and Auditing Guidelines