Welcome to S3 Guard
S3 Guard is an s3-compatible proxy enhancing data privacy when using s3-compatible storage services.
We provide the following features:
- 🔒 Access policies based on Open Policy Agent (opens in a new tab)
- 📝 Purpose dependent data transformations
- 🪟 Transparency through integrated logging
- 📑 Policy management through CLI
- 🧩 Easily adaptable due to S3-compatibility
S3 Guard was developed as a research project at the Technical University of Berlin (opens in a new tab) as part of the privacy engineering course by Dr.-Ing. Frank Pallas.
Architecture
S3 Guard sits between your application and your s3-compatible storage service. It intercepts all requests and applies the configured policies to the data. The policies are written in rego (opens in a new tab) and can be easily adapted to your needs. We extended the rego language with a few custom functions that can be explored under the transformer section, allowing easy to use purpose dependent data transformations. Further we also provide a CLI to easily manage your policies, as well as a logging service integrated in the proxy.
Why is it useful?
Data privacy is a big topic in the modern world. With the rise of cloud computing, more and more data is stored in the cloud. This data is often sensitive and needs to be protected. S3 Guard allows you to easily protect your data by applying policies to it. The GDPR states that data access should be limited to the minimum necessary. S3 Guard allows you to do exactly that. You can define policies that only allow access to the data that is needed for a specific purpose. Using our abstraction, you can transform the data to only contain the necessary information. We implemented for example faceblur (opens in a new tab), a very simple server that can blur faces in images. More transformers are planned.