AWS S3
Object-level data protection for the world's most trusted cloud storage infrastructure
Amazon S3 is the object storage standard. Before "cloud-native" was a design principle, S3 defined what scalable, durable, programmatic object storage looks like — and it became the API that every storage provider since has emulated. Today, S3 runs the data infrastructure for enterprises, defense agencies, and government programs worldwide, delivering eleven nines of durability, automatic storage tiering, and cross-region replication for resilience. For organizations that have built their data infrastructure on AWS, S3 is not a component they're evaluating — it's the foundation they're extending.
AWS S3 + Virtru Data Security Platform
AWS Identity and Access Management (IAM) controls who can call S3 APIs, which accounts can access which buckets, and what operations users are permitted to perform. But IAM's jurisdiction ends at the S3 API endpoint. The moment an object is retrieved, whether downloaded to a workstation, shared with a contractor, or copied to another region or account, the bytes travel beyond IAM's reach. The Virtru Data Security Platform closes that gap. Each object is TDF-encrypted with an embedded ABAC policy at write time, delivering cryptographic, per-object governance that persists wherever the data moves: across regions, across accounts, or outside AWS entirely.
This reduces the bucket proliferation that organizations create to approximate access control. Without object-level governance, teams stand up separate buckets per project, sensitivity tier, or access group, each compounding policy management, access reviews, and operational overhead. With the Data Security Platform, a single S3 bucket holds objects with entirely different governance profiles. Multiple users can share the same bucket; what each can do with a given object is limited to that individual's current entitlements, enforced by the object itself. Bucket policies and IAM still decide who can list, write, or delete objects; the embedded policy decides who can read their contents.
S3's replication capabilities make the case concrete. Cross-Region Replication is a standard resilience pattern, but when data lands in a secondary region or account, new bucket policies must be applied and maintained separately, and governance drifts. With TDF-encrypted objects, every replica carries the same policy as the source and enforces the same entitlements in any region, under any account, with no separate policy management. The one dependency that travels with the replica is the Key Access Service: reading a replica still requires reaching the KAS that releases its key, so that path must be available wherever the data is consumed. With the Data Security Platform's proxy capabilities for S3, applications continue reading and writing data with no application logic rewrite required.
How It Works
- Upload - Files are written to S3 through existing application workflows. The platform's secure object connector operates as a transparent S3-compatible proxy — no application code changes required.
- Encrypt - The platform's secure object connector wraps each object in TDF at write time, generating a per-object data key and embedding the access policy attributes alongside the wrapped key in the object's manifest. The encrypted object is stored in S3. The Key Access Service (KAS) holds the key needed to unwrap the data key, so the ciphertext in S3 yields nothing without a KAS decision.
- Access request - When a user or service retrieves an object, the KAS evaluates the requester's current entitlements, sourced from the identity provider, against the embedded policy in real time.
- Authorize or deny - If the policy is satisfied, the KAS returns the key and the object is decrypted for the requester. If not — or if access has been revoked — the request is denied. The encrypted object remains in S3 unchanged.
- Audit - Every access attempt — authorized or denied — is logged with the requester identity, timestamp, and policy decision, creating the evidence chain compliance programs require.
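The five steps above, together with the replication point made earlier on this page, as one runnable simulation. This is an added example, not Virtru's code and not the TDF specification: the manifest layout, the policy shape (an `attributes` map from attribute name to permitted values), the bucket, object and user names are all assumptions, and an HMAC-SHA256 keystream stands in for AES-GCM so it runs on the Python standard library alone. It exercises the properties the steps describe: a policy-bound wrapped key that a bucket writer cannot forge, a denied request that leaves the stored object untouched, a byte-for-byte replica enforcing the same policy, revocation taking effect without rewriting the object, and an audit record for every decision.

```python
# Added simulation, not Virtru's code: manifest layout, policy shape, names and the
# cipher (HMAC-SHA256 keystream in place of AES-GCM) are illustrative assumptions.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 counter keystream (symmetric). Not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def satisfies(policy: dict, attrs: dict) -> bool:
    """ABAC check: each attribute the policy names must hold a permitted value."""
    return all(attrs.get(n) in allowed for n, allowed in policy["attributes"].items())


class KAS:
    """Key Access Service: sole holder of the wrapping key; logs every decision."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.audit = []

    def _policy_tag(self, policy: dict) -> bytes:
        # MAC over the canonical policy: a tampered manifest can never unwrap.
        canon = json.dumps(policy, sort_keys=True).encode()
        return hmac.new(self._kek, canon, hashlib.sha256).digest()

    def wrap(self, dek: bytes, policy: dict) -> dict:
        tag = self._policy_tag(policy)
        return {"wrapped_key": toy_cipher(self._kek, tag[:16], dek).hex(),
                "policy_tag": tag.hex()}

    def rewrap(self, manifest: dict, requester: dict):
        """Return the data key on 'allow', None otherwise; always write an audit record."""
        tag = bytes.fromhex(manifest["key_access"]["policy_tag"])
        if not hmac.compare_digest(tag, self._policy_tag(manifest["policy"])):
            decision = "deny: policy tampered"
        elif not satisfies(manifest["policy"], requester["attrs"]):
            decision = "deny: attributes do not satisfy policy"
        else:
            decision = "allow"
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "requester":
                           requester["id"], "object": manifest["object_id"], "decision": decision})
        if decision != "allow":
            return None
        return toy_cipher(self._kek, tag[:16], bytes.fromhex(manifest["key_access"]["wrapped_key"]))


def tdf_encrypt(kas: KAS, object_id: str, plaintext: bytes, policy: dict) -> bytes:
    """Write path: fresh data key per object; policy and wrapped key ride inside the object."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    return json.dumps({"object_id": object_id, "policy": policy,
                       "key_access": kas.wrap(dek, policy), "nonce": nonce.hex(),
                       "payload": toy_cipher(dek, nonce, plaintext).hex()}).encode()


def tdf_decrypt(kas: KAS, tdf_bytes: bytes, requester: dict):
    """Read path: S3 hands back ciphertext; only a KAS 'allow' yields plaintext."""
    tdf = json.loads(tdf_bytes)
    dek = kas.rewrap(tdf, requester)
    if dek is None:
        return None
    return toy_cipher(dek, bytes.fromhex(tdf["nonce"]), bytes.fromhex(tdf["payload"]))


def demo() -> dict:
    kas = KAS()
    s3 = {"data-us-east-1": {}, "data-eu-west-1": {}}   # constructed bucket stand-ins
    policy = {"attributes": {"clearance": ["secret", "topsecret"], "project": ["atlas"]}}
    key = "reports/q3.csv"
    s3["data-us-east-1"][key] = tdf_encrypt(kas, key, b"revenue,1200\n", policy)
    s3["data-eu-west-1"][key] = s3["data-us-east-1"][key]   # CRR copies bytes only

    analyst = {"id": "alice", "attrs": {"clearance": "secret", "project": "atlas"}}
    contractor = {"id": "bob", "attrs": {"clearance": "secret", "project": "hermes"}}
    source = tdf_decrypt(kas, s3["data-us-east-1"][key], analyst)
    replica = tdf_decrypt(kas, s3["data-eu-west-1"][key], analyst)
    denied = tdf_decrypt(kas, s3["data-eu-west-1"][key], contractor)

    # Someone with bucket write access edits the embedded policy to admit bob.
    tampered = json.loads(s3["data-us-east-1"][key])
    tampered["policy"]["attributes"]["project"].append("hermes")
    forged = tdf_decrypt(kas, json.dumps(tampered).encode(), contractor)

    # Revocation is an entitlement change at the IdP; the stored object is untouched.
    analyst["attrs"]["project"] = "hermes"
    revoked = tdf_decrypt(kas, s3["data-us-east-1"][key], analyst)

    return {"source": source, "replica": replica, "denied": denied, "forged": forged,
            "revoked": revoked, "decisions": [r["decision"] for r in kas.audit]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=lambda b: b.decode() if isinstance(b, bytes) else str(b)))
```

The tamper case is the point to take away: if the policy were merely stored next to the wrapped key, anyone with write access to the bucket could edit it and grant themselves access, which is why the policy has to be cryptographically bound to the key release. The TDF manifest carries a policy binding alongside the wrapped key for the same reason; the HMAC tag here is a simplified stand-in for it.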
- Eleven nines of data durability (99.999999999%) across replicated, distributed storage built for long-lived enterprise and government workloads
- Flexible storage classes (S3 Standard, Intelligent-Tiering, Glacier, and Deep Archive) that optimize cost by access frequency: Intelligent-Tiering moves objects between tiers automatically, and lifecycle rules transition objects into the Glacier classes without manual data migration
- Cross-Region and Same-Region Replication (CRR/SRR) for resilience, compliance data residency requirements, and multi-account data distribution
- Native AWS ecosystem integration with Athena, Glue, SageMaker, GuardDuty, Macie, Lake Formation, and the full AWS analytics and security stack
- Versioning and Object Lock for immutable storage, ransomware protection, and compliance retention enforcement (WORM)
- AWS GovCloud (US) availability for FedRAMP High, ITAR, and CJIS workloads requiring data sovereignty and elevated regulatory compliance
- AWS Marketplace availability for streamlined procurement and consolidated billing within existing AWS accounts
- Object-level data governance when paired with the Virtru Data Security Platform — attribute-based access policies applied per object, not just at the bucket level
Protecting data stored in AWS S3 with the Virtru Data Security Platform requires an active AWS account, a Virtru Data Security Platform deployment, and an identity provider to supply the user and environmental attributes that drive access decisions.
- Active AWS account with S3 enabled (all storage classes supported; AWS Free Tier supports limited S3 usage; Standard pricing for production workloads)
- Virtru Data Security Platform deployment (SaaS, customer VPC, on-premises, or hybrid)
- AWS IAM credentials for the connector, scoped to the target buckets and limited to the S3 actions it actually performs (least privilege)
- Compatible OIDC/OAuth2 identity provider (e.g., Okta, Microsoft Entra ID, Ping Identity, or AWS IAM Identity Center) for ABAC attribute sourcing
- Network connectivity between the Virtru Data Security Platform deployment and S3 API endpoints
Security: AWS S3 and the Virtru Data Security Platform operate at complementary layers of the security stack. AWS encrypts data at rest using SSE-S3, SSE-KMS, or SSE-C and in transit via TLS, with infrastructure-level access controls through IAM and bucket policies. Note what server-side encryption does and does not do: S3 removes it transparently on every GET, so any principal permitted to read the object (and, for SSE-KMS, to use the key) receives plaintext. The Virtru Data Security Platform adds a data-centric layer: object-level TDF encryption with ABAC policy enforcement that persists beyond the S3 boundary, because what S3 hands back is still ciphertext until the KAS releases the key. AWS secures the infrastructure; Virtru secures the data regardless of where it moves after retrieval.
Compliance: AWS holds FedRAMP High authorization (including in AWS GovCloud), SOC 2 Type II, ISO 27001, PCI DSS, HIPAA eligibility, and ITAR-compliant regions. The Virtru Data Security Platform holds FedRAMP Moderate authorization. Virtru is also listed in the AWS Intelligence Community Marketplace (ICMP), reflecting the security requirements of the most sensitive federal and defense programs. Together, they support regulated environments from commercial compliance to IC and DoD workloads. Every KAS decision on a TDF-wrapped object, allowed or denied, is logged with the requester, timestamp, and policy outcome, providing the evidence chain compliance programs require.
Privacy: TDF encryption ensures objects stored in S3 remain cryptographically protected at rest: S3 itself never holds the data key and cannot decrypt the contents, and neither can a principal whose only access is to the bucket. Only requesters whose attributes satisfy the object's ABAC policy obtain the key and the plaintext. The Virtru Data Security Platform manages key release and policy evaluation without exposing decryption keys to the storage layer.