AWS S3
From storage for the internet to the data foundation for AI and analytics, Amazon S3 scales and evolves with your ambition
Amazon S3 is the object storage standard. Before "cloud-native" was a design principle, S3 defined what scalable, durable, programmatic object storage looks like — and it became the API that every storage provider since has emulated. Today, S3 runs beneath the data infrastructure of enterprises, defense agencies, and government programs worldwide, holding everything from mission-critical datasets to compliance archives to production application assets.
S3's durability and reach are built in. Eleven nines of durability. Storage classes that tier data automatically based on access patterns. Cross-region and cross-account replication for resilience. Native integration with the full AWS analytics and security ecosystem — Athena and Glue for data transformation, SageMaker for machine learning, GuardDuty and Macie for threat detection. For organizations that have built their data infrastructure on AWS, S3 is not a component they're evaluating — it's the foundation they're extending.
When paired with the Virtru Data Security Platform, AWS S3 becomes a governed, object-level data protection environment — not just a storage layer. Each object is TDF-encrypted with embedded ABAC policy at write time, so protection persists through every cross-region replica, every external share, and every access attempt that happens after the object leaves the S3 boundary. Organizations running sensitive workloads on S3 — from defense contractors managing CUI to financial institutions distributing M&A documents — gain cryptographic, per-object governance that IAM alone cannot provide, without modifying the applications, pipelines, or workflows that depend on S3 today.
Key Capabilities
- Eleven nines of data durability (99.999999999%) across replicated, distributed storage built for long-lived enterprise and government workloads
- Flexible storage classes — S3 Standard, Intelligent-Tiering, Glacier, and Deep Archive — automatically optimize cost based on access frequency without manual data migration
- Cross-Region and Same-Region Replication (CRR/SRR) for resilience, data residency compliance requirements, and multi-account data distribution
- Native AWS ecosystem integration with Athena, Glue, SageMaker, GuardDuty, Macie, Lake Formation, and the full AWS analytics and security stack
- Versioning and Object Lock for immutable storage, ransomware protection, and compliance retention enforcement (WORM)
- AWS GovCloud (US) availability for FedRAMP High, ITAR, and CJIS workloads requiring data sovereignty and elevated regulatory compliance
- AWS Marketplace availability for streamlined procurement and consolidated billing within existing AWS accounts
- Object-level data governance when paired with the Virtru Data Security Platform — attribute-based access policies applied per object, not just at the bucket level
Better Together
AWS Identity and Access Management (IAM) controls who can call S3 APIs, which accounts can access which buckets, and what operations users are permitted to perform — reliably, at scale, across the full AWS ecosystem. The moment an object is retrieved — downloaded to a workstation, shared with a contractor, replicated to another region or account — IAM's jurisdiction ends. The protection boundary is the S3 API endpoint; beyond it, the file travels unprotected.
This creates the bucket proliferation problem. Without object-level governance, organizations create buckets to approximate access control: one per team, per project, per sensitivity tier. Each bucket compounds operational overhead — separate policies, separate access reviews, separate cost tracking, inevitable drift. With the Virtru Data Security Platform, a single S3 bucket holds objects with entirely different governance profiles. A compliance analyst and a product engineer can share the same bucket; each sees only the objects their current entitlements authorize, enforced by the data itself — not by which bucket it landed in.
S3's replication capabilities make the data-layer gap concrete. Cross-Region Replication is a standard resilience pattern — but when data replicates to a secondary region or a different account, it lands outside the source bucket's policy scope. New bucket policies must be applied manually. Governance drifts between the original and the copy. With Virtru TDF, replication doesn't create a governance gap. The policy travels with the object. Every replica enforces the same entitlements as the source, in any region, under any account, without separate policy management for each destination.
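The three points above (IAM stops at the API boundary, one bucket can hold objects with different governance profiles, and a replica carries the same policy as the source) are easier to see in code. The following is an added example, not Virtru's or AWS's code and not the TDF format itself: it models an object whose policy is bound to its wrapped data key, a hypothetical key-access service that releases the key only when the requester's attributes satisfy that policy, and replication as a plain byte copy. Every name (`KeyAccessService`, `protect`, `access`, `replicate`, `visible_objects`), the attribute names, and the bucket contents are constructed for illustration; HMAC-SHA256 in counter mode stands in for AES-GCM so the script runs with the standard library only and is not production cryptography.

```python
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter mode: stdlib stand-in for AES-GCM (illustration only)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def policy_satisfied(policy: dict, attrs: dict) -> bool:
    """ABAC rule: every attribute named in the policy must be present on the
    requester with one of the allowed values (all-of across attribute names)."""
    return all(attrs.get(name) in allowed
               for name, allowed in policy["attributes"].items())


class KeyAccessService:
    """Hypothetical policy decision point. It wraps per-object data keys and
    releases one only after checking that the policy travelling with the object
    is untampered and satisfied by the requester's attributes."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)  # constructed service secret; never leaves the service

    def wrap(self, data_key: bytes, policy: dict) -> str:
        policy_bytes = json.dumps(policy, sort_keys=True).encode()
        nonce = secrets.token_bytes(16)
        wrap_key = hmac.new(self._kek, nonce, hashlib.sha256).digest()
        wrapped = _keystream_xor(wrap_key, data_key)
        # The tag covers the wrapped key AND the policy, so editing the policy
        # in the stored object invalidates the key it is attached to.
        tag = hmac.new(self._kek, nonce + wrapped + policy_bytes, hashlib.sha256).hexdigest()
        return (nonce + wrapped).hex() + ":" + tag

    def rewrap(self, wrapped_key: str, policy: dict, attrs: dict) -> bytes:
        blob_hex, tag = wrapped_key.split(":")
        blob = bytes.fromhex(blob_hex)
        nonce, wrapped = blob[:16], blob[16:]
        policy_bytes = json.dumps(policy, sort_keys=True).encode()
        expected = hmac.new(self._kek, nonce + wrapped + policy_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("policy or key material has been altered")
        if not policy_satisfied(policy, attrs):
            raise PermissionError("attributes do not satisfy object policy")
        return _keystream_xor(hmac.new(self._kek, nonce, hashlib.sha256).digest(), wrapped)


def protect(plaintext: bytes, policy: dict, kas: KeyAccessService) -> dict:
    """Encrypt at write time and embed the policy: this dict is what is PUT to S3."""
    data_key = secrets.token_bytes(32)
    return {
        "policy": policy,
        "wrapped_key": kas.wrap(data_key, policy),
        "ciphertext": _keystream_xor(data_key, plaintext).hex(),
    }


def access(obj: dict, attrs: dict, kas: KeyAccessService) -> bytes:
    """Decrypt only if the key service releases the key for these attributes;
    where the bytes were fetched from (region, account, laptop) is irrelevant."""
    data_key = kas.rewrap(obj["wrapped_key"], obj["policy"], attrs)
    return _keystream_xor(data_key, bytes.fromhex(obj["ciphertext"]))


def replicate(obj: dict) -> dict:
    """Cross-region replication modelled as a byte-for-byte copy: the policy comes along."""
    return json.loads(json.dumps(obj))


def visible_objects(bucket: dict, attrs: dict, kas: KeyAccessService) -> list:
    """Keys in a shared bucket that this requester can actually open."""
    visible = []
    for key, obj in bucket.items():
        try:
            access(obj, attrs, kas)
            visible.append(key)
        except PermissionError:
            pass
    return sorted(visible)


# Constructed scenario: one bucket, two objects with different governance profiles.
KAS = KeyAccessService()
BUCKET = {
    "m-and-a/term-sheet.pdf": protect(
        b"term sheet contents",
        {"attributes": {"dept": ["finance", "legal"], "clearance": ["confidential", "secret"]}}, KAS),
    "eng/design.md": protect(b"design notes", {"attributes": {"dept": ["engineering"]}}, KAS),
}
ANALYST = {"dept": "finance", "clearance": "confidential"}   # constructed user attributes
ENGINEER = {"dept": "engineering", "clearance": "public"}

if __name__ == "__main__":
    print("analyst sees:", visible_objects(BUCKET, ANALYST, KAS))
    print("engineer sees:", visible_objects(BUCKET, ENGINEER, KAS))
```

Two things to notice when running it. First, `visible_objects` never consults a bucket name or an IAM principal: the analyst and the engineer share one bucket and each opens only the objects whose policy their attributes satisfy. Second, a replica produced by `replicate` behaves identically to the source under the same attributes, while an object whose embedded policy has been edited after the fact is rejected by the key service before any attribute check runs.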
Protecting data stored in AWS S3 with the Virtru Data Security Platform requires an active AWS account, a Virtru Data Security Platform deployment, and an identity provider to supply the user and environmental attributes that drive access decisions.
- Active AWS account with S3 enabled (all storage classes supported; AWS Free Tier supports limited S3 usage; Standard pricing for production workloads)
- Virtru Data Security Platform deployment (SaaS, customer VPC, on-premises, or hybrid)
- AWS IAM credentials with appropriate S3 permissions for the target buckets
- Compatible OIDC/OAuth2 identity provider (e.g., Okta, Microsoft Entra ID, Ping Identity, or AWS IAM Identity Center) for ABAC attribute sourcing
- Network connectivity between the Virtru Data Security Platform deployment and S3 API endpoints
- Optional: AWS CloudHSM integration with Virtru Private Keystore for organizations requiring hardware-backed key management within their own AWS infrastructure
Security: AWS S3 and the Virtru Data Security Platform operate at complementary layers of the security stack. AWS encrypts data at rest using SSE-S3, SSE-KMS, or SSE-C and in transit via TLS, with infrastructure-level access controls through IAM and bucket policies. The Virtru Data Security Platform adds a data-centric layer: object-level TDF encryption with ABAC policy enforcement that persists beyond the S3 boundary. AWS secures the infrastructure; Virtru secures the data regardless of where it moves after retrieval.
Compliance: AWS holds FedRAMP High authorization (including in AWS GovCloud), SOC 2 Type II, ISO 27001, PCI DSS, HIPAA eligibility, and ITAR-compliant regions. The Virtru Data Security Platform holds FedRAMP Moderate authorization, SOC 2 Type II, and PCI DSS compliance certifications. Virtru is also listed in the AWS Intelligence Community Marketplace (ICMP), reflecting the security requirements of the most sensitive federal and defense programs. Together, they support regulated environments from commercial compliance to IC and DoD workloads. TDF-wrapped objects maintain their own audit trail of access attempts and policy decisions, providing the evidence chain compliance programs require.
Privacy: TDF encryption ensures objects stored in S3 remain cryptographically protected at rest — AWS infrastructure cannot decrypt the contents. Only users whose attributes satisfy the object's ABAC policy can access the plaintext. The Virtru Data Security Platform manages key exchange and policy evaluation without exposing decryption keys to the storage layer. For organizations with strict data sovereignty requirements, Virtru Private Keystore with AWS CloudHSM keeps cryptographic operations entirely within customer-controlled infrastructure — no Virtru-managed keys, no third-party key escrow. Data sovereignty stays with the data owner, not the storage provider.