Product Security Hardening Guides for Spaces

Table of Contents

  1. Ensure Access Control to Spaces Is Set
  2. Create Access and Secret Keys
  3. Set Spaces Bucket Lifecycle Policy

Ensure Access Control to Spaces Is Set

Spaces owners can create, destroy, and read all content in all the Spaces buckets for an account. They also make decisions and manage what everyone else can see. If an owner wants to allow one or more people to co-manage buckets, there are two options: access keys and DigitalOcean Teams.

Users who connect with access keys can create, destroy, read, and write to all of the buckets for the account. However, the privileges granted by Spaces access keys do not provide access to the control panel and do not extend to other DigitalOcean resources.

Teams, like Spaces access keys, allow members to create, manage, and destroy buckets associated with the Team account using the control panel’s web interface. Members can also create, delete, and regenerate access keys for buckets.

However, unlike Spaces access keys, members of a Team can also access other Team resources, like Droplets, Firewalls, and more.

Rationale Statement

Managing access to your DigitalOcean Space is important for:

  • Data Security - Unauthorized access can lead to data breaches, exposure of sensitive information, and potential manipulation or deletion of critical data.
  • Compliance Regulations - Many organizations are subject to regulations such as GDPR, HIPAA, or PCI-DSS, which require strict data protection controls and protocols.
  • Insider Threat Protection - Insider threats, either malicious or accidental, can be as dangerous as external attacks. Properly managing access helps mitigate the risks posed by insiders by ensuring that individuals only have access to the data and resources necessary for their job functions.

Impact Statement

Misconfigured permissions can either expose sensitive data or lock users out of the data they need to perform their jobs. Frequent changes in team structures or project scopes can exacerbate these risks as updates to access controls may not keep pace.

Remediation Procedure

Please follow the How to Manage Administrative Access to Spaces guide from DigitalOcean: https://docs.digitalocean.com/products/spaces/how-to/manage-access/

Create Access and Secret Keys

DigitalOcean Spaces is an object storage service, and it uses access and secret keys to control and manage access to data. Access and secret keys are used for authentication and authorization when accessing the Spaces service.

The access key is a public identifier for your account. It is used to identify the user making the request to the Space. The secret key is a private key associated with your access key. It should be kept confidential and secure. This key is used in conjunction with the access key to sign requests to the Spaces API, ensuring that the request is authorized.

Rationale

Creating access and secret keys is important for the following reasons:

  • Security: Access and secret keys allow you to securely access your DigitalOcean Spaces. They function similarly to a username and password, ensuring that only authorized users and applications can access your data.
  • Authentication: These keys are used to authenticate your requests to the Spaces API. Without proper authentication, your requests will be denied, preventing unauthorized access.

Impact

Creating access and secret keys is generally beneficial, but there are some considerations to keep in mind. If access keys are hard-coded into applications or stored insecurely, they can be exposed through source code repositories, configuration files, or logs. This increases the risk of unauthorized access. Rotating or revoking keys without proper planning can lead to service disruptions. Applications or users relying on the old keys might lose access until updated keys are deployed.

Audit Procedure

  1. Sign in to your DigitalOcean account
  2. Navigate to the API section. This will lead you to a page called “Applications & API”
  3. Select the “Spaces Keys” tab.

This section will list all the keys you have generated to connect with third party clients or to access the Spaces API.

Remediation Procedure

  1. Sign in to your DigitalOcean account
  2. Navigate to the API section. This will lead you to a page called “Applications & API”
  3. Select the “Spaces Keys” tab. This section will list all the keys you have generated to connect with third party clients or to access the Spaces API.
  4. If no keys are listed, select “Generate New Key”.
  5. Name your key and click “Create Access Key”

The key will be listed under Spaces Access Keys. Immediately copy the secret key to a secure location as it will not be shown again.
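The signing step described above, as an added example that is not part of the DigitalOcean guide: a minimal AWS Signature Version 4 signer for a GET request to a Space, written against Python's standard library only. It shows why the two keys have different sensitivity: the access key appears verbatim in the Authorization header, while the secret key is only used to derive a per-day HMAC key and never leaves the client. The host pattern bucket.region.digitaloceanspaces.com is the standard Spaces endpoint; the environment variable names SPACES_ACCESS_KEY and SPACES_SECRET_KEY and the placeholder credentials in the usage block are assumptions of this example.

```python
"""Sign a Spaces API request with an access key and secret key.

Added example, not from the DigitalOcean guide. Spaces speaks the S3 API,
so requests carry AWS Signature Version 4: the access key identifies the
caller in the Authorization header, while the secret key is used only as
HMAC key material on the client and never appears in the request.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple
from urllib.parse import quote

# SHA-256 of an empty body, used for GET requests.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def load_spaces_credentials() -> Tuple[str, str]:
    """Read the key pair from the environment instead of hard-coding it.

    The variable names are an assumption of this example, not a Spaces
    convention; the point is that the secret never lives in source or in
    configuration that gets committed or logged.
    """
    access_key = os.environ.get("SPACES_ACCESS_KEY", "")
    secret_key = os.environ.get("SPACES_SECRET_KEY", "")
    if not access_key or not secret_key:
        raise RuntimeError("SPACES_ACCESS_KEY and SPACES_SECRET_KEY must be set")
    return access_key, secret_key


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: the secret is scoped to one day, region and service.

    The chain starts from "AWS4" + secret and the secret itself is never used
    directly as the HMAC key for a request, so a leaked derived key exposes
    far less than a leaked secret key.
    """
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    return _hmac_sha256(k_service, "aws4_request")


def sign_get_request(access_key: str, secret_key: str, bucket: str, region: str,
                     object_key: str, amz_date: str) -> Dict[str, str]:
    """Return the headers for a signed GET of one object.

    amz_date is an ISO-8601 basic timestamp such as 20240101T120000Z; its
    first eight characters form the credential-scope date. The host pattern
    bucket.region.digitaloceanspaces.com is the standard Spaces endpoint.
    """
    host = f"{bucket}.{region}.digitaloceanspaces.com"
    date_stamp = amz_date[:8]
    canonical_uri = "/" + quote(object_key, safe="/")
    # Canonical headers: lower-cased, sorted, each terminated by "\n".
    canonical_headers = (
        f"host:{host}\n"
        f"x-amz-content-sha256:{EMPTY_PAYLOAD_SHA256}\n"
        f"x-amz-date:{amz_date}\n"
    )
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([
        "GET", canonical_uri, "",  # empty canonical query string
        canonical_headers, signed_headers, EMPTY_PAYLOAD_SHA256,
    ])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }


if __name__ == "__main__":
    # Constructed placeholder credentials; real ones come from load_spaces_credentials().
    headers = sign_get_request("EXAMPLEACCESSKEY", "EXAMPLESECRETKEY",
                               "selected-space", "nyc3", "reports/q1.csv",
                               "20240101T120000Z")
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Reading the pair from the environment (or a secrets manager) rather than from source addresses the hard-coding risk described under Impact; rotating a key then means updating the environment of each consumer rather than editing and redeploying code.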

Set Spaces Bucket Lifecycle Policy

A lifecycle configuration rule is a policy or rule set to manage the lifecycle of objects in a storage bucket. These rules automate the process of transitioning objects through different storage classes or deleting them after they are no longer needed. The objective is to optimize costs and manage data efficiently without manual intervention.

There are several cross-platform command-line tools available for managing S3 and S3-compatible stores, but this example offers guidance on s3cmd. For more information, refer to DigitalOcean’s Setting Up s3cmd 2.x with DigitalOcean Spaces reference.

Rationale

Creating a lifecycle configuration rule is important for the following reasons:

  • Data management: Lifecycle rules automate the management process, ensuring that data is handled systematically according to predefined policies. This reduces the likelihood of human error and the administrative burden associated with manual data management.
  • Risk Mitigation: Proper data lifecycle management helps in mitigating risks associated with data breaches. By ensuring that data is only stored as long as necessary, lifecycle rules reduce the volume of sensitive data at risk.
  • Compliance: Many industries are governed by regulations that require data to be retained for certain periods and deleted thereafter. Lifecycle rules help ensure compliance with such regulations automatically, reducing the risk of costly legal or regulatory penalties.

Impact

A significant risk associated with lifecycle configuration rules is unintended data loss. For example, if the expiration period is set too short, data might be deleted before its utility has expired. Another potential risk is not aligning lifecycle rules with compliance and security policies. There can be risks of violating legal or regulatory requirements. For example, automatically deleting data that should have been retained for a longer period to comply with legal requirements can lead to penalties and legal issues.

A lifecycle rule that deletes a large number of objects can take hours or days to finish running. During this process, you are still billed for any objects that have not been deleted yet. To delete objects faster, use the S3 DeleteObject or DeleteObjects commands: https://docs.digitalocean.com/products/spaces/reference/s3-compatibility/

Audit Procedure

  1. List your Spaces.

       s3cmd ls

  2. Get the lifecycle policy for your selected Space.

       s3cmd getlifecycle s3://selected-space

If no lifecycle configuration exists, the following message will be displayed:

       ERROR: S3 error: 404 (NoSuchLifecycleConfiguration)

Remediation Procedure

Lifecycle rules can be used to perform different actions on objects in a Space over the course of their “life.” For example, a Space may be configured so that objects in it expire and are automatically deleted after a certain length of time. Lifecycle rules based on tagging are not supported.

  1. To configure new lifecycle rules, create an XML file with your command-line text editor and enter the following configuration:

/tmp/lifecycle.xml

       <?xml version="1.0" ?>
       <LifecycleConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
         <Rule>
           <ID>Keep Files For 365 Days</ID>
           <Prefix/>
           <Status>Enabled</Status>
           <Expiration>
             <Days>365</Days>
           </Expiration>
         </Rule>
         <Rule>
           <ID>Keep Incomplete MPU For 30 Days</ID>
           <Prefix/>
           <Status>Enabled</Status>
           <AbortIncompleteMultipartUpload>
             <DaysAfterInitiation>30</DaysAfterInitiation>
           </AbortIncompleteMultipartUpload>
         </Rule>
       </LifecycleConfiguration>

The retention lengths for object expiration and for incomplete multipart uploads are determined by your internal policy.

  2. Apply the lifecycle rule to the Space of your choice.

       s3cmd setlifecycle /tmp/lifecycle.xml s3://selected-space

The command will display:

       s3://selected-space/: Lifecycle Policy updated
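The following added example (not from the DigitalOcean guide) turns the audit and remediation steps above into code: build_lifecycle_xml renders the same two-rule policy with the two retention lengths as parameters, since the guide leaves those to internal policy, and audit_lifecycle checks a policy against a minimum (and optional maximum) retention, reporting the missing-configuration case, disabled rules, an expiration shorter than the minimum, and a missing AbortIncompleteMultipartUpload rule. It assumes the input is the lifecycle XML as written to /tmp/lifecycle.xml or as printed by s3cmd getlifecycle; the function and variable names are this example's own.

```python
"""Generate and audit Spaces bucket lifecycle configurations.

Added example, not from the DigitalOcean guide. It produces the same XML
the guide writes to /tmp/lifecycle.xml, with the two retention lengths as
parameters, and checks a configuration against the retention limits set by
internal policy. Input is assumed to be the policy XML (the file you are
about to apply, or what `s3cmd getlifecycle` prints for a Space).
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# What `s3cmd getlifecycle` prints for a Space with no policy (from the guide).
NO_POLICY_OUTPUT = "ERROR: S3 error: 404 (NoSuchLifecycleConfiguration)"

# The two-rule policy shown in the guide.
GUIDE_LIFECYCLE_XML = """<?xml version="1.0" ?>
<LifecycleConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Rule>
    <ID>Keep Files For 365 Days</ID>
    <Prefix/>
    <Status>Enabled</Status>
    <Expiration>
      <Days>365</Days>
    </Expiration>
  </Rule>
  <Rule>
    <ID>Keep Incomplete MPU For 30 Days</ID>
    <Prefix/>
    <Status>Enabled</Status>
    <AbortIncompleteMultipartUpload>
      <DaysAfterInitiation>30</DaysAfterInitiation>
    </AbortIncompleteMultipartUpload>
  </Rule>
</LifecycleConfiguration>
"""


def build_lifecycle_xml(expiration_days: int, abort_mpu_days: int) -> str:
    """Render the guide's two-rule policy with policy-defined day counts."""
    if expiration_days < 1 or abort_mpu_days < 1:
        raise ValueError("lifecycle day counts must be positive integers")
    return (
        '<?xml version="1.0" ?>\n'
        '<LifecycleConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">\n'
        "  <Rule>\n"
        f"    <ID>Keep Files For {expiration_days} Days</ID>\n"
        "    <Prefix/>\n"
        "    <Status>Enabled</Status>\n"
        f"    <Expiration><Days>{expiration_days}</Days></Expiration>\n"
        "  </Rule>\n"
        "  <Rule>\n"
        f"    <ID>Keep Incomplete MPU For {abort_mpu_days} Days</ID>\n"
        "    <Prefix/>\n"
        "    <Status>Enabled</Status>\n"
        "    <AbortIncompleteMultipartUpload>\n"
        f"      <DaysAfterInitiation>{abort_mpu_days}</DaysAfterInitiation>\n"
        "    </AbortIncompleteMultipartUpload>\n"
        "  </Rule>\n"
        "</LifecycleConfiguration>\n"
    )


def audit_lifecycle(getlifecycle_output: str, min_retention_days: int,
                    max_retention_days: Optional[int] = None) -> List[str]:
    """Return findings for one Space; an empty list means the policy passes.

    min_retention_days guards against the data-loss risk of an expiration
    set too short; max_retention_days (optional) guards against keeping
    data longer than the retention policy allows.
    """
    text = getlifecycle_output.strip()
    if "NoSuchLifecycleConfiguration" in text:
        return ["no lifecycle configuration is set on this Space"]

    findings: List[str] = []
    expiration_rules: List[Tuple[str, int]] = []
    abort_rules: List[Tuple[str, int]] = []
    for rule in ET.fromstring(text).findall("s3:Rule", S3_NS):
        rule_id = rule.findtext("s3:ID", default="(no ID)", namespaces=S3_NS)
        status = rule.findtext("s3:Status", default="", namespaces=S3_NS)
        if status != "Enabled":
            findings.append(f"rule '{rule_id}' has Status '{status}' and has no effect")
            continue
        days = rule.findtext("s3:Expiration/s3:Days", namespaces=S3_NS)
        if days is not None:
            expiration_rules.append((rule_id, int(days)))
        mpu_days = rule.findtext(
            "s3:AbortIncompleteMultipartUpload/s3:DaysAfterInitiation", namespaces=S3_NS)
        if mpu_days is not None:
            abort_rules.append((rule_id, int(mpu_days)))

    if not expiration_rules:
        findings.append("no enabled Expiration rule: objects are never deleted automatically")
    for rule_id, days in expiration_rules:
        if days < min_retention_days:
            findings.append(f"rule '{rule_id}' expires objects after {days} days, "
                            f"below the policy minimum of {min_retention_days}")
        if max_retention_days is not None and days > max_retention_days:
            findings.append(f"rule '{rule_id}' keeps objects {days} days, "
                            f"above the policy maximum of {max_retention_days}")
    if not abort_rules:
        findings.append("no enabled AbortIncompleteMultipartUpload rule: "
                        "abandoned multipart uploads accumulate and are billed")
    return findings


if __name__ == "__main__":
    for label, policy in [("guide policy", GUIDE_LIFECYCLE_XML),
                          ("no policy", NO_POLICY_OUTPUT),
                          ("7-day expiry", build_lifecycle_xml(7, 30))]:
        print(label, "->", audit_lifecycle(policy, min_retention_days=30) or "OK")
```

Run audit_lifecycle over the policy of each bucket listed by s3cmd ls with the retention minimum your policy prescribes; any non-empty result is a bucket to remediate before it either deletes data early or keeps it past its retention limit.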
