Introduction of Amazon S3 Encryption

2021.07.30

This article was published more than a year ago. The information may be out of date, so please take care.

Introduction

We use Amazon Simple Storage Service (S3) for storing backups, documents, data, images and other information in the cloud, and there is a very high chance of data leaks if we do not secure our buckets properly. One of the few things we can do is encryption.

S3 Encryption for Objects

There are 4 methods of encrypting objects in S3:

  • SSE-S3: encrypts S3 objects using keys handled & managed by AWS
  • SSE-KMS: leverage AWS Key Management Service to manage encryption keys
  • SSE-C: when you want to manage your own encryption keys
  • Client Side Encryption

It’s important to understand which ones are adapted to which situation.

SSE-S3

  • SSE-S3: encryption using keys handled & managed by Amazon S3
  • Object is encrypted server side
  • AES-256 encryption type
  • Must set header: "x-amz-server-side-encryption": "AES256"

SSE-KMS

  • SSE-KMS: encryption using keys handled & managed by KMS
  • KMS Advantages: user control + audit trail
  • Object is encrypted server side
  • Must set header: "x-amz-server-side-encryption": "aws:kms"

SSE-C

  • SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS
  • Amazon S3 does not store the encryption key you provide
  • HTTPS must be used
  • Encryption key must be provided in HTTP headers, for every HTTP request made

Client Side Encryption

  • Client library such as the Amazon S3 Encryption Client
  • Clients must encrypt data themselves before sending to S3
  • Clients must decrypt data themselves when retrieving from S3
  • Customer fully manages the keys and encryption cycle


Encryption in transit (SSL/TLS)

  • Amazon S3 exposes:
  • HTTP endpoint: non encrypted
  • HTTPS endpoint: encryption in flight
  • You’re free to use the endpoint you want, but HTTPS is recommended
  • Most clients would use the HTTPS endpoint by default
  • HTTPS is mandatory for SSE-C
  • Encryption in flight is also called SSL/TLS
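As an added example (not code from the original post), the headers named in the four encryption sections and the HTTPS rule above, turned into a small Python helper: it classifies an object's encryption from the response headers of a HEAD request, builds the matching PUT request headers for each server-side mode, and refuses SSE-C when the endpoint is not HTTPS. The sample HEAD responses and the KMS key ARN are constructed placeholders, not real bucket data.

```python
import base64
import hashlib

SSE_HEADER = "x-amz-server-side-encryption"

def classify_encryption(response_headers: dict) -> str:
    """Name the mode from the response headers of a HEAD/GET on the object.
    S3 refuses to HEAD an SSE-C object unless the request carried the customer
    key, so a response that reaches us with the customer-algorithm header was
    made with that key supplied."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get(SSE_HEADER + "-customer-algorithm") == "AES256":
        return "SSE-C"
    sse = h.get(SSE_HEADER)
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    return "UNENCRYPTED"  # no x-amz-server-side-encryption header at all

def build_put_headers(mode, endpoint_url, kms_key_id=None, customer_key=None):
    """Request headers to add to a PUT so the object lands encrypted as asked.
    SSE-C is refused over plain HTTP because the raw key rides in the headers."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # omit to let S3 use the account's default KMS key for S3
            headers[SSE_HEADER + "-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if not endpoint_url.lower().startswith("https://"):
            raise ValueError("SSE-C requires HTTPS: the key travels in request headers")
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) customer key")
        key_md5 = hashlib.md5(customer_key).digest()
        return {
            SSE_HEADER + "-customer-algorithm": "AES256",
            SSE_HEADER + "-customer-key": base64.b64encode(customer_key).decode(),
            SSE_HEADER + "-customer-key-MD5": base64.b64encode(key_md5).decode(),
        }
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample HEAD responses with a placeholder key ARN, not real bucket data.
SAMPLE_HEADS = {
    "backup.tar": {SSE_HEADER: "AES256"},
    "report.pdf": {SSE_HEADER: "aws:kms",
                   SSE_HEADER + "-aws-kms-key-id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
    "notes.txt": {"content-type": "text/plain"},  # what the console flags as unencrypted
}

def find_unencrypted(heads: dict) -> list:
    """Object keys whose HEAD response carries no server-side-encryption header."""
    return sorted(k for k, h in heads.items() if classify_encryption(h) == "UNENCRYPTED")
```

Run `find_unencrypted` over the real HEAD responses of a listing to get the same set of objects the console would flag as unencrypted.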

Steps to do encryption

encrypted one at a time in the Amazon S3 console.

  1. Sign into the AWS Management Console.
  2. Navigate to the S3 console and find the bucket and object that was flagged as unencrypted.
  3. Select the object and choose Properties then Encryption.
  4. Use the wizard to choose the S3 encryption options you prefer.
  5. Save to apply encryption to the object.

For in-depth steps, check the AWS Documentation.


Resources