Amazon S3 Security

Bucket and Object Encryption

Objects in S3 can be encrypted in 4 ways:

Server-Side Encryption (SSE)

  • SSE-S3: AWS manages the encryption keys; the client never gets access to them. Enabled by default for buckets and objects. Uses AES-256 encryption. How it works: the user uploads an object over HTTP(S) with the appropriate header, AWS pairs that object with its S3-owned key and encrypts it, and the encrypted object is then added to the bucket.
  • SSE-KMS: Uses a key in AWS Key Management Service (KMS) that is owned by the customer. This gives the user more control, and key usage can be audited with CloudTrail. The object is encrypted server side. The header "x-amz-server-side-encryption": "aws:kms" must be set.
  • When the user uploads the file, the header is set to select KMS. KMS uses the key to encrypt the object, which is then added to the S3 bucket. The same KMS key is also needed for downloads.
  • When files are uploaded, S3 calls the GenerateDataKey KMS API. These calls count towards the KMS requests-per-second quota. Depending on the Region, you have 5,000 to 30,000 requests per second; the quota can be increased through the Service Quotas console.
  • SSE-C: Server-side encryption with customer-provided encryption keys. AWS does not store the keys you provide. HTTPS is mandatory. The encryption key must be passed in HTTP headers with every HTTP request that is made.
  • The user uploads the file together with the key and manages the key outside of AWS. AWS uses the key to encrypt the object and stores it in the bucket. The same key is needed to download the file.
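As an added example (not part of the original notes), the following Python builds the request headers that select each server-side encryption mode described above. The header names are the real S3 ones; the function, the constructed sample key and the placeholder KMS key ARN are assumptions made here. It also makes the SSE-C point concrete: the key itself travels in the headers, which is why AWS refuses plain HTTP for that mode and why the same headers are needed again on every download.

```python
import base64
import hashlib

# Real S3 request header names for the three server-side encryption modes.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGORITHM_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"

# Constructed sample key for the demo below (NOT a real key): bytes 0..31.
SAMPLE_KEY = bytes(range(32))


def sse_c_key_is_valid(customer_key):
    """SSE-C keys must be raw 256-bit AES keys (32 bytes)."""
    return isinstance(customer_key, (bytes, bytearray)) and len(customer_key) == 32


def _md5_b64(data):
    # MD5 is only an integrity check on the key here, not a security primitive;
    # usedforsecurity=False keeps it usable on FIPS builds (Python 3.9+).
    try:
        digest = hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:  # older Pythons lack the keyword
        digest = hashlib.md5(data).digest()
    return base64.b64encode(digest).decode("ascii")


def server_side_encryption_headers(mode, kms_key_id=None, customer_key=None):
    """Return the headers that select a server-side encryption mode.

    mode: "SSE-S3", "SSE-KMS" or "SSE-C".
    kms_key_id: optional KMS key ARN/ID for SSE-KMS; omit to use the account's
                default aws/s3 key.
    customer_key: raw 32-byte key for SSE-C. AWS never stores it, so the caller
                  must present the same headers on every GET/HEAD/COPY as well.
    """
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:
            headers[SSE_KMS_KEY_ID_HEADER] = kms_key_id
        return headers
    if mode == "SSE-C":
        if not sse_c_key_is_valid(customer_key):
            raise ValueError("SSE-C requires a 32-byte (AES-256) customer key")
        # S3 expects the key base64-encoded plus an MD5 of the raw key so it can
        # reject a corrupted or mistyped key before encrypting with it.
        return {
            SSE_C_ALGORITHM_HEADER: "AES256",
            SSE_C_KEY_HEADER: base64.b64encode(customer_key).decode("ascii"),
            SSE_C_KEY_MD5_HEADER: _md5_b64(customer_key),
        }
    raise ValueError(f"unknown encryption mode: {mode}")


def requires_https(mode):
    """SSE-C sends the key itself in headers, so it must only be used over TLS."""
    return mode == "SSE-C"


if __name__ == "__main__":
    # Placeholder KMS key ARN (AWS's documented example account id).
    kms_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    for mode, kwargs in [
        ("SSE-S3", {}),
        ("SSE-KMS", {"kms_key_id": kms_arn}),
        ("SSE-C", {"customer_key": SAMPLE_KEY}),
    ]:
        print(mode, "https required:", requires_https(mode))
        for name, value in server_side_encryption_headers(mode, **kwargs).items():
            print("   ", name + ":", value)
```

Because SSE-C keys never reach AWS's key store, losing the key means losing the object; treat the key material with the same care as any other secret and keep it out of logs (the `x-amz-...-customer-key` header value is the key).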

Client Side Encryption

  • Encrypts data before uploading to S3; keys are managed on the client side, typically with a client-side encryption library. Clients must encrypt data themselves before sending it to S3, and to decrypt they must first download the file and then decrypt it on the client side. The client therefore fully manages the key and the encryption cycle.
  • The client encrypts the file using its own key. That encrypted file is then uploaded to the S3 bucket as an encrypted object. The client has to download and decrypt the file on its own system.

Encryption in Transit (SSL/TLS)

Encryption in flight is also called SSL/TLS encryption.

Amazon S3 exposes 2 endpoints:

  • HTTP endpoint: not encrypted
  • HTTPS endpoint: encryption in flight

HTTPS is recommended on AWS. If using SSE-C, HTTPS is mandatory.

Force Encryption in Transit

  • Ensure that all interactions with S3 use HTTPS by specifying the HTTPS endpoint in your applications and configurations.
  • Use bucket policies to enforce HTTPS access by requiring secure transport to be true in the policy condition.

Example of enforcing HTTPS with a Bucket Policy
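The following is an added example, not the policy from the original notes: it builds the standard "deny anything not sent over TLS" bucket policy (an explicit Deny on `s3:*` conditioned on `aws:SecureTransport` being false) and pairs it with a deliberately small evaluator so you can see why a plain-HTTP request is rejected while the same request over HTTPS is not. The bucket name and object key are placeholders; the evaluator models only the `Bool` condition operator, the `s3:*` wildcard and the two resource ARN forms used in the policy, which is far less than the real IAM evaluator does.

```python
import json


def build_enforce_tls_policy(bucket_name):
    """Bucket policy that denies every S3 action on the bucket and its objects
    when the request did not arrive over HTTPS (aws:SecureTransport == false)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}",      # bucket-level actions (ListBucket)
                    f"arn:aws:s3:::{bucket_name}/*",    # object-level actions (Get/PutObject)
                ],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def policy_json(bucket_name):
    """The policy as the JSON document you would attach to the bucket."""
    return json.dumps(build_enforce_tls_policy(bucket_name), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_matches(pattern, resource):
    # A trailing "/*" matches any object in the bucket; otherwise exact match.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _condition_matches(condition, context):
    # Only the Bool operator is modelled. An absent key does not match, which is
    # how IAM treats Bool without the ...IfExists suffix; S3 always sets
    # aws:SecureTransport, so in practice the key is present.
    for key, wanted in condition.get("Bool", {}).items():
        if key not in context:
            return False
        if str(context[key]).lower() != str(wanted).lower():
            return False
    return True


def is_denied(policy, action, resource, context):
    """True if any Deny statement applies. An explicit Deny always wins in IAM,
    regardless of what Allow statements exist elsewhere."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(a in ("s3:*", action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = build_enforce_tls_policy("example-bucket")  # placeholder bucket name
    print(policy_json("example-bucket"))
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"  # placeholder object
    # Plain HTTP: SecureTransport is false, the condition matches, Deny fires.
    print("http  denied:", is_denied(policy, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    # HTTPS: the condition does not match, so the Deny statement is skipped.
    print("https denied:", is_denied(policy, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
```

Two design points worth noting: the condition is written as a Deny on `"false"` rather than an Allow on `"true"` so that it overrides any other Allow (from the bucket policy or an IAM identity policy), and both the bucket ARN and the `bucket/*` ARN are listed because bucket-level and object-level actions are authorised against different resources.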
