S3 Encryption for Objects

  • Data encryption is the process of converting raw data into a coded form to help ensure that only authorized parties can read it.
  • Data protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers).
  • You can protect data in transit using Secure Socket Layer/Transport Layer Security (SSL/TLS) or client-side encryption. You have the following options for protecting data at rest in Amazon S3:

Server-Side Encryption — Request Amazon S3 to encrypt your object before saving it on disks in its data centers and then decrypt it when you download the objects.

There are 3 methods of encrypting objects in S3 with Ser

  1. SSE-S3: encrypts S3 objects using keys handled & managed by AWS
  2. SSE-KMS: leverage AWS Key Management Service to manage encryption keys
  3. SSE-C: when you want to manage your own encryption keys (Customer key)

Client-Side Encryption — Encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

  • Server-side encryption protects data at rest.
  • Amazon S3 encrypts each object with a unique key.
  • The object is encrypted server-side with a 256-bit Advanced Encryption Standard (AES-256)
  • Must set header: “x-amz-server-side-encryption”: “AES256”

So let’s have a look above example.

  • We have an un-encrypted object and we want to upload it into Amazon S3 and perform some SSE-S3 encryption.
  • We’re going to upload the objects onto Amazon S3 using the HTTP protocol or the HTTPS protocol.
  • Using the S3 Managed Key and the object encryption will happen and be stored into your Amazon S3 buckets.
  • SSE-KMS: encryption using keys handled & managed by KMS
  • KMS Advantages: user control + audit trail
  • Object is encrypted server side
  • Must set header: “x-amz-server-side-encryption”: ”aws:kms”
  • We have the object we uploaded using HTTP/HTTPS and the header.
  • Using this header Amazon S3 knows to apply the KMS customer master key.
  • There’s some encryption that will happen and the file will be stored in your S3 buckets under the SSE-KMS encryption scheme.
  • SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS
  • Amazon S3 does not store the encryption key you provide
  • HTTPS must be used
  • Encryption key must provided in HTTP headers, for every HTTP request made
  • We have the object and we want to have it encrypted in Amazon S3.
  • We send both of these things over HTTPS with an encrypted connection between you and and Amazon S3.
  • So therefore Amazon S3 received the exact same object and the client provided data key.
  • Then again, it is server-side encryption so Amazon S3 will perform at the encryption using these two things and store the encrypted object into your S3 buckets.
  • If you wanted retrieve that file from Amazon S3 using SSE-C you would need to provide same at clients’ side data key that was used to encrypt.
  • So it requires a lot more management on your end because you manage to do the data keys.
  • Client library such as the Amazon S3 Encryption Client.
  • Clients must encrypt data themselves before sending to S3.
  • Clients must decrypt data themselves when retrieving from S3.
  • Customer fully manages the keys and encryption cycle

So let’s have an example

  • Amazon S3 this time is just the buckets where it’s not doing any encryption for us because it is Client-Side Encryption not Server Side encryption.
  • So in the clients we’ll use Encryption SDK, will provide the object and our client’s side data key.
  • The encryption will happen client side so the object is going to be fully encrypted on the client side.
  • Then we are going to just upload that already encrypted object into Amazon S3.
  • Encryption in flight is also called SSL /TLS
  • Amazon S3 exposes HTTP endpoint: non encrypted and HTTPS endpoint: encryption in flight
  • You’re free to use the endpoint you want, but HTTPS is recommended
  • Most clients would use the HTTPS endpoint by default
  • HTTPS is mandatory for SSE-C.

Cloud and DevOps Enthusiast