Amazon S3 Encryption Overview

• Server-Side Encryption (SSE) Methods:
  • SSE-S3: Encryption with Amazon S3-managed keys (AES-256).
    • This option does not provide the ability to audit trail the usage of the encryption keys.
  • SSE-KMS: Encryption with AWS Key Management Service (KMS) managed keys.
    • SSE-KMS provides an audit trail showing when your CMK was used and by whom.
  • SSE-C: Encryption with customer-provided keys.
    • This option does not provide the ability to audit trail the usage of the encryption keys.
    • you manage and provide your encryption keys to AWS S3 for each request to upload or access an encrypted object.
• Client-Side Encryption:
  • Data is encrypted on the client's side before being uploaded to S3.

Details of Each Encryption Method

• SSE-S3:
  • AWS manages the encryption key.
  • Default encryption for new buckets and objects.
  • Use header x-amz-server-side-encryption: AES256.
  • AWS S3 pairs the object with the S3-owned key for encryption.

• SSE-KMS:
  • Users manage their own keys via AWS KMS.
  • Auditing key usage is possible with AWS CloudTrail.
  • Use header x-amz-server-side-encryption: aws:kms.
  • Requires access to both the object and the KMS key for decryption.
  • Be aware of KMS API call quotas, which can be increased if needed.

• SSE-C:

  • Users manage and provide their own encryption keys.
  • Keys are not stored by AWS S3 and are discarded after use.
  • HTTPS must be used to transmit the key.
  • The client must provide the key with each request to encrypt or decrypt data.

  

• Client-Side Encryption:

  • Clients encrypt data before sending it to AWS S3.
  • Clients manage the encryption keys and process.
  • A client library, like the AWS Encryption SDK, can facilitate this.

Encryption in Transit (SSL/TLS)

• S3 provides both HTTP and HTTPS endpoints.
• HTTPS is recommended to secure data in transit.
• For SSE-C encryption, HTTPS must be used.
• Default client configurations usually use HTTPS.
• To enforce HTTPS, use a bucket policy that denies GetObject operations if aws:SecureTransport is false.

Bucket Policy Example

{
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

• This policy ensures that only HTTPS requests are allowed to GetObject from the bucket.

Conclusion