Encryption

  • Four types of encryption are available
  • SSE-S3
    • Server-side encryption handled by AWS (S3)
    • The data key is managed by S3
    • Uses the AES-256 algorithm
    • The request header should be x-amz-server-side-encryption: AES256
    • Completely free
  • SSE-KMS
    • Server-side encryption
    • The key is managed by KMS
    • The request header should be x-amz-server-side-encryption: aws:kms
    • KMS creates an S3 Bucket Key, which is then used to generate many data keys
    • These data keys are used to encrypt objects in S3
    • Useful because
      • With KMS, we can control who has access to the keys
      • Audit trail of key usage
      • Using the Bucket Key can reduce KMS calls by up to 99%
  • SSE-C
    • Server-side encryption
    • The key is provided by us (the customer)
    • S3 does not store the key
    • To use it
      • HTTPS must be used
      • On every request we pass the encryption key in the HTTP header x-amz-server-side-encryption-customer-key
      • On every request we pass the algorithm name in the HTTP header x-amz-server-side-encryption-customer-algorithm
      • On every request we pass the MD5 digest of the key in the HTTP header x-amz-server-side-encryption-customer-key-md5
    • HMAC (Hash-based Message Authentication Code): AWS keeps a randomly salted HMAC of the encryption key
    • AWS generates and stores this HMAC to validate the key on later encryption and decryption requests
    • The HMAC only validates that the original key was supplied; it cannot be used to encrypt or decrypt the object
    • Since in SSE-C the key is managed by the client, if the key is lost, all the data is also lost
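The SSE-C request headers and the salted-HMAC key check described above, as an added Python example that is not from the page or from AWS. The server-side functions model the behaviour the notes describe; the salt length and the use of SHA-256 are assumptions, not S3's actual implementation.

```python
import base64
import hashlib
import hmac
import os

# SSE-C accepts only AES-256; the header value is the literal string "AES256".
SSE_C_ALGORITHM = "AES256"


def sse_c_headers(key: bytes) -> dict:
    """Build the three SSE-C headers a client must send on every request.
    S3 expects the key and the MD5 digest of the key base64-encoded."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    key_md5 = hashlib.md5(key).digest()
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-md5": base64.b64encode(key_md5).decode(),
    }


def check_key_md5(headers: dict) -> bool:
    """Integrity check on the key header: recompute the MD5 digest of the
    supplied key and compare it to the -key-md5 header (constant time)."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return hmac.compare_digest(expected, headers["x-amz-server-side-encryption-customer-key-md5"])


def store_key_hmac(key: bytes) -> tuple:
    """Model of what S3 keeps for an SSE-C object: a random salt and HMAC(salt, key).
    The key itself is not stored, and the HMAC cannot decrypt anything.
    Assumption: 16-byte salt and HMAC-SHA256 (the notes do not specify either)."""
    salt = os.urandom(16)
    return salt, hmac.new(salt, key, hashlib.sha256).digest()


def key_matches(stored: tuple, candidate: bytes) -> bool:
    """Validate a key supplied on a later request against the stored salted HMAC."""
    salt, tag = stored
    return hmac.compare_digest(tag, hmac.new(salt, candidate, hashlib.sha256).digest())


if __name__ == "__main__":
    key = os.urandom(32)                    # constructed sample key
    headers = sse_c_headers(key)
    stored = store_key_hmac(key)            # what the service keeps at upload time
    print("headers valid:", check_key_md5(headers))
    print("right key accepted:", key_matches(stored, key))
    print("wrong key rejected:", not key_matches(stored, os.urandom(32)))
```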
  • Client-side encryption
    • We encrypt the object before uploading it
    • We decrypt the object after retrieving it from S3
    • To encrypt and decrypt objects on the client we can use
      • The S3 Encryption Client
      • Or other tools
  • Encryption in transit
    • Also known as SSL/TLS
    • S3 exposes both
      • HTTP
      • HTTPS
  • Default encryption
    • We can use bucket-level default encryption
    • Any object uploaded to the bucket is then encrypted automatically, even when we do not pass the appropriate header
    • Default encryption only accepts
      • SSE-S3
      • SSE-KMS
    • It does not accept SSE-C or client-side encryption as default encryption
    • A bucket policy is evaluated before default encryption
    • Using a bucket policy to require encryption was the old way of achieving default encryption
  • Example of in-house key management for S3
    • Create a customer managed CMK
    • Encrypt the data with the CMK
    • Store the encrypted data and the data key in S3
    • Delete the plaintext data keys
    • To decrypt, use the CMK to decrypt the data key
    • Then decrypt the data using the decrypted data key