S3 Encryption

2 Types of encryption

  • In Transit
    • SSL/TLS
      • Transport Layer Security (TLS) is replacing SSL
      • HTTPS to upload and download
    • Uploading from PC and downloading to PC
  • At Rest
    • Server Side Encryption
      • S3 Managed Keys - SSE-S3
        • Each object is encrypted with its own key using strong multi-factor encryption
        • The key itself is encrypted with a master key that Amazon manages and regularly rotates
      • AWS Key Management Service Managed Keys - SSE-KMS
        • Separate permission is needed to use an additional key called the Envelope Key
          • Encrypts the data's encryption key
        • Audit Trail
          • Records use of the encryption key
          • Gives a view of encryption and decryption activity
        • Use your own key or the default key
      • Server Side Encryption with Customer Provided Keys - SSE-C
        • AWS manages the encryption and decryption, but you manage the keys
        • Rotation and life cycle of the keys are handled by you
    • Client Side Encryption
      • Encrypt before uploading to S3 yourself
  • Enforcing Encryption on S3 Buckets
    • Every time a file is uploaded, a PUT request is initiated
    • Expect: 100-continue
      • The client sends the headers first and does not send the request body until it receives an acknowledgement from S3
      • S3 can reject the request based on the contents of the headers, before the body is ever sent
    • If the file is to be encrypted at upload time, the x-amz-server-side-encryption parameter will be included in the request header
    • Two options are currently available
      • x-amz-server-side-encryption: AES256 (SSE-S3 - S3 managed keys)
      • x-amz-server-side-encryption: aws:kms (SSE-KMS - KMS managed keys)
    • When this parameter is included in the header of the PUT request, it tells S3 to encrypt the object at the time of upload, using the specified encryption method
    • You can enforce the use of server side encryption with a Bucket Policy that denies any S3 PUT request which doesn't include the x-amz-server-side-encryption parameter in the request header
    • The following request tells S3 to encrypt the file using SSE-S3 (AES 256) at the time of upload:
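As an added worked example (not part of the original notes), the enforcement described above and in the exam tips below: a bucket policy built in the shape AWS documents for denying unencrypted PUTs, with the Resource ARN ending in `/*`, plus a toy evaluator that runs the policy's two condition operators over constructed sample PUT headers. The bucket name, the sample requests and the `put_allowed` evaluator are assumptions for illustration; the evaluator only implements the `Null` and `StringNotEquals` operators this policy uses, not IAM's full evaluation logic.

```python
import json

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket name
SSE_HEADER = "x-amz-server-side-encryption"

def enforce_sse_policy(bucket, allowed=("AES256", "aws:kms")):
    """Bucket policy denying a PUT whose SSE header is missing or not an
    accepted value; follows the AWS-documented deny-unencrypted-uploads shape."""
    resource = f"arn:aws:s3:::{bucket}/*"  # '/*': applies to objects, not the bucket
    common = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
              "Resource": resource}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedObjectUploads", **common,   # header absent
             "Condition": {"Null": {f"s3:{SSE_HEADER}": "true"}}},
            {"Sid": "DenyIncorrectEncryptionHeader", **common,  # header wrong
             "Condition": {"StringNotEquals": {f"s3:{SSE_HEADER}": list(allowed)}}},
        ],
    }

def put_allowed(policy, headers):
    """Toy evaluator (assumed, not IAM itself) for the two condition operators
    above against one PUT's headers; names compared case-insensitively as HTTP
    requires. Returns (allowed, denying_sid)."""
    value = {k.lower(): v for k, v in headers.items()}.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        (op, cond), = stmt["Condition"].items()
        expected = next(iter(cond.values()))
        if op == "Null" and (value is None) == (expected == "true"):
            return False, stmt["Sid"]
        if op == "StringNotEquals" and value is not None and value not in expected:
            return False, stmt["Sid"]
    return True, None

# Constructed sample PUT request headers (illustrative, not captured traffic)
SAMPLE_PUTS = {
    "sse_s3":  {"Host": f"{BUCKET}.s3.amazonaws.com", "Expect": "100-continue",
                SSE_HEADER: "AES256"},
    "sse_kms": {"Host": f"{BUCKET}.s3.amazonaws.com", "Expect": "100-continue",
                SSE_HEADER: "aws:kms"},
    "plain":   {"Host": f"{BUCKET}.s3.amazonaws.com", "Expect": "100-continue"},
    "typo":    {"Host": f"{BUCKET}.s3.amazonaws.com", SSE_HEADER: "ams:kms"},
}

def check_samples(policy=None):
    """Evaluate every sample PUT; returns {name: (allowed, denying_sid)}."""
    policy = policy or enforce_sse_policy(BUCKET)
    return {name: put_allowed(policy, hdrs) for name, hdrs in SAMPLE_PUTS.items()}

if __name__ == "__main__":
    print(json.dumps(enforce_sse_policy(BUCKET), indent=2))
    for name, (ok, sid) in check_samples().items():
        print(f"{name:8} -> {'ALLOWED' if ok else 'DENIED by ' + sid}")
```

An SSE-C upload sends the x-amz-server-side-encryption-customer-* headers instead of x-amz-server-side-encryption, so a policy written exactly like this also denies SSE-C uploads; add a statement for those headers if SSE-C must remain allowed.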

S3 Encryption Exam Tips

  • Encryption in Transit
    • SSL/TLS (HTTPS)
  • Encryption at rest
    • Server side encryption
      • SSE-S3
      • SSE-KMS
      • SSE-C
    • Client Side Encryption
  • If you want to enforce the use of encryption for your files stored in S3, use an S3 Bucket Policy to deny all PUT requests that don't include the x-amz-server-side-encryption parameter in the request header
  • Set up encryption on an S3 bucket
    • 2 ways to enable encryption
      • On setup (console)
        • Check the default encryption box
        • Select AES 256 (S3 managed keys) or AWS KMS (KMS managed keys)
          • Both are server side
      • S3 bucket policy
    • If you see the "Action does not apply to any resource(s) in statement" error when saving the bucket policy, append the wildcard to the Resource ARN
      • /*

Extras

  • Amazon S3 will reject any requests made over HTTP when using SSE-C.
    • For security considerations, we recommend you consider any key you send erroneously using HTTP to be compromised.
  • When using SSE-C, you MUST provide the following headers
    • x-amz-server-side-encryption-customer-algorithm
      • This header specifies the encryption algorithm.
      • The header value must be "AES256".
    • x-amz-server-side-encryption-customer-key
      • This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
    • x-amz-server-side-encryption-customer-key-MD5
      • This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321.
      • Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.