S3 Encryption

Object Encryption

Managed with Amazon S3-Managed Keys (SSE-S3) enabled by default.
- Enryption is AES-256.
- Can request this encryption by adding "x-amz-server-side-encryption" : "AES256" in request.
- This would encrypt the object using Amazon S3 owned key. This key is not accessible.
- Enabled by default for new objects and buckets.
Managed with KMS Keys stored in AWS KMS (SSE-KMS).
- Should have header "x-amz-server-side-encryption" : "aws:kms" to request this encryption.
- This would encrypt the object using KMS key stored in AWS.
- This gives user control over key and audit trail provides access details of the key.
- This encryption has limitation related to KMS API calls quota limits.
Managed with customer provided Keys (SSE-C).
- Must use HTTPS for this mode of encryption to work.
- AWS does not store the key.
- Key should be passed in HTTPS header.
- Can only be enabled using APIs or command line.
Dual Layer Server side encryption with AWS KMS (DSSE-KMS).

Client must use some library such as Amazon S3 client-side Encryption Library.
Client must encrypt and decrypt the object at client side before sending and after receiving respectively.

One can use a bucket policy to enforce S3 objects be accessed only using a SSE encryption policy.
Bucket policies are always evaluated before default encryption settings.
On changing the encryption setting of the bucket, new version of object is created with new last-modified date.
By default S3 Service has a KMS Key created, no charge is levied in this case.

AWS S3 exposes two endpoints
- HTTP endpoint
- HTTPS endpoint
HTTPS endpoint is recommended and provides in-flight request encryption.
One can use a bucket policy to enforce S3 objects be accessed using HTTPS endpoint (in-flight encryption condition).
- Sample policy example, which enforces in-flight encryption when GET request to an object is made for a bucket.

Last updated 5 months ago