S3 Encryption
Object Encryption
Server-Side Encryption (SSE)
Managed with Amazon S3-Managed Keys (SSE-S3), enabled by default.
Encryption is AES-256. This encryption can be requested by adding the header
"x-amz-server-side-encryption": "AES256"
to the request. The object is then encrypted using a key that Amazon S3 owns and manages; this key is not accessible to the user.
Enabled by default for new objects and buckets.
Managed with KMS keys stored in AWS KMS (SSE-KMS).
The request must carry the header
"x-amz-server-side-encryption": "aws:kms"
to request this encryption. The object is then encrypted using a KMS key stored in AWS KMS.
This gives the user control over the key, and the KMS audit trail records who accessed the key and when.
This mode is subject to the KMS API call quota limits, since S3 must call KMS to encrypt and decrypt.
Managed with customer-provided keys (SSE-C).
HTTPS must be used for this mode of encryption to work.
AWS does not store the key.
The key must be passed in the HTTPS request headers.
Can only be enabled using the APIs or the command line.
Dual-Layer Server-Side Encryption with AWS KMS (DSSE-KMS).
Client-Side Encryption
The client must use a library such as the Amazon S3 Client-Side Encryption Library.
The client must encrypt the object before sending it and decrypt it after receiving it.
One can use a bucket policy to enforce that S3 objects are accessed only with a given SSE encryption mode. Bucket policies are always evaluated before the bucket's default encryption settings.
On changing the encryption setting of the bucket, a new version of the object is created with a new last-modified date.
By default the S3 service has a KMS key created; no charge is levied for this key.
Encryption in Transit (SSL/TLS)
AWS S3 exposes two endpoints:
HTTP endpoint
HTTPS endpoint
The HTTPS endpoint is recommended and provides in-flight request encryption. One can use a bucket policy to enforce that S3 objects are accessed only through the HTTPS endpoint (in-flight encryption condition).
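The two bucket-policy enforcements described in these notes (require a given SSE header on uploads, and require HTTPS) combined in one policy, with a small checker showing which statement denies a sample request. This is an added example, not part of the original notes; the bucket name is a placeholder and the condition evaluator is a deliberately simplified version of IAM semantics (assumption: a missing key never matches a String or Bool operator, which is why a separate Null statement catches a missing header).

```python
# Constructed example bucket name (placeholder, not from the original notes).
BUCKET = "example-bucket"

def build_policy(bucket, required_sse="aws:kms"):
    """Bucket policy denying non-HTTPS access and PutObject without the required SSE header."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyWrongSSE", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": required_sse}}},
            {"Sid": "DenyMissingSSE", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }

def _condition_matches(operator, key, wanted, ctx):
    """Simplified IAM condition semantics (assumption: not the full AWS evaluator)."""
    actual = ctx.get(key)
    if operator == "Null":                  # "true" means: deny when the key is absent
        return (actual is None) == (wanted == "true")
    if actual is None:                      # missing key never matches String*/Bool here
        return False
    if operator == "Bool":
        return actual == wanted
    if operator == "StringNotEquals":
        return actual != wanted
    raise ValueError(f"unsupported operator {operator}")

def denied_by(policy, action, https, sse_header=None):
    """Return the Sid of the first Deny statement matching the request, else None."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if sse_header is not None:              # header absent -> key absent from context
        ctx["s3:x-amz-server-side-encryption"] = sse_header
    for st in policy["Statement"]:
        pattern = st["Action"]
        hit = pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))
        if st["Effect"] != "Deny" or not hit:
            continue
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in st["Condition"].items() for k, v in kv.items()):
            return st["Sid"]
    return None
```

Because bucket policies are evaluated before default encryption, an upload with the wrong header (or none) is refused even though SSE-S3 would otherwise have been applied by default.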