Encryption in S3
Hello Everyone
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we discussed how to host a static website in S3.
https://cloudaffaire.com/host-a-static-website-in-s3/
In this blog post, we are going to discuss encryption in S3.
Encryption in S3:
To protect your data in S3, you can enable the S3 encryption feature. By default, encryption is disabled in S3. You can encrypt data in transit using client-side encryption, or data at rest using server-side encryption.
Server-Side Encryption:
With server-side encryption, data is encrypted at rest: Amazon S3 encrypts your data before writing it to disk in its data centers and decrypts it when you request a download. There are three ways you can use server-side encryption:
1. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3):
Each object is encrypted with a unique key (AES-256) using strong multi-factor encryption. As an additional safeguard, S3 encrypts the key itself with a master key that it rotates regularly.
2. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS):
SSE-KMS is similar to SSE-S3 but adds some features, with associated charges. There are separate permissions for using the envelope key (the key that protects your data's encryption key), which gives added protection against unauthorized access to your objects in S3. SSE-KMS also gives you an audit trail of when your key was used and by whom. You can also use your own encryption key with SSE-KMS.
3. Server-Side Encryption with Customer-Provided Keys (SSE-C):
You manage the encryption keys, and Amazon S3 manages encryption as it writes to disk and decryption when you access your objects.
Client-Side Encryption:
If you also want to encrypt data while it's in transit, that is, while it moves from your device to the AWS data center over the internet, you can use client-side encryption. With client-side encryption, you manage the encryption process, the encryption keys, and related tools. AWS provides multiple options for client-side encryption.
Next, we are going to enable encryption for an S3 bucket using server-side encryption with S3-managed keys (SSE-S3).
Prerequisite for this demo:
- An S3 bucket.
Step 1: Login to AWS console and click ‘S3’ located under Storage.
Step 2: Click on the bucket name for which you want to enable encryption.
Step 3: Navigate to ‘Properties’ and click ‘Default encryption’.
Step 4: Select ‘AES-256’ and click ‘Save’.
Note: You can also enforce encryption using a bucket policy. We will cover this in later, more advanced blog posts.
Server-side encryption has been successfully enabled on our bucket using SSE-S3.
You can check whether encryption is working by uploading an object to your bucket.
To avoid incurring any cost, disable encryption and delete the bucket once the demo is complete.
Hope you have enjoyed this article. In the next blog post, we are going to discuss Inventory in S3.
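The same steps done through the API, as an added example that is not part of the original post or CloudAffaire's code: it enables SSE-S3 default encryption (what selecting ‘AES-256’ in the console does), adds the bucket policy mentioned in the note above so uploads that ask for a different algorithm are rejected, uploads a test object, checks the object's encryption status the way the "check if encryption is working" step suggests, and optionally undoes everything for cleanup. It also builds the request parameters for each of the three server-side options described earlier (SSE-S3, SSE-KMS, SSE-C). It assumes the AWS SDK for Python (boto3) and AWS credentials in the environment when run against a real bucket; BUCKET_NAME, the key name, the sample head_object response and the `alias/demo` key id in the comments are placeholders or constructed values.

```python
"""Enable, enforce and verify SSE-S3 default encryption on an S3 bucket with boto3.
Added example for this post, not the post's own code. Assumes boto3 and AWS
credentials when run against a real bucket; BUCKET_NAME is a placeholder."""
import json

BUCKET_NAME = "your-bucket-name-placeholder"  # placeholder: replace with your bucket


def sse_s3_default_encryption():
    """Bucket default-encryption config equivalent to choosing 'AES-256' in the console (SSE-S3)."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def deny_non_sse_s3_uploads_policy(bucket):
    """Bucket policy that denies PutObject unless the request asks for SSE-S3.
    Caveat: S3 evaluates the policy against the request headers, and a StringNotEquals
    condition also matches when the header is absent, so clients must send
    x-amz-server-side-encryption: AES256 explicitly rather than rely on the bucket default."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUploadsWithoutSSES3",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        }],
    }


def put_object_params(mode, kms_key_id=None, customer_key=None):
    """Extra put_object parameters for each server-side encryption option the post describes.
    For SSE-C, customer_key must be a 32-byte key you generate and store yourself;
    boto3 base64-encodes it and adds the key MD5 header for you."""
    if mode == "SSE-S3":
        return {"ServerSideEncryption": "AES256"}
    if mode == "SSE-KMS":
        params = {"ServerSideEncryption": "aws:kms"}
        if kms_key_id:  # omit to use the account's default aws/s3 KMS key
            params["SSEKMSKeyId"] = kms_key_id
        return params
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte (256-bit) customer key")
        return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": customer_key}
    raise ValueError(f"unknown mode {mode!r}")


def object_is_sse_s3(head_object_response):
    """True when a head_object/put_object response reports SSE-S3 (AES256) encryption."""
    return head_object_response.get("ServerSideEncryption") == "AES256"


# Constructed sample of what head_object returns for an SSE-S3 object (not a real capture).
SAMPLE_HEAD_RESPONSE = {
    "ContentLength": 11,
    "ETag": '"placeholder-etag"',
    "ServerSideEncryption": "AES256",
}


def run_demo(bucket, key="encryption-check.txt", cleanup=False):
    """Apply the post's steps via the API, verify with an upload, optionally undo for cleanup."""
    import boto3  # imported here so the helpers above work without the SDK installed

    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=sse_s3_default_encryption())
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(deny_non_sse_s3_uploads_policy(bucket)))
    s3.put_object(Bucket=bucket, Key=key, Body=b"hello world", **put_object_params("SSE-S3"))
    encrypted = object_is_sse_s3(s3.head_object(Bucket=bucket, Key=key))
    print(f"{key} encrypted with SSE-S3: {encrypted}")
    if cleanup:  # the post's cleanup step: disable encryption so the demo leaves nothing behind
        s3.delete_object(Bucket=bucket, Key=key)
        s3.delete_bucket_policy(Bucket=bucket)
        s3.delete_bucket_encryption(Bucket=bucket)
    return encrypted


if __name__ == "__main__":
    run_demo(BUCKET_NAME, cleanup=True)
```

The policy is deliberately limited to one Deny statement: a second statement with a `Null` condition on the same header, as older examples used, would reject every upload that relies on default encryption instead of sending the header, which is exactly what the console setting above is meant to allow.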