Understanding Amazon S3 Encryption

Tags: aws, amazon s3, aws kms, aws security, aws storage, s3 security | Jan 31, 2024

Introduction

Understanding the encryption options available in Amazon S3 is crucial for maintaining the confidentiality and integrity of our data in S3. This blog post dives into the various encryption options provided by S3, explores when and how to use them, and discusses the special considerations for S3 replication with encryption.

Types of Encryption

  1. Encryption at rest
    1. Applies while data is stored in S3.
    2. Further divided into:
      1. Server-side encryption: Encryption happens on the server, i.e. inside S3.
      2. Client-side encryption: Encryption happens on the client; the server only ever receives already-encrypted data and does not encrypt or decrypt it.
  2. Encryption in transit
    1. Applies while data travels between the client and S3.
    2. It is also called encryption in flight.
    3. This is achieved by using the HTTPS endpoints, which in turn rely on the SSL/TLS protocols.

Types of Server-Side Encryption (SSE) for Encryption at Rest

1. SSE-S3 (Amazon S3-Managed Keys):

  • How it works: Amazon S3 manages the encryption process and the keys used to encrypt our data. Each object is encrypted with a unique key, and as an additional safeguard, that key is itself encrypted with a master key that is regularly rotated. We need to set the header "x-amz-server-side-encryption": "AES256".
  • Use when: We want a hands-off encryption approach, relying on Amazon to automatically handle key management and encryption.
  • Special considerations: This is the default encryption method for all S3 buckets; it applies AES-256 without requiring us to manage any encryption keys.

2. SSE-KMS (AWS Key Management Service):

  • How it works: Uses AWS KMS for key management, offering additional security features like key rotation and centralized management. Provides enhanced control over the encryption keys, including audit logs via CloudTrail. We must set the header "x-amz-server-side-encryption": "aws:kms".
  • Use when: We need detailed audit trails, key management, and additional security controls over our encryption keys.
  • Special considerations: SSE-KMS may incur additional costs because every upload and download makes API calls to AWS KMS (e.g. the GenerateDataKey and Decrypt APIs). It is also subject to KMS limits and quotas, so S3 buckets with a lot of data and access may be throttled. Reading an object requires access to both the S3 bucket and the KMS key. Unlike SSE-S3, objects cannot be read without access to the key even if they are made public.

3. SSE-C (Customer-Provided Keys):

  • How it works: Customers manage and provide their encryption keys to AWS for encrypting data. AWS encrypts data as it writes it to disks and decrypts it when we access it, but it does not store the encryption keys.
  • Use when: We need to manage our keys directly, ensuring that only we have access to these keys.
  • Special considerations: The responsibility of key security and management falls entirely on us, and AWS will not store these keys.
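As an added example (not code from the original post), the request headers that select each of the three SSE modes on a PutObject, plus a classifier for the headers S3 returns on GetObject/HeadObject. The SSE-S3 and SSE-KMS values are the ones quoted above; the SSE-C header names are S3's documented x-amz-...-customer-* set, and DEMO_KEY is a constructed placeholder.

```python
import base64
import hashlib

# Constructed 32-byte key for the SSE-C case; never hard-code a real key.
DEMO_KEY = bytes(range(32))

def sse_headers(mode, key=b"", kms_key_id=""):
    """Request headers that select a server-side encryption mode on PutObject.
    SSE-S3 and SSE-KMS use the single header quoted in the post; SSE-C sends
    the key itself (base64) together with an MD5 of the key as a checksum."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        h = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omit to fall back to the AWS-managed aws/s3 key
            h["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return h
    if mode == "SSE-C":
        if len(key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        digest = base64.b64encode(hashlib.md5(key).digest()).decode()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
            # S3 compares this digest with the key it receives to catch corruption
            "x-amz-server-side-encryption-customer-key-MD5": digest,
        }
    raise ValueError("unknown mode: " + mode)

def sse_c_headers_consistent(headers):
    """Client-side sanity check: does the MD5 header match the key header?"""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
    return len(key) == 32 and hashlib.md5(key).digest() == md5

def detect_sse(response_headers):
    """Classify an object from the headers S3 returns on GetObject/HeadObject.
    S3 never echoes an SSE-C key back, only the algorithm name."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get("x-amz-server-side-encryption-customer-algorithm") == "AES256":
        return "SSE-C"
    sse = h.get("x-amz-server-side-encryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    return "none"  # stored unencrypted (possible for objects older than the 2023 default)
```

detect_sse is useful when auditing a bucket: a HEAD per object, or an S3 Inventory export, tells you which mode is actually in effect rather than which one the bucket default promises.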

Client-Side Encryption for Encryption at Rest

  • How it works: Data is encrypted on the client side before it is uploaded to S3 and decrypted after it is downloaded, so we manage both the encryption process and the keys. We can use libraries such as the Amazon S3 Client-Side Encryption Library for this purpose.
  • Use when: We require complete control over the encryption process and keys.
  • Special considerations: This method requires us to secure the encryption process and the keys.

Considerations for S3 Replication With Encryption

Replicating data across different S3 buckets or AWS Regions ensures data availability and durability. However, encryption adds a layer of complexity to S3 replication. Here are key considerations:

  • Default Replication Behavior: Unencrypted objects and those encrypted with SSE-S3 are replicated by default.
  • SSE-C Encrypted Objects: These can be replicated, but the user must manage and provide the encryption keys for both the source and target objects.
  • SSE-KMS Encrypted Objects: Replication for SSE-KMS encrypted objects requires specific configurations:
    • Enable replication for SSE-KMS encrypted objects.
    • Specify the KMS Key for encrypting the objects in the target bucket.
    • Adapt the KMS Key Policy for the target and source keys to include permissions for kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key.
    • Be aware of potential KMS throttling errors, which can be mitigated by requesting a Service Quotas increase if necessary.
    • Multi-region AWS KMS Keys are treated as independent keys by Amazon S3, meaning the object will be decrypted and then re-encrypted during replication.

Special note on Glacier Encryption

S3 Glacier ensures data security by automatically encrypting data at rest using the 256-bit Advanced Encryption Standard (AES-256), with AWS managing and regularly rotating the encryption keys for enhanced protection. Users preferring personal key management can opt for client-side encryption before data storage.

For data in transit, SSL encryption safeguards data moving to and from Glacier. Additionally, when using Amazon S3 for lifecycle transitions to Glacier, SSL encryption also secures data during the transition process.

Best Practices and Recommendations

  1. Assess Data Sensitivity: Evaluate the sensitivity of our data to determine the most appropriate encryption method.
  2. Select the Right Encryption Option: Choose between server-side and client-side encryption based on our security needs and capability to manage encryption keys.
  3. Implement Robust Access Controls: Regardless of the encryption method, ensure we have strong access controls in place.
  4. Regularly Rotate Encryption Keys: Especially for SSE-KMS and client-side encryption, regularly rotate keys to enhance security.
  5. Monitor and Audit Encryption Configurations: Regularly check our S3 encryption settings and configurations to ensure they meet our security requirements.

Additional Notes and Considerations

  1. Default Encryption: Since January 5, 2023, Amazon S3 has enabled default server-side encryption with SSE-S3 for all buckets, ensuring every new object uploaded is encrypted at rest using AES-256. We can change this default to another option.
  2. Force Encryption for Data at Rest: We can force encryption at rest with a bucket policy that requires PUT requests for S3 objects to include the x-amz-server-side-encryption header with the value AES256 for SSE-S3 or aws:kms for SSE-KMS, or to use customer-provided keys (SSE-C) for direct control.
  3. Force Encryption for Data in Transit: The aws:SecureTransport condition key in the bucket policy can be used to force encryption in transit.
  4. Bucket policies vs. Default Encryption: Bucket policies in Amazon S3 are evaluated before the default encryption settings are applied. Therefore, bucket policies can enforce stricter rules, such as requiring specific encryption headers, and thereby override the bucket's default encryption configuration.
  5. S3 Bucket Key: The S3 Bucket Key feature is a setting within the Amazon S3 service designed to reduce the number of API calls made to KMS for encryption and decryption activities by 99%. When we enable the S3 Bucket Key for an S3 bucket, a unique key is generated specifically for that bucket. This key is then used to encrypt the data keys that encrypt our objects, instead of using the KMS master key directly for each object. Read more at cloudericks.com/blog/understanding-s3-bucket-key-for-sse-kms-encryption.
  6. Large file upload to S3 with a KMS key: Uploading a large file to Amazon S3 with KMS encryption involves breaking the file into smaller parts using S3's multipart upload feature. Each part is encrypted with a unique data key provided by AWS KMS, which requires the kms:GenerateDataKey permission. Upon completing the upload, S3 uses the kms:Decrypt permission to decrypt and reassemble the parts, then re-encrypts the entire file with the specified KMS key for secure storage.
  7. S3 Batch Operations for Object Encryption: To bulk encrypt unencrypted S3 objects, we can use S3 Batch Operations, which allows large-scale modifications across our S3 storage. Start with an S3 Inventory report to identify objects and their encryption status, then filter for unencrypted items using S3 Select or Athena. When setting up the S3 Batch Operations job for encryption, ensure it is configured with SSE-KMS, specifying the AWS KMS key ID for encryption. Crucially, the job must have permission to access both the S3 bucket containing the objects and the KMS key used for encryption.
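Items 2, 3 and 4 above in working form, as an added example that is not from the original post: a bucket policy that denies PUTs without SSE-KMS, PUTs that omit the header entirely, and any request over plain HTTP, plus a small local evaluator for the three condition operators it uses. The bucket name and Sids are constructed placeholders, and the evaluator is a simplified model of those operators only, not a reimplementation of IAM.

```python
import fnmatch

def encryption_bucket_policy(bucket):
    """Deny PutObject unless it asks for SSE-KMS, deny PutObject that omits the
    header entirely, and deny every request that does not use TLS."""
    arn = "arn:aws:s3:::" + bucket
    common = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": arn + "/*"}
    return {"Version": "2012-10-17", "Statement": [
        # Header present but with a value other than aws:kms (e.g. AES256)
        dict(common, Sid="DenyWrongSSE",
             Condition={"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        # Header absent: StringNotEquals does not match a missing key, so this statement is needed too
        dict(common, Sid="DenyMissingSSE",
             Condition={"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        # Plain HTTP for any S3 action against the bucket or its objects
        dict(common, Sid="DenyInsecureTransport", Action="s3:*", Resource=[arn, arn + "/*"],
             Condition={"Bool": {"aws:SecureTransport": "false"}}),
    ]}

def _condition_matches(condition, ctx):
    """Simplified evaluation of the three operators used above (not full IAM)."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            present = key in ctx
            if op == "Null":  # "true" matches only when the key is absent from the request
                if (want == "true") != (not present):
                    return False
            elif op == "StringNotEquals":  # an absent key never matches
                if not present or ctx[key] == want:
                    return False
            elif op == "Bool":
                if not present or ctx[key] != want:
                    return False
            else:
                raise ValueError("unsupported operator: " + op)
    return True

def denying_statement(policy, action, ctx):
    """Sid of the first Deny statement that applies to the request context, or None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatch(action, a) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None
```

The second statement is the one most often forgotten: with only the StringNotEquals statement, a PUT that sends no encryption header at all is not denied and simply falls through to the bucket's default encryption.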

Conclusion

Amazon S3's encryption and replication features provide flexible and robust solutions for securing and managing data in the cloud. By understanding these features and implementing best practices, businesses can significantly enhance the security and availability of their data. Whether opting for server-side or client-side encryption or managing the intricacies of S3 replication, it's essential to assess your data's sensitivity, choose the right encryption strategy, and consider the replication requirements to ensure your data remains secure and accessible.
