Skip to the content.
AWS Developer Associate
S3 Encryption for Objects
- There are 4 methods of encrypting objects in S3
- SSE-S3: encrypt S3 objects using keys handled and managed by AWS
- SSE-KMS: use AWS KMS to manage encryption keys
- SSE-C: use KMS custom keys to encrypt data
- Client Side Encryption
SSE-KMS
- Allows to do server side encryption in S3, keys are handled and managed by KMS
- KMS: user control + audit trail
- In order to SSE-KMS to work, we must set the following header: x-amz=server-side-encryption”: “aws:kms”
SSE-KMS Deep Dive
- Under the hood SSE-KMS uses GenerateDataKey and Decrypt KMS API calls
- These KMS API calls will show up in CloudTrails, useful for logging and audit
- In order to be able to perform SS3-KMS, we need:
- A KMS key policy to authorize the user/role
- An IAM policy to authorize access to KMS
- S3 calls to KMS for SSE-KMS will count against our KMS limits
S3 Bucket Policies
Force SSL
- We can create an S3 bucket policy with a DENY condition of aws:SecurityTransport=false
- Note: using an allow on the same condition would allow anonymous GetObject if SSL is used
Force SSE-KMS Encryption
- Deny any incorrect encryption header: make sure it includes
aws:kms
- Deny no encryption header to ensure objects are not uploaded un-encrypted