How to Encrypt an Object in S3 – Explained

It's important to understand how data is protected in transit and at rest before looking at the encryption options. Data in transit is generally secure when it is sent from source to destination over TLS: the session keys exist only for that connection and nobody retains them afterwards, so the data stays protected on the wire.

However, for data at rest you need to think about the encryption type applied to your objects during mid- or long-term storage. Several types of encryption are available to protect your data in the cloud.

Different Types of Encryption

Client-side encryption – With this option, users encrypt their data with their own key before uploading it.

Server-side encryption with Amazon S3-managed keys (SSE-S3) – With this option the user does not hold any keys. S3 encrypts the data on the server side using a 256-bit block cipher (AES-256). Each object in S3 is encrypted with a unique key, and S3 encrypts that key with its master key.

Server-side encryption with customer master keys (SSE-KMS) – This option is similar to SSE-S3 with an additional protection mechanism: KMS maintains an audit trail that shows when your CMK was used and by whom.

Server-side encryption with customer-provided keys – With this option you manage the encryption keys, while Amazon S3 performs the encryption when it writes the object to disk and the decryption when you access the object.

AWS S3 lets a user set default encryption on a bucket so that all objects are encrypted when they are stored in it. By default the encryption type is None: an object stored in S3 without any encryption option selected is not encrypted. You can encrypt an object using either server-side encryption with AWS S3-managed keys (AES-256) or AWS KMS-managed keys (AWS-KMS).

Enable default encryption on your bucket to have the objects stored in it encrypted with the encryption type you choose.

Encrypt an Object in S3

This section walks through default encryption and the other encryption types you can choose for objects in S3.

1. Sign in to the AWS Console (link) and open the S3 service

2. Select your bucket and go to Properties

3. Select Default encryption

By default, AWS leaves encryption disabled.

If you now upload an object directly from the S3 UI, its encryption type shows as None.

Server-side encryption with Amazon S3-managed keys (SSE-S3)

1. Select your bucket and go to Properties and click on Default Encryption

2. Select AES-256 and save

Amazon S3 notes that even with bucket default encryption enabled, a PUT request without encryption headers is still rejected if your bucket policy denies such PUT requests. We will explain this in a separate topic.

3. Upload an Object and verify the encryption type
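The bucket-policy behaviour mentioned above, as an added example that is not part of the original post: a bucket policy that denies PutObject requests without an acceptable x-amz-server-side-encryption header, together with a small evaluator for the two condition operators the policy uses, so you can see which uploads get rejected before the bucket default ever applies. The bucket name, the boto3 client and the sample request headers are assumptions; the policy itself is constructed for this example.

```python
import json
from typing import Dict, Optional

BUCKET = "example-bucket"  # placeholder name, not a real bucket

# Constructed bucket policy with two Deny statements:
#  - DenyPutWithoutSSEHeader: the Null operator matches when the request
#    carries no x-amz-server-side-encryption header at all.
#  - DenyPutWithWrongSSE: StringNotEquals matches when the header is present
#    but names something other than SSE-S3 (AES256) or SSE-KMS (aws:kms).
DENY_UNENCRYPTED_PUTS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutWithoutSSEHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyPutWithWrongSSE",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
                }
            },
        },
    ],
}


def put_is_denied(policy: dict, headers: Dict[str, str]) -> Optional[str]:
    """Return the Sid of the Deny statement that matches a PutObject request,
    or None if no Deny statement applies. Only the Null and StringNotEquals
    operators on s3:x-amz-server-side-encryption are modelled; header names
    are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sse = lowered.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for operator, keys in stmt["Condition"].items():
            expected = keys.get("s3:x-amz-server-side-encryption")
            if expected is None:
                continue
            if operator == "Null" and (sse is None) == (expected == "true"):
                return stmt["Sid"]
            if operator == "StringNotEquals" and sse is not None:
                allowed = expected if isinstance(expected, list) else [expected]
                if sse not in allowed:
                    return stmt["Sid"]
    return None


def apply_policy(bucket: str = BUCKET) -> None:
    """Attach the policy to the bucket. boto3 is imported inside the function so
    the pure evaluator above can be used without boto3 or AWS credentials."""
    import boto3  # assumed installed; needs credentials allowed s3:PutBucketPolicy

    s3 = boto3.client("s3")
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(DENY_UNENCRYPTED_PUTS))


if __name__ == "__main__":
    # Constructed requests: which of them would this policy reject?
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"},
                 {"x-amz-server-side-encryption": "garbage"}):
        verdict = put_is_denied(DENY_UNENCRYPTED_PUTS, hdrs)
        print(hdrs, "->", verdict or "not denied by this policy")
```

Two statements are needed because the Null check is what catches a request with no header at all; the StringNotEquals check only fires once a header is present. A console upload with default encryption turned on but no header in the request still hits the first statement, which is the rejection the post refers to.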

Server-side encryption with customer master keys (SSE-KMS)

1. Select your bucket and go to Properties and click on Default Encryption

2. Select AWS-KMS and save

It will ask for a KMS key. By default you can select aws/s3; otherwise, enter the ARN of your own custom KMS key.

3. Upload an Object and verify the encryption type
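The two console procedures above (SSE-S3 and SSE-KMS) carried out through the API, as an added example that is not part of the original post. It uses boto3 (assumed installed, with credentials that may change bucket encryption) to set the bucket's default encryption, upload an object with no encryption header, and then read the applied encryption back from HeadObject, which is the same information the console's encryption column shows. The bucket name, object key and KMS key ARN are placeholders. Leaving the KMS key out of the SSE-KMS rule selects the AWS-managed aws/s3 key, matching the console's default choice.

```python
from typing import Optional

BUCKET = "example-bucket"  # placeholder bucket name
KEY = "hello.txt"          # placeholder object key
CUSTOM_KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def default_encryption_config(sse: str, kms_key_id: Optional[str] = None) -> dict:
    """Build the ServerSideEncryptionConfiguration body for PutBucketEncryption.
    sse is the console choice: "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)."""
    if sse == "AES256":
        by_default = {"SSEAlgorithm": "AES256"}
    elif sse == "aws:kms":
        by_default = {"SSEAlgorithm": "aws:kms"}
        if kms_key_id:  # omit to use the AWS-managed key aws/s3
            by_default["KMSMasterKeyID"] = kms_key_id
    else:
        raise ValueError(f"unsupported default encryption: {sse!r}")
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}


def encryption_type(head: dict) -> str:
    """Translate a HeadObject/GetObject response into the label the console shows.
    S3 omits the ServerSideEncryption field entirely for an unencrypted object."""
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "None"
    if sse == "AES256":
        return "SSE-S3"
    if sse == "aws:kms":
        key_id = head.get("SSEKMSKeyId")
        return f"SSE-KMS ({key_id})" if key_id else "SSE-KMS"
    return sse  # any other algorithm value is reported verbatim


def enable_and_verify(sse: str, kms_key_id: Optional[str] = None,
                      bucket: str = BUCKET, key: str = KEY) -> str:
    """Set the bucket default, upload with no SSE header, report what S3 applied."""
    import boto3  # imported here so the helpers above run without boto3/credentials

    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(sse, kms_key_id),
    )
    # No x-amz-server-side-encryption header on the upload: the bucket default decides.
    s3.put_object(Bucket=bucket, Key=key, Body=b"constructed test object")
    return encryption_type(s3.head_object(Bucket=bucket, Key=key))


if __name__ == "__main__":
    print("SSE-S3 :", enable_and_verify("AES256"))
    print("SSE-KMS:", enable_and_verify("aws:kms"))                  # aws/s3 key
    print("SSE-KMS:", enable_and_verify("aws:kms", CUSTOM_KMS_ARN))  # your own CMK
```

Checking HeadObject after the upload is the API equivalent of step 3 in both procedures: an object uploaded before default encryption was enabled still reports None, because the bucket default only affects objects written after it is set.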

You can now apply different encryption types to your objects in S3.

Please comment below if you have any questions/concerns related to this blog.
