AWS SAA-C02
Simple Storage Service (S3)

Server-Side Encryption

  • Server-side encryption is the encryption of data at its destination by the application or service that receives it.

  • S3 encrypts your data at the object level as it writes it to disks in its data centres and decrypts it for you when you access it.

  • As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.

  • You can't apply different types of server-side encryption to the same object simultaneously.

Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

  • Each object is encrypted with a unique key.

    • S3 also encrypts each object key with a master key that it regularly rotates.

  • It uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

  • If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy that denies PutObject requests which do not carry the encryption header.

  • Requests must set the following header (in a bucket policy the matching condition key is the same name prefixed with s3:):

    • x-amz-server-side-encryption: AES256 (policy condition: "s3:x-amz-server-side-encryption": "AES256")

Server-side encryption using AWS KMS CMKs (SSE-KMS)

  • Similar to SSE-S3, but with additional benefits (key control and an audit trail) and additional charges for the KMS API calls it makes.

  • Amazon S3 uses AWS KMS customer master keys (CMKs) to encrypt your Amazon S3 objects.

  • SSE-KMS provides you with an audit trail (KMS calls recorded in CloudTrail) that shows when your CMK was used and by whom.

  • You create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.

  • AWS KMS is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

  • AWS KMS encrypts only the object data.

    • Any object metadata is not encrypted.

  • When you use SSE-KMS encryption with an S3 bucket, the AWS KMS CMK must be in the same Region as the bucket.

  • Requests must set the following header (in a bucket policy the matching condition key is the same name prefixed with s3:):

    • x-amz-server-side-encryption: aws:kms (policy condition: "s3:x-amz-server-side-encryption": "aws:kms")
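The bucket-policy enforcement described in the SSE-S3 and SSE-KMS sections above, as an added example that is not part of these notes or of any AWS SDK. It builds the two Deny statements AWS's own example policy uses (a StringNotEquals check on the header value plus a Null check for a missing header), simulates how those conditions evaluate against the x-amz-server-side-encryption request header, and checks the same-Region rule for a KMS key ARN. The bucket name and the key ARN are constructed placeholders; the evaluator models only the explicit-deny part of IAM policy evaluation.

```python
"""Simulated enforcement of S3 server-side encryption via bucket policy.

Added example (not AWS code). Nothing here talks to AWS; it shows the
policy shape and how the conditions behave against request headers.
"""
import json

BUCKET = "example-notes-bucket"  # constructed placeholder, not a real bucket


def sse_enforcement_policy(bucket: str, mode: str) -> dict:
    """Bucket policy denying s3:PutObject unless the request carries
    x-amz-server-side-encryption equal to `mode` ("AES256" for SSE-S3,
    "aws:kms" for SSE-KMS).

    An ordinary operator such as StringNotEquals does not match when its
    key is absent from the request context, so a second statement using the
    Null operator is needed to catch uploads that omit the header entirely.
    """
    if mode not in ("AES256", "aws:kms"):
        raise ValueError("mode must be AES256 or aws:kms")
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": mode}
                },
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the subset of condition operators used in the policy above."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" matches an absent key, "false" matches a present one
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                # an absent key never matches an ordinary operator
                if not present or context[key] == expected:
                    return False
            elif operator == "StringEquals":
                if not present or context[key] != expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def put_object_allowed(policy: dict, headers: dict) -> bool:
    """Return False if any Deny statement for s3:PutObject matches a request
    with the given HTTP headers. Header names are case-insensitive and map to
    the condition key "s3:" + header name. An Allow from elsewhere is assumed.
    """
    context = {"s3:" + name.lower(): value for name, value in headers.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject":
            if _condition_matches(stmt["Condition"], context):
                return False
    return True


def kms_key_in_bucket_region(key_arn: str, bucket_region: str) -> bool:
    """SSE-KMS requires the CMK to be in the bucket's Region; the Region is
    the fourth colon-separated field of a KMS key ARN."""
    parts = key_arn.split(":")
    return len(parts) >= 6 and parts[2] == "kms" and parts[3] == bucket_region


if __name__ == "__main__":
    policy = sse_enforcement_policy(BUCKET, "AES256")
    print(json.dumps(policy, indent=2))
    print("header AES256 allowed:", put_object_allowed(policy, {"x-amz-server-side-encryption": "AES256"}))
    print("no header allowed:", put_object_allowed(policy, {}))
```

Running the block prints the SSE-S3 policy and shows that an upload with the header is accepted while one without it is denied; swapping the mode to "aws:kms" produces the SSE-KMS variant.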

Server-Side Encryption with Customer-Provided Keys (SSE-C)

  • You manage the encryption keys and S3 manages the encryption, as it writes to disks, and decryption, when you access your objects.

  • Server-side encryption encrypts only the object data.

    • Not object metadata.

  • Using SSE-C allows you to set your own encryption keys.

  • With the encryption key you provide as part of your request, S3 manages the encryption as it writes to disks and decryption when you access your objects.

  • Therefore, you don't need to maintain any code to perform data encryption and decryption.

  • The only thing you do is manage the encryption keys you provide.

  • You must use HTTPS, because the key itself is sent in the request headers; S3 rejects SSE-C requests made over plain HTTP.
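How a client prepares an SSE-C request, as an added example (not code from these notes or from an AWS SDK). It generates a 256-bit key, produces the three SSE-C headers S3 expects (the algorithm, the base64 key, and the base64 MD5 of the key that S3 uses to detect a key corrupted in transit), refuses to build a request for a non-HTTPS URL, and shows the integrity check S3 performs on the key header. The URL is a constructed placeholder.

```python
"""SSE-C request preparation. Added example; does not call AWS."""
import base64
import hashlib
import secrets
from urllib.parse import urlparse

ALGORITHM_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def new_sse_c_key() -> bytes:
    """A fresh random key; SSE-C requires exactly 32 bytes (AES-256)."""
    return secrets.token_bytes(32)


def _key_md5_b64(key: bytes) -> str:
    # MD5 here is an integrity check on the transported key, not a security
    # primitive, so usedforsecurity=False keeps it usable on FIPS builds.
    return base64.b64encode(hashlib.md5(key, usedforsecurity=False).digest()).decode()


def sse_c_headers(key: bytes) -> dict:
    """The three headers every SSE-C PUT and GET must carry. Because S3 does
    not store the key, a GET must present the same key again."""
    if len(key) != 32:
        raise ValueError("SSE-C key must be 32 bytes (AES-256)")
    return {
        ALGORITHM_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode(),
        KEY_MD5_HEADER: _key_md5_b64(key),
    }


def prepare_sse_c_request(url: str, key: bytes) -> dict:
    """Attach SSE-C headers to a request, refusing plain HTTP since the key
    travels in the headers."""
    if urlparse(url).scheme != "https":
        raise ValueError("SSE-C requires HTTPS; the key would be sent in the clear")
    return {"url": url, "headers": sse_c_headers(key)}


def key_header_is_consistent(headers: dict) -> bool:
    """The check S3 performs server-side: the MD5 header must match the
    presented key, otherwise the request is rejected."""
    try:
        key = base64.b64decode(headers[KEY_HEADER], validate=True)
    except (KeyError, ValueError):
        return False
    return headers.get(KEY_MD5_HEADER) == _key_md5_b64(key)


if __name__ == "__main__":
    # constructed placeholder URL
    req = prepare_sse_c_request("https://example-notes-bucket.s3.amazonaws.com/report.pdf", new_sse_c_key())
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print("consistent:", key_header_is_consistent(req["headers"]))
```

The same headers are required on GetObject, HeadObject and copies, which is what makes key management the caller's whole responsibility under SSE-C: lose the key and the object is unrecoverable.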

Last updated 4 years ago