Server-Side Encryption

  • Server-side encryption is the encryption of data at its destination by the application or service that receives it.

  • S3 encrypts your data at the object level as it writes it to disks in its data centres and decrypts it for you when you access it.

  • As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.

  • You can't apply different types of server-side encryption to the same object simultaneously.

Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

  • Each object is encrypted with a unique key.

    • It also encrypts the key itself with a master key that it regularly rotates.

  • It uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

  • If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy.

  • Must set the following request header: x-amz-server-side-encryption: AES256

    • The matching bucket-policy condition key is "s3:x-amz-server-side-encryption": "AES256"

Server-side encryption using AWS KMS CMKs (SSE-KMS)

  • Similar to SSE-S3, but with some additional benefits and charges for using this service.

  • Amazon S3 uses AWS KMS customer master keys (CMKs) to encrypt your Amazon S3 objects.

  • SSE-KMS provides you with an audit trail that shows when your CMK was used and by whom.

  • You create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.

  • AWS KMS is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud.

  • AWS KMS encrypts only the object data.

    • Any object metadata is not encrypted.

  • When you use SSE-KMS encryption with an S3 bucket, the AWS KMS CMK must be in the same Region as the bucket.

  • Must set the following request header: x-amz-server-side-encryption: aws:kms

    • The matching bucket-policy condition key is "s3:x-amz-server-side-encryption": "aws:kms"
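The bucket-policy enforcement mentioned in the SSE-S3 section and the aws:kms header in this section can be shown together. The following is an added example, not part of the original notes: it builds the common two-statement deny policy (one statement rejects a wrong x-amz-server-side-encryption value, the other rejects a missing header) and evaluates sample PutObject headers against it locally. The local evaluator is a simplification of IAM's logic that covers only these explicit Deny statements; bucket name and header samples are constructed.

```python
import json

# Condition key used in S3 bucket policies; the request header S3 reads is the
# same name without the "s3:" prefix.
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"
REQUEST_HEADER = "x-amz-server-side-encryption"


def sse_bucket_policy(bucket: str, mode: str) -> dict:
    """Deny s3:PutObject unless the request carries the expected SSE header.

    mode is "AES256" for SSE-S3 or "aws:kms" for SSE-KMS. Two statements are
    needed: StringNotEquals catches a wrong value, Null catches a missing header.
    """
    if mode not in ("AES256", "aws:kms"):
        raise ValueError("mode must be AES256 or aws:kms")
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: mode}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {SSE_CONDITION_KEY: "true"}},
            },
        ],
    }


def put_object_allowed(policy: dict, headers: dict) -> bool:
    """Local approximation: apply only the Deny statements of the policy above
    to a PutObject request's headers (case-insensitive header names).
    Returns False when any Deny statement matches."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(REQUEST_HEADER)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        # Null: true matches when the header is absent from the request.
        if cond.get("Null", {}).get(SSE_CONDITION_KEY) == "true" and value is None:
            return False
        # StringNotEquals matches when the header is present with another value.
        expected = cond.get("StringNotEquals", {}).get(SSE_CONDITION_KEY)
        if expected is not None and value is not None and value != expected:
            return False
    return True


if __name__ == "__main__":
    # Constructed bucket name and sample upload requests.
    policy = sse_bucket_policy("example-reports-bucket", "aws:kms")
    print(json.dumps(policy, indent=2))
    for sample in ({"x-amz-server-side-encryption": "aws:kms"},
                   {"x-amz-server-side-encryption": "AES256"},
                   {}):
        print(sample, "->", "allowed" if put_object_allowed(policy, sample) else "denied")
```

The policy only blocks uploads that do not request the chosen mode; an Allow statement or IAM permission is still required for any upload to succeed. Newly written objects in S3 are encrypted with SSE-S3 by default, so the policy mainly matters when SSE-KMS (and its audit trail) must be enforced.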

Server-Side Encryption with Customer-Provided Keys (SSE-C)

  • You manage the encryption keys and S3 manages the encryption, as it writes to disks, and decryption, when you access your objects.

  • Server-side encryption encrypts only the object data.

    • Not object metadata.

  • Using SSE-C allows you to set your own encryption keys.

  • With the encryption key you provide as part of your request, S3 manages the encryption as it writes to disks and decryption when you access your objects.

  • Therefore, you don't need to maintain any code to perform data encryption and decryption.

  • The only thing you do is manage the encryption keys you provide.

  • You must use HTTPS.
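With SSE-C the key travels in the request headers on every PUT and GET, which is why HTTPS is mandatory. The following is an added example, not from the original notes: it produces the three SSE-C request headers for a 256-bit key (the key base64-encoded plus a base64 MD5 of the raw key that S3 uses to detect a corrupted key), refuses a plain-http URL, and re-checks the header set the way S3 validates it. The key bytes and URL are constructed samples.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def generate_ssec_key() -> bytes:
    """Fresh 256-bit AES key. With SSE-C the caller must store it: S3 keeps no
    copy of the key, so losing it makes the object unrecoverable."""
    return secrets.token_bytes(32)


def ssec_headers(key: bytes) -> dict:
    """Headers sent with every request on an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        ALGO_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        # MD5 here is an integrity check on the key in transit, not a secret hash.
        KEY_MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def ssec_request(url: str, key: bytes) -> dict:
    """Return SSE-C headers for a request, refusing plain HTTP since the key
    itself is in the headers."""
    if urlsplit(url).scheme != "https":
        raise ValueError("SSE-C requests must use HTTPS")
    return ssec_headers(key)


def ssec_headers_consistent(headers: dict) -> bool:
    """Local re-check of what S3 validates: algorithm is AES256, the key
    decodes to 32 bytes and the MD5 header matches the decoded key."""
    try:
        key = base64.b64decode(headers[KEY_HEADER], validate=True)
        sent_md5 = base64.b64decode(headers[KEY_MD5_HEADER], validate=True)
    except (KeyError, ValueError):
        return False
    return (headers.get(ALGO_HEADER) == "AES256"
            and len(key) == 32
            and hashlib.md5(key).digest() == sent_md5)


if __name__ == "__main__":
    key = generate_ssec_key()
    # Constructed bucket/object URL.
    headers = ssec_request("https://example-bucket.s3.amazonaws.com/report.csv", key)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("consistent:", ssec_headers_consistent(headers))
```

The same three headers must be supplied again on every GET, HEAD or copy of the object; a request without them (or with a different key) is rejected by S3, which is the practical meaning of "the only thing you do is manage the encryption keys you provide".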
