S3 Data Encryption

  • Data protection refers to protecting data both in transit and at rest.

  • You can protect data in transit using SSL/TLS or client-side encryption.

  • You have the following options for protecting data at rest in S3:

    • Server-Side Encryption:

      • Request S3 to encrypt your object before saving it on disks in its data centres and then decrypt it when you download the objects.

    • Client-Side Encryption:

      • Encrypt data client-side and upload the encrypted data to S3. In this case, you manage the encryption process, the encryption keys, and related tools.

Server-side Encryption

Server-side Encryption with S3-managed encryption keys (SSE-S3)

  • Each object is encrypted with a unique key.

  • As an additional safeguard, S3 encrypts that per-object key itself with a master key that it rotates regularly.

  • It uses one of the strongest block ciphers available, AES-256, to encrypt your data.

Server-side Encryption using KMS CMKs (SSE-KMS)

  • SSE-KMS is similar to SSE-S3, but with some additional benefits and additional charges for using the KMS service.

  • There are separate permissions for the use of a CMK, which provide added protection against unauthorized access to your objects in S3.

  • It also provides you with an audit trail that shows when your CMK was used and by whom.

  • You can create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.

Server-side Encryption with customer-provided encryption keys (SSE-C)

  • The customer manages the encryption keys and S3 manages the encryption, as it writes to disks, and decryption, when you access your objects.
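The three server-side modes above differ only in which request parameters you send and what S3 reports back on the object. The following added example (not from the original notes, and not AWS's own code) builds the put_object arguments for SSE-S3, SSE-KMS and SSE-C, and then classifies constructed head_object-style responses so you can spot objects that were stored without encryption. The parameter and response field names are the ones boto3 uses (ServerSideEncryption, SSEKMSKeyId, SSECustomerAlgorithm, SSECustomerKey, SSECustomerKeyMD5); the KMS key ARN and the sample responses are constructed, and nothing here calls AWS, so it runs offline.

```python
"""Build S3 server-side encryption request parameters and audit object
encryption state. Added example; it never contacts AWS."""
import base64
import hashlib
from typing import Dict, List, Optional, Tuple


def sse_s3_args() -> Dict[str, str]:
    """SSE-S3: S3 generates and manages the per-object key (AES-256)."""
    return {"ServerSideEncryption": "AES256"}


def sse_kms_args(kms_key_id: Optional[str] = None) -> Dict[str, str]:
    """SSE-KMS: key material lives in KMS. Omit kms_key_id to use the
    AWS managed key for S3; pass a customer managed CMK id or ARN for
    separate key permissions and a CloudTrail audit trail of key use."""
    args = {"ServerSideEncryption": "aws:kms"}
    if kms_key_id:
        args["SSEKMSKeyId"] = kms_key_id
    return args


def sse_c_headers(customer_key: bytes) -> Dict[str, str]:
    """SSE-C: the caller supplies the raw AES-256 key on every request.
    These are the REST header values S3 expects: the key base64-encoded,
    plus the base64 of the MD5 digest of the raw key as an integrity check.
    (boto3 derives both from a raw SSECustomerKey, so with boto3 you pass
    the raw key and omit SSECustomerKeyMD5.) S3 never stores this key;
    lose it and the object is unrecoverable."""
    if len(customer_key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    key_md5 = hashlib.md5(customer_key).digest()  # MD5 here is a checksum, not a security primitive
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
    }


def classify_encryption(head: Dict[str, str]) -> str:
    """Map a head_object-style response to the SSE mode it reports.
    Caveat: a head_object on an SSE-C object only succeeds when the request
    carries the customer key, so an audit that lacks the key will see an
    error rather than a response for those objects."""
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    if head.get("SSECustomerAlgorithm") == "AES256":
        return "SSE-C"
    return "NONE"


def find_unencrypted(objects: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Return the keys of objects whose metadata reports no server-side encryption."""
    return [key for key, head in objects if classify_encryption(head) == "NONE"]


# Constructed sample responses shaped like boto3 head_object output.
SAMPLE_OBJECTS = [
    ("reports/q1.csv", {"ServerSideEncryption": "AES256"}),
    ("reports/q2.csv", {"ServerSideEncryption": "aws:kms",
                        "SSEKMSKeyId": "arn:aws:kms:eu-west-1:000000000000:key/EXAMPLE-KEY-ID"}),
    ("reports/q3.csv", {"SSECustomerAlgorithm": "AES256",
                        "SSECustomerKeyMD5": "EXAMPLE-MD5=="}),
    ("reports/q4.csv", {}),  # uploaded without any SSE parameters
]

if __name__ == "__main__":
    for key, head in SAMPLE_OBJECTS:
        print(f"{key}: {classify_encryption(head)}")
    print("unencrypted:", find_unencrypted(SAMPLE_OBJECTS))
```

In practice the audit loop would replace SAMPLE_OBJECTS with the results of list_objects_v2 followed by head_object per key, and a bucket default-encryption rule (or a bucket policy denying PutObject without the expected x-amz-server-side-encryption header) closes the gap for future uploads.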

Client-side Encryption

  • To enable client-side encryption, you have the following options:

    • Use a KMS CMK.

    • Use a master key that you store within your application.
