S3 Encryption & Logging & Secure Transport

S3 Default Encryption

  • S3 default encryption sets the default encryption behaviour for an S3 bucket: once it is enabled, every new object is encrypted at rest when it is stored in the bucket, without the client having to request encryption on each PUT.

  • Objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS keys (SSE-KMS, backed by a KMS CMK).

  • Default encryption can be enabled on any existing or new S3 bucket. It only applies to objects written after it is enabled; objects already in the bucket are not re-encrypted retroactively and must be copied or re-uploaded to pick it up.

  • Without default encryption, every object storage request must carry its own encryption information (for example the x-amz-server-side-encryption header), and you must also add a bucket policy that rejects PutObject requests that don't include it; otherwise a client can still write an unencrypted object.

CloudTrail Logging for S3 Actions

  • CloudTrail can also log object-level S3 actions, not only the bucket-level (management) operations it records by default.

  • To do this, specify the S3 bucket (optionally narrowed to an object prefix) in your trail's event selectors. When an object-level action occurs in your account, CloudTrail evaluates it against your trail settings.

  • If the event matches a bucket or prefix you specified in the trail, the event is logged.

  • CloudTrail supports logging S3 object-level API operations such as GetObject, DeleteObject and PutObject; these are called data events, as opposed to management events such as CreateBucket or PutBucketPolicy.

  • By default, trails don't log data events (they are far higher volume than management events and are billed separately), but you can configure a trail to log data events for the S3 buckets you specify, or for all S3 buckets in your AWS account.
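As an added example (not code from the original page), the following Python builds the event-selector document that `aws cloudtrail put-event-selectors --event-selectors` accepts for S3 data events, and then triages a constructed CloudTrail log file to pull out only the object-level (data) events and the subset that are writes. The bucket name, account ID, user names and IP addresses in the sample records are placeholders, not data from the page.

```python
import json


def s3_data_event_selector(bucket_arns=None):
    """Event selector for `aws cloudtrail put-event-selectors`.

    "arn:aws:s3:::" with no bucket selects every S3 bucket in the account;
    "arn:aws:s3:::bucket-name/" (trailing slash) selects all objects in one
    bucket, and "arn:aws:s3:::bucket-name/prefix/" narrows it to a prefix.
    """
    values = bucket_arns or ["arn:aws:s3:::"]
    return [{
        "ReadWriteType": "All",            # log both reads (GetObject) and writes
        "IncludeManagementEvents": True,   # keep bucket-level events too
        "DataResources": [{"Type": "AWS::S3::Object", "Values": values}],
    }]


# Constructed CloudTrail records (placeholder account, bucket, users, IPs).
SAMPLE_TRAIL_LOG = json.dumps({"Records": [
    {   # management event: changing the bucket's default encryption
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:20:05Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "example-secure-bucket"},
        "readOnly": False, "managementEvent": True, "eventCategory": "Management",
    },
    {   # data event: read
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:22:31Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "example-secure-bucket", "key": "reports/q4.pdf"},
        "readOnly": True, "managementEvent": False, "eventCategory": "Data",
    },
    {   # data event: write
        "eventVersion": "1.08", "eventTime": "2024-01-15T10:25:02Z",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "example-secure-bucket", "key": "uploads/release.tar.gz"},
        "readOnly": False, "managementEvent": False, "eventCategory": "Data",
    },
    {   # data event: destructive write
        "eventVersion": "1.08", "eventTime": "2024-01-15T11:01:44Z",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
        "sourceIPAddress": "192.0.2.44",
        "requestParameters": {"bucketName": "example-secure-bucket", "key": "reports/q4.pdf"},
        "readOnly": False, "managementEvent": False, "eventCategory": "Data",
    },
]})


def object_level_events(trail_log_json: str) -> list:
    """Return the S3 data (object-level) events from a CloudTrail log file."""
    out = []
    for r in json.loads(trail_log_json)["Records"]:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        # Newer records carry eventCategory; older ones only managementEvent.
        is_data = r.get("eventCategory") == "Data" or r.get("managementEvent") is False
        if not is_data:
            continue
        params = r.get("requestParameters") or {}
        out.append({
            "time": r["eventTime"],
            "event": r["eventName"],
            "write": not r.get("readOnly", True),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "principal": r.get("userIdentity", {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
        })
    return out


def write_events(trail_log_json: str) -> list:
    """Only the object-level events that modify data (PutObject, DeleteObject, ...)."""
    return [e for e in object_level_events(trail_log_json) if e["write"]]


if __name__ == "__main__":
    print(json.dumps(s3_data_event_selector(["arn:aws:s3:::example-secure-bucket/"]), indent=2))
    for e in write_events(SAMPLE_TRAIL_LOG):
        print(f'{e["time"]} {e["event"]:<12} s3://{e["bucket"]}/{e["key"]} by {e["principal"]} from {e["source_ip"]}')
```

The PutBucketEncryption record is dropped by the filter because it is a management event; it would appear in the trail even with data-event logging switched off, whereas the three object-level records only exist because the selector above was applied to the trail.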

aws:SecureTransport

  • To tell HTTP from HTTPS requests in a bucket policy, use a condition on the aws:SecureTransport global condition key.

    • When this key is true, the request was sent over HTTPS (TLS); when it is false, the request came in over plain HTTP.

    • To comply with the s3-bucket-ssl-requests-only AWS Config rule, add a statement to the bucket policy that explicitly denies access when the condition "aws:SecureTransport": "false" holds. Because an explicit Deny overrides any Allow, this rejects every plain-HTTP request to the bucket regardless of what other policies grant.
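The two bucket-policy statements this page calls for (the reject-unencrypted-uploads policy from the default-encryption section and the aws:SecureTransport deny above) are shown together in this added Python example, which is not code from the original page. It builds the policy document and then runs a small evaluator over it that models only the IAM pieces the policy uses (explicit Deny, Action/Resource wildcards, and the Bool and Null condition operators); the bucket name is an assumption, and the evaluator treats anything not explicitly denied as allowed, which real IAM does not (a matching Allow is still needed).

```python
import fnmatch
import json

BUCKET = "example-secure-bucket"  # assumed bucket name, not from the page


def build_bucket_policy(bucket: str) -> dict:
    """Bucket policy with two explicit Deny statements:
    - DenyInsecureTransport: any S3 action over plain HTTP (aws:SecureTransport false),
      which is what the s3-bucket-ssl-requests-only Config rule looks for;
    - DenyUnencryptedObjectUploads: PutObject without the
      x-amz-server-side-encryption header (Null operator: the key is absent)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Subset of IAM condition logic: Bool and Null operators, ANDed across keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" means "the key must be absent", "false" means "must be present"
                if (expected == "true") != (not present):
                    return False
            elif operator == "Bool":
                # a missing key never satisfies Bool (IAM treats it as not matching)
                if not present or str(ctx[key]).lower() != expected.lower():
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict):
    """Return ("Deny", Sid) for the first explicit Deny whose Action, Resource and
    Condition all match the request, else ("Allow", None). Demonstration only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return "Deny", stmt["Sid"]
    return "Allow", None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/reports/q4.pdf"
    scenarios = {
        "GetObject over HTTP": ("s3:GetObject", {"aws:SecureTransport": "false"}),
        "PutObject over HTTPS, no SSE header": ("s3:PutObject", {"aws:SecureTransport": "true"}),
        "PutObject over HTTPS with SSE-S3": ("s3:PutObject", {"aws:SecureTransport": "true",
                                                               "s3:x-amz-server-side-encryption": "AES256"}),
        "GetObject over HTTPS": ("s3:GetObject", {"aws:SecureTransport": "true"}),
    }
    for name, (action, ctx) in scenarios.items():
        print(f"{name:<40} -> {evaluate(policy, action, obj, ctx)}")
```

The Null check is the part people get wrong: with `"Null": {"s3:x-amz-server-side-encryption": "true"}` the statement matches when the header is missing, so an HTTPS PutObject that sets no encryption header is denied, while the same upload with `x-amz-server-side-encryption: AES256` passes both statements. Once default encryption is enabled on the bucket this second statement becomes redundant and will reject clients that rely on the default instead of sending the header, so revisit it when you turn default encryption on.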
