Concept of S3 Encryption
To understand S3 encryption, we will walk through the available features and the encryption methods involved.
- We can set default encryption on a bucket
- With the default settings, all objects are encrypted when stored in the bucket.
- Objects are encrypted using server-side encryption with one of:
  - Amazon S3-managed keys (SSE-S3)
  - AWS KMS-managed keys (SSE-KMS)
S3 object encryption methods
- In SSE-S3, S3 objects are encrypted with keys managed by AWS
- In SSE-KMS, AWS KMS (Key Management Service) manages the encryption keys
- In SSE-C, the customer manages the encryption keys on their own
- Client-side encryption, where the client encrypts the object before uploading it
SSE-S3
- Key management by AWS S3
- The object is encrypted server-side
- AES-256 encryption type
- The header should be set as x-amz-server-side-encryption: AES256
SSE-KMS
- All encryption keys are managed by AWS KMS
- KMS Advantages: user control + audit trail
- The object is encrypted server-side
- The header should be set as x-amz-server-side-encryption: aws:kms
SSE-C
- Data keys are managed by the user and are held outside of AWS
- The provided encryption key is never stored in S3 or anywhere else in AWS
- HTTPS must be used
- The encryption key must be provided in the HTTP headers of every request made
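As an added example (not part of the original notes), the Python below builds the request headers each SSE mode needs and evaluates a PUT the way a bucket policy that denies unencrypted uploads would, including the SSE-C rules above (HTTPS only, key sent with every request). The header names are the real S3 ones; the policy model and the 32-byte customer key used in testing are assumptions made for illustration.

```python
import base64
import hashlib
from typing import Dict, Optional

# Header names S3 uses to select a server-side encryption mode (real S3 headers).
SSE_HEADER = "x-amz-server-side-encryption"
SSE_C = "x-amz-server-side-encryption-customer-"


def sse_headers(mode: str, kms_key_id: Optional[str] = None,
                customer_key: Optional[bytes] = None) -> Dict[str, str]:
    """Build the request headers that select SSE-S3, SSE-KMS or SSE-C for a PUT."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # optional: pin a specific KMS key instead of the account default
            headers[SSE_HEADER + "-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) customer key")
        # The key itself travels in the headers, plus an MD5 so S3 can detect corruption.
        return {
            SSE_C + "algorithm": "AES256",
            SSE_C + "key": base64.b64encode(customer_key).decode(),
            SSE_C + "key-MD5": base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError("unknown mode: " + mode)


def check_put_request(scheme: str, headers: Dict[str, str]) -> str:
    """Evaluate a PUT the way a 'deny unencrypted uploads' bucket policy would.

    Returns "allow", or a string starting with "deny:" that gives the reason.
    This is a simplified model of the policy evaluation, not S3's own code."""
    if SSE_C + "key" in headers:
        if scheme != "https":  # the key rides in the headers, so plain HTTP is refused
            return "deny: SSE-C requires HTTPS"
        key = base64.b64decode(headers[SSE_C + "key"])
        want = base64.b64encode(hashlib.md5(key).digest()).decode()
        if headers.get(SSE_C + "key-MD5") != want:
            return "deny: customer key MD5 mismatch"
        return "allow"
    if headers.get(SSE_HEADER) in ("AES256", "aws:kms"):
        return "allow"
    return "deny: missing or invalid " + SSE_HEADER
```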