Understanding S3 Encryption

In this, we will learn about S3 Encryption.

SOA-C01 exam is updated to AWS Certified SysOps Administrator – Associate (SOA-C02).

What is Amazon S3?

Amazon S3 is an object storage service with industry-leading scalability, data availability, security, and performance. Amazon S3 allows customers of all sizes and sectors to store and safeguard any amount of data for a variety of use cases, including data lakes, websites, mobile apps, backup and restore, archiving, business applications, IoT devices, and big data analytics. Further, you may use Amazon S3’s administration tools to optimize, organize, and customize data access to meet your unique business, organizational, and compliance needs.

S3 Encryption:

• We can set default encryption on a bucket
• With, the default settings,  all objects encrypts when stored in a bucket.
• objects encrypts using server-side encryption with
  • Amazon S3-managed keys (SSE-S3)
  • AWS KMS-managed keys (SSE-KMS)

S3 object encryption methods

• SSE-S3: encrypts S3 objects using keys handled & managed by AWS
• SSE-KMS: leverage AWS Key Management Service to manage encryption keys
• SSE-C: when you want to manage your own encryption keys
• Client-Side Encryption

SSE-S3

• SSE-S3: encryption using keys handled & managed by AWS S3
• The object is an encrypted server-side
• AES-256 encryption type
• Must set header: x “x- – amz- – server-side- –

SSE-KMS

• SSE-KMS: encryption using keys handled & managed by KMS
• KMS Advantages: user control + audit trail
• An object is the encrypted server-side
• Must set header: x “x- – amz- – server- – side- – encryption”: ” aws:kms” “

SSE-C

• SSE-C: server-side encryption using data keys fully managed by the customer outside of AWS
• This service does not store the encryption key you provide
• HTTPS must be used
• The encryption key must be provided in HTTP headers, for every HTTP request made