Server-side encryption (SSE) is a way to encrypt data as it is stored in a destination application or service. When you use Amazon S3, your data is encrypted at the object level as it is written to disks in AWS data centers and decrypted when you access it. As long as you have the right permissions, you can access encrypted objects the same way you access unencrypted ones.
Default Encryption in Amazon S3
By default, all Amazon S3 buckets have server-side encryption configured. This means that every new object you upload to an S3 bucket is automatically encrypted. The default encryption type is server-side encryption with Amazon S3 managed keys (SSE-S3).
Types of Server-Side Encryption
SSE-S3: Amazon S3 managed keys
SSE-KMS: AWS Key Management Service keys
DSSE-KMS: Dual-layer encryption with AWS KMS keys
SSE-C: Customer-provided keys
Let's break these down.
SSE-S3 (Amazon S3 Managed Keys)
This is the default encryption for S3. Each object is encrypted with a unique key, and the key itself is encrypted with a root key that is rotated regularly. SSE-S3 uses 256-bit AES-GCM, a strong encryption standard.
Example Policy to Require SSE-S3 Encryption
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyObjectsThatAreNotSSES3",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
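To see what this Deny statement actually does to incoming requests, here is a small evaluator, added as an example and not part of the original page or of any AWS tooling. It embeds the policy above, models only the IAM subset the policy uses (one action, a trailing-wildcard resource, StringNotEquals), and applies IAM's rule that a negated operator evaluates to true when its key is absent from the request context. The object key, bucket name and sample headers are constructed for the example; the practical point it shows is that a client that sends no encryption header at all (relying on the bucket's default SSE-S3) is denied by this policy, not just a client that asks for another type.

```python
import json

# The page's bucket policy, embedded so this example runs stand-alone.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyObjectsThatAreNotSSES3",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
""")


def statement_matches(statement, action, resource, context):
    """True if the statement applies to this request.

    Only the IAM subset the page's policy uses is modelled: a single
    action string, one resource with a trailing wildcard, and the
    StringNotEquals operator.
    """
    if action != statement["Action"]:
        return False
    if not resource.startswith(statement["Resource"].rstrip("*")):
        return False
    for key, value in statement["Condition"].get("StringNotEquals", {}).items():
        # IAM treats a negated operator as true when the key is absent from
        # the request context, so a PUT that sends no encryption header
        # (expecting default encryption to apply) matches the Deny as well.
        if context.get(key) == value:
            return False
    return True


def put_is_allowed(headers, key="reports/q1.csv", bucket="DOC-EXAMPLE-BUCKET"):
    """Simulate s3:PutObject against POLICY.

    Returns False when the Deny statement matches. An Allow from elsewhere
    (for example the caller's IAM identity policy) is assumed, since a
    Deny-only bucket policy grants nothing by itself.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    resource = f"arn:aws:s3:::{bucket}/{key}"
    return not any(
        s["Effect"] == "Deny" and statement_matches(s, "s3:PutObject", resource, context)
        for s in POLICY["Statement"]
    )


if __name__ == "__main__":
    for hdrs in ({"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"},
                 {}):
        print(hdrs, "->", "allowed" if put_is_allowed(hdrs) else "denied")
```

Run the block directly to see the three cases: the SSE-S3 header is allowed, the SSE-KMS header is denied, and a request with no header is denied. If the intent is to enforce a different type (for example SSE-KMS), the value in the policy has to change to match the header value that type sends, because the condition compares the literal string.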
SSE-KMS (AWS KMS Keys)
With SSE-KMS, you have more control over the encryption keys. You can create, manage, and audit keys through AWS KMS. This option also allows integration with AWS CloudTrail for monitoring key usage.
DSSE-KMS (Dual-layer Encryption with AWS KMS Keys)
DSSE-KMS applies two layers of encryption at the object level, satisfying certain compliance requirements. It provides additional security by encrypting data twice using AWS KMS keys.
SSE-C (Customer-Provided Keys)
With SSE-C, you manage the encryption keys, but Amazon S3 handles the encryption and decryption processes when writing to and reading from disks.
Specifying Different Encryption Types
You can specify the type of server-side encryption in your S3 PUT requests or set a different default encryption configuration in the destination bucket.
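The two mechanisms just described map to concrete request headers and to the bucket encryption configuration. The following Python is an added example, not code from the original page or from the AWS SDK: `sse_put_headers` builds the PutObject headers that select each of the four types (including the base64 key and key-MD5 headers that SSE-C requires), and `default_encryption_config` builds the rule body that PutBucketEncryption expects for the three types that can be a bucket default. The key ID and customer key values used in the usage section are constructed placeholders.

```python
import base64
import hashlib

SSE_HEADER = "x-amz-server-side-encryption"
MODES = ("SSE-S3", "SSE-KMS", "DSSE-KMS", "SSE-C")


def sse_put_headers(mode, kms_key_id=None, customer_key=None):
    """Request headers that select a server-side encryption type on PutObject."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode in ("SSE-KMS", "DSSE-KMS"):
        headers = {SSE_HEADER: "aws:kms" if mode == "SSE-KMS" else "aws:kms:dsse"}
        if kms_key_id is not None:
            # Without a key ID, S3 falls back to the AWS managed key (aws/s3).
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
        # The key itself travels in the request, so SSE-C is only accepted
        # over HTTPS, and S3 does not keep it: the same headers must be sent
        # again on every GET, HEAD and copy of the object.
        key_md5 = hashlib.md5(customer_key, usedforsecurity=False).digest()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
        }
    raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")


def default_encryption_config(mode, kms_key_id=None, bucket_key=True):
    """Rule body for PutBucketEncryption (ServerSideEncryptionConfiguration)."""
    algorithms = {"SSE-S3": "AES256", "SSE-KMS": "aws:kms", "DSSE-KMS": "aws:kms:dsse"}
    if mode == "SSE-C":
        raise ValueError("SSE-C cannot be a bucket default; its key is supplied per request")
    if mode not in algorithms:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")
    by_default = {"SSEAlgorithm": algorithms[mode]}
    rule = {"ApplyServerSideEncryptionByDefault": by_default}
    if mode != "SSE-S3":
        if kms_key_id is not None:
            by_default["KMSMasterKeyID"] = kms_key_id
        # An S3 Bucket Key reduces the number of KMS requests (and their
        # cost) for SSE-KMS and DSSE-KMS; it has no meaning for SSE-S3.
        rule["BucketKeyEnabled"] = bucket_key
    return {"Rules": [rule]}


if __name__ == "__main__":
    # Placeholder values, constructed for the example.
    print(sse_put_headers("DSSE-KMS", kms_key_id="alias/EXAMPLE-KEY"))
    print(sse_put_headers("SSE-C", customer_key=bytes(range(32))))
    print(default_encryption_config("SSE-KMS", kms_key_id="alias/EXAMPLE-KEY"))
```

With boto3, the same choices are passed as `ServerSideEncryption`, `SSEKMSKeyId`, `SSECustomerAlgorithm` and `SSECustomerKey` arguments to `put_object`, and the dictionary from `default_encryption_config` is the `ServerSideEncryptionConfiguration` argument to `put_bucket_encryption`; the SDK computes the SSE-C key MD5 for you, which is why the raw-header form is shown here instead.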
Encrypting Existing Objects
If you need to encrypt existing objects, use S3 Batch Operations and S3 Inventory.
Example: Using S3 Batch Operations to Encrypt Objects
Create an S3 Inventory report.
Use S3 Batch Operations to apply the desired encryption.
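The step between those two, turning the inventory report into something Batch Operations can consume, is where most of the work sits. The Python below is an added example, not code from the original page or from AWS: it reads inventory rows using the `fileSchema` column list that the inventory's manifest.json provides (the CSV files themselves have no header row), keeps the objects whose EncryptionStatus is not the type you want, and writes a Batch Operations manifest in the bucket,key CSV form. The schema string and the four inventory rows are constructed sample data. Creating the Batch Operations job itself (a Copy operation that rewrites each object with the target encryption) is done from the console or the s3control CreateJob API and is not called here.

```python
import csv
import io

# Constructed sample data: the "fileSchema" value from an inventory
# manifest.json and a few rows laid out accordingly. Object keys in an
# inventory report are already URL-encoded (note the %20).
FILE_SCHEMA = "Bucket, Key, Size, LastModifiedDate, EncryptionStatus"
SAMPLE_INVENTORY_CSV = (
    '"DOC-EXAMPLE-BUCKET","reports/q1.csv","1024","2024-01-05T10:00:00.000Z","NOT-SSE"\n'
    '"DOC-EXAMPLE-BUCKET","reports/q2%20final.csv","2048","2024-04-02T09:30:00.000Z","NOT-SSE"\n'
    '"DOC-EXAMPLE-BUCKET","images/logo.png","512","2023-11-11T08:00:00.000Z","SSE-S3"\n'
    '"DOC-EXAMPLE-BUCKET","config/app.json","256","2024-02-20T12:00:00.000Z","SSE-KMS"\n'
)


def parse_inventory(inventory_csv, file_schema):
    """Yield one dict per inventory row, keyed by the schema's column names."""
    columns = [c.strip() for c in file_schema.split(",")]
    if "EncryptionStatus" not in columns:
        # The field is optional in the inventory configuration; without it
        # there is nothing to filter on.
        raise ValueError("enable the EncryptionStatus field in the inventory configuration")
    for row in csv.reader(io.StringIO(inventory_csv)):
        if len(row) != len(columns):
            raise ValueError(f"row has {len(row)} fields but the schema lists {len(columns)}")
        yield dict(zip(columns, row))


def objects_needing(target, inventory_csv, file_schema):
    """(bucket, key) pairs whose current encryption is not the target type."""
    return [
        (r["Bucket"], r["Key"])
        for r in parse_inventory(inventory_csv, file_schema)
        if r["EncryptionStatus"] != target
    ]


def batch_manifest(objects):
    """Batch Operations CSV manifest: one bucket,key line per object.

    Keys must be URL-encoded in the manifest; inventory keys already are,
    so they pass through unchanged.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for bucket, key in objects:
        writer.writerow([bucket, key])
    return out.getvalue()


if __name__ == "__main__":
    to_fix = objects_needing("SSE-KMS", SAMPLE_INVENTORY_CSV, FILE_SCHEMA)
    print(f"{len(to_fix)} object(s) to re-encrypt")
    print(batch_manifest(to_fix), end="")
```

Upload the resulting manifest to a bucket and point the Batch Operations Copy job at it, with the target encryption set in the job's copy parameters; a follow-up inventory report after the job finishes is the simplest way to confirm that no NOT-SSE or unexpected-type objects remain.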
Conclusion
Server-side encryption in Amazon S3 ensures that your data is secure at rest. By default, S3 uses SSE-S3, but you can also use SSE-KMS, DSSE-KMS, or SSE-C depending on your security requirements. Understanding and using these encryption methods will help you keep your data secure while taking advantage of the flexibility and power of Amazon S3.