In my previous post in this series about how to secure AWS S3 resources, I talked about the importance of securing your AWS S3 resources by making sure the proper permissions were set up for your buckets as well as the objects you place in those buckets.
In this post, we will talk about the different ways to encrypt the objects in your S3 buckets. Encrypting your S3 data is very important so attackers cannot steal your data. Let’s get into the meat of this post, shall we?
Check out our video tutorial related to this post:
Server-Side Encryption Options
Server-side encryption only encrypts data once it has reached the server and before it is stored on disk for uploads. It will decrypt the data on the server before returning it to the user for retrievals. Thus the data will be traveling over the internet unencrypted unless, of course, you are using TLS/SSL/HTTPS connections.
Using Standard AWS S3 AES-256 Encryption
Always selecting the default AWS S3 AES-256 encryption is the easiest way to get S3 server-side encryption. The key for this encryption method is managed by AWS S3 and is not configurable. You can find more information about this default encryption method here. The main gist is that when you create a new bucket, you can set the option to always encrypt all objects in that bucket using this method. Below you will find a screenshot of where the option is when creating a new S3 bucket:
Using KMS Managed Key Encryption
As you can see in the screenshot above, there is another encryption option using KMS Managed Keys. This is a great option if you want to control the rotation of your keys or delete them to render your data useless in case of a breach. You can also use different encryption keys for your development and production data if desired. HOWEVER, there is one major caveat that many smaller companies may really want to know about before using that option.
If you choose the KMS Managed key option, every object put into the bucket or read from the bucket will incur a lookup of that KMS key. Pricing for using KMS keys can be found here. If you add or request files in your S3 bucket many times each day, this cost can add up quickly. Just keep that in mind when choosing your encryption option for your bucket.
Using Customer Managed Key Encryption
AWS S3 now allows customers to provide their own encryption key(s) to encrypt and decrypt their S3 objects. There are a few ways of using customer-managed keys to encrypt your data:
- Using an AWS SDK for your project’s programming language such as AWS Java SDK or AWS .NET SDK
- You can also use the AWS REST API if you are using a different language than one of those listed above, or if you need direct access to the HTTP REST API
There is also the option to encrypt your data before sending it over to AWS S3 and decrypt it after receiving data from AWS S3. Adding Client-Side encryption in addition to server-side encryption enhances security. This also adds processing time and additional load on the client as it needs to do extra work.
There are numerous SDKs for different languages that support client-side encryption for S3 objects.
You can use either a Customer Master Key that is stored in AWS KMS, or you can use an encryption key that is stored within your application. You can find more information about AWS S3 client-side encryption here.