Amazon S3 supports both server-side and client-side encryption, and protects data in two ways: encryption in transit and encryption at rest.
Encryption details can be specified when uploading a file.
Encryption In Transit (SSL/TLS)
You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol.
Encryption At Rest
Server Side Encryption
- Server-side encryption is performed by S3 before the object is stored, and decryption is performed when the object is accessed.
- Uses AES-256 by default.
- Classified based on key management:
- S3 Managed Keys – SSE-S3
  - Provides an integrated solution where Amazon handles key management and key protection using multiple layers of security.
  - Uses one of the strongest block ciphers available: AES-256.
  - Choose SSE-S3 if you prefer to have Amazon manage your keys.
- Server side encryption with customer provided keys – SSE-C
  - S3 performs the encryption and decryption of your objects while you retain control of the keys used to encrypt them.
  - Use SSE-C if you want to maintain your own encryption keys but don't want to implement or leverage a client-side encryption library.
- Using AWS Key Management Service Managed Keys – SSE-KMS
  - Uses AWS KMS to manage your encryption keys.
  - There are separate permissions for the use of the master key, providing an additional layer of control as well as protection against unauthorized access to your objects stored in Amazon S3.
  - AWS KMS provides an audit trail so you can see who used your key to access which object and when.
  - AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements.
Client Side Encryption
- Client-side encryption is performed before the object is uploaded.
- Using an encryption client library, such as the Amazon S3 Encryption Client, you retain control of the keys and complete the encryption and decryption of objects client-side using an encryption library of your choice.
- For customers who prefer full end-to-end control of the encryption and decryption of objects: only encrypted objects are transmitted over the Internet to Amazon S3.
Additional Notes - Encryption
- With SSE, every protected object is encrypted with a unique key. This object key is itself encrypted by a separate master key that is stored securely and reissued at least monthly.
- The object creation REST APIs provide a request header, x-amz-server-side-encryption, that you can use to request server-side encryption. Read more here.
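As an added example (not part of the original notes), the following standard-library Python builds the request headers for each of the three SSE modes above, checks that an SSE-C upload is going over HTTPS, and classifies an object's at-rest encryption from its response headers. The 32-byte key and the response headers are constructed demo values.

```python
"""Added example (not from the original notes): build S3 request headers for
each server-side encryption mode above and classify an object's encryption."""
import base64
import hashlib
from urllib.parse import urlsplit

SSE_HEADER = "x-amz-server-side-encryption"

def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Return the PUT request headers that request SSE-S3, SSE-KMS or SSE-C."""
    if mode == "SSE-S3":
        return {SSE_HEADER: "AES256"}
    if mode == "SSE-KMS":
        headers = {SSE_HEADER: "aws:kms"}
        if kms_key_id:  # omitted -> S3 uses the account's default KMS key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) key")
        # The raw key travels with the request (base64), so S3 accepts SSE-C
        # only over HTTPS; the MD5 lets S3 detect a key corrupted in transit.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown SSE mode {mode!r}")

def tls_ok_for(endpoint, headers):
    """SSE-C uploads must go to an HTTPS endpoint or S3 rejects them."""
    if "x-amz-server-side-encryption-customer-key" in headers:
        return urlsplit(endpoint).scheme == "https"
    return True

def encryption_mode(response_headers):
    """Classify at-rest encryption from HEAD/GET response headers: 'SSE-S3',
    'SSE-KMS', 'SSE-C', or None when the object was stored in plaintext."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get("x-amz-server-side-encryption-customer-algorithm") == "AES256":
        return "SSE-C"
    return {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}.get(h.get(SSE_HEADER))

if __name__ == "__main__":
    # Constructed 32-byte demo key; never hard-code a real one.
    demo_key = bytes(range(32))
    print(sse_headers("SSE-C", customer_key=demo_key))
    print(encryption_mode({"x-amz-server-side-encryption": "aws:kms"}))
```

Running encryption_mode over the HEAD response of every object in a bucket is a quick way to find objects that were uploaded without any of the SSE modes described above.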
References:
- heartin's blog
Comments
good
good