Cloud storage services are popular because of their efficiency and accessibility, both of which are critical for companies. Amazon Web Services (AWS) is among the market's leading public cloud providers.
AWS offers several encryption options for S3, its object storage service used for backups, archives, application files and more. This article covers the encryption options available for Amazon S3 buckets: the encryption types, the key types behind them, and how to configure them.
Overview of Amazon S3
Amazon S3 (Simple Storage Service) is the object storage service provided by AWS. It is a secure, durable and highly scalable storage solution that gives developers and IT teams a simple way to store and retrieve data from the cloud.
It is a pay-as-you-go service, meaning you only pay for the storage and requests you use. You can store any kind of data, including images, videos and documents. S3 stores objects redundantly across multiple facilities within a Region, which gives high availability and durability and lets users store and access data from anywhere.
Examples of Amazon S3 in action include:
- Amazon Prime Video uses it to store and stream its library of movies and TV shows.
- The New York Times uses it to store and deliver digital content.
Amazon S3 bucket encryption
Data encryption is an important security measure that prevents unauthorised parties from reading sensitive data. It is used in many applications, such as online banking and email.
Encryption transforms data into ciphertext using an algorithm and a key. Symmetric block ciphers such as AES (the cipher S3 uses) and the legacy 3DES and Blowfish encrypt bulk data; asymmetric algorithms such as RSA are typically used to protect keys rather than data. Without the key, anyone who obtains the ciphertext cannot recover the original data, even if they know which algorithm was used.
AWS recommends encrypting data stored in Amazon S3 buckets for both security and compliance. With the methods where the customer keeps the keys (SSE-C or client-side encryption), AWS never holds the key material, so the stored objects remain unreadable to anyone who obtains them from AWS, including a third party making a legal request for the data.
S3 supports two families of encryption at rest, server-side and client-side. Data is also encrypted in transit while it is uploaded to or downloaded from S3, and at rest while it sits in bucket storage.
Benefits of Amazon S3 encryption
Amazon S3 encryption adds a layer of protection to data stored in the cloud, whether the bucket holds public or private content.
The main benefit of Amazon S3 encryption is confidentiality: an attacker who obtains the raw stored bytes, or a disk or backup containing them, cannot read them without the key. This matters most for businesses that keep sensitive customer information in the cloud.
The second benefit is integrity. With an authenticated mode such as AES-GCM, any modification of the ciphertext is detected when the object is decrypted. Encryption does not, however, stop an attacker who holds write or delete permission from deleting or overwriting objects; that risk is addressed by access control, versioning and Object Lock, not by encryption.
For example, a school may encrypt the student records it keeps in S3 so that unauthorised access to the stored data, such as through a leaked backup, does not expose the records.
AWS S3 provides encryption both in transit and at rest.
- TLS (HTTPS) encrypts Amazon S3 traffic in transit. A bucket policy that denies requests where aws:SecureTransport is false prevents plaintext HTTP access.
- At rest, AWS distinguishes client-side and server-side encryption. Server-side encryption uses AES-256 in Galois/Counter Mode (GCM) for its symmetric key operations. GCM is an authenticated mode: it attaches an authentication tag to the ciphertext, so any tampering with the encrypted data is detected on decryption.
S3 encrypted data
Encrypted data in S3 is stored using the Advanced Encryption Standard (AES) for encryption at rest. With server-side encryption, S3 encrypts each object before writing it to disk and decrypts it when an authorised request retrieves it.
S3 also provides access control through IAM policies, bucket policies and ACLs, so administrators can set granular permissions for different users and groups and ensure that only authorised identities can read or write the data. Note that server-side encryption alone does not restrict access: anyone permitted to call GetObject receives the decrypted object.
Server-side encryption vs client-side encryption
Server-side encryption is encryption performed by the storage service rather than by the caller. Amazon S3 encrypts each object before writing it to disk in its data centres and decrypts it when an authorised request reads it, so applications see plaintext without handling keys themselves.
Server-side encryption applies to:
- Objects stored in Amazon S3 buckets. Only the object data is encrypted, not the object key name or the user metadata.
- Archives in Amazon S3 Glacier, which are always encrypted at rest.
Client-side encryption happens on the caller's side, before the data leaves the user's device or application. The client encrypts the object before uploading it, so Amazon S3 only ever receives ciphertext. The keys are managed by the client, either an AWS KMS key or an application-held root key, and the plaintext keys are never sent to or stored by S3.
Examples of Client-side encryption are:
- Using the AWS Encryption SDK to encrypt data before uploading it to Amazon S3
- Using the Amazon S3 Encryption Client to encrypt data before it is uploaded
S3 server-side encryption key types
Amazon S3 managed keys (SSE-S3)
With server-side encryption using S3-managed keys (SSE-S3), each object is encrypted with a unique data key. That data key is itself encrypted with a root key that S3 rotates regularly for extra protection. S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard in GCM mode (AES-256-GCM). Objects encrypted before GCM was adopted were encrypted with AES-CBC, which S3 still supports for decrypting those objects. Since January 2023, SSE-S3 is applied by default to every new object unless another method is specified.
AWS Key Management Service keys (SSE-KMS)
SSE-KMS is a variation of SSE-S3. The data keys are generated and wrapped by AWS Key Management Service (KMS) under a KMS key (historically called a customer master key, CMK) that the customer controls: its key policy, rotation schedule and who may use it. The primary benefits are the customer's control over the encryption process, including the ability to require kms:Decrypt permission in addition to s3:GetObject before an object can be read, and the audit trail, since every use of the key is logged in AWS CloudTrail.
Customer-provided keys (SSE-C)
With SSE-C the customer supplies the encryption key in every request; S3 uses it to encrypt or decrypt the object and then discards it, keeping only a randomly salted HMAC of the key to validate later requests. The customer is responsible for safeguarding the key and for supplying the same key to read the object; if the key is lost, the object cannot be recovered. Because the key travels in request headers, SSE-C requests are accepted only over HTTPS, never HTTP.
S3 client-side encryption key types
AWS KMS-managed customer master key (CMK)
One option for client-side encryption is to use a symmetric AWS KMS key to protect the per-object data keys.
When uploading an object, the client asks AWS KMS for a new data key (the GenerateDataKey API), naming the KMS key ID. KMS returns two versions of a random encryption key: a plaintext version, which the client uses once to encrypt the object data and then discards, and a cipher blob version encrypted under the KMS key, which the client uploads as object metadata alongside the encrypted object.
When downloading an object, the client reads the cipher blob of the data key from the object metadata, sends it to AWS KMS (the Decrypt API) to obtain the plaintext version, and then uses that to decrypt the object locally.
Client-side root (master) key held by the application
Here the root key is held by your application rather than by AWS KMS. This is still client-side encryption of data at rest, not transit encryption: S3 only ever receives ciphertext.
When uploading an object, you give the Amazon S3 encryption client the client-side root key. The client never encrypts object data with it directly; the root key is used only to encrypt (wrap) the randomly generated per-object data key.
The process is as follows:
- The client generates a unique data key for each object and encrypts the object data with that key.
- The client encrypts (wraps) the data key with your root key and attaches the wrapped key, together with a material description that identifies which root key was used, to the object as metadata.
- The client uploads the encrypted data to S3 with the wrapped data key stored as object metadata (x-amz-meta-x-amz-key) alongside the material description (x-amz-meta-x-amz-matdesc).
On download, the client fetches the encrypted object and its metadata, uses the material description to select the right root key, unwraps the data key with that root key, and finally decrypts the object data with the recovered data key.
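The envelope scheme described in the steps above, reproduced as an added example with the openssl CLI so that every piece the client would hand to S3 is visible. This is not the article's code nor any AWS SDK's: openssl enc has no GCM mode, so AES-256-CBC stands in both for the body cipher (which is what the v1 client's default mode used) and for key wrapping (the real clients use AES key wrap or RSA); the current clients use AES-256-GCM for the body. The root key, its identifier and the student record are constructed values.

```shell
#!/bin/sh
# Added example: client-side envelope encryption with an application-held root key.
# Not the article's or an AWS SDK's code; AES-256-CBC via openssl stands in for the
# SDK's ciphers so the data flow is visible. Root key, key id and record are constructed.
set -eu

# Constructed application root key (256 bits, hex). Real root keys live in a
# secrets store or HSM; the root key itself is never uploaded to S3.
ROOT_KEY_HEX=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ROOT_KEY_ID=app-key-v1      # name recorded in the material description

# AES-256-CBC of stdin under hex key $1 with a fresh random IV.
# Prints "ivhex:base64ct" (the SDK client keeps the IV as x-amz-iv metadata).
cbc_encrypt() {
  iv=$(openssl rand -hex 16)
  printf '%s:%s' "$iv" "$(openssl enc -aes-256-cbc -K "$1" -iv "$iv" | openssl base64 -A)"
}
# Inverse: $1 = hex key, $2 = "ivhex:base64ct"; plaintext to stdout.
cbc_decrypt() {
  printf '%s' "${2#*:}" | openssl base64 -d -A | openssl enc -d -aes-256-cbc -K "$1" -iv "${2%%:*}"
}

# Upload side. Reads the plaintext object from stdin and prints the three things
# the client would send to S3, one per line:
#   1. encrypted body            (under a fresh per-object data key)
#   2. x-amz-key  metadata       (data key wrapped under the root key)
#   3. x-amz-matdesc metadata    (which root key was used; plaintext, not secret)
envelope_encrypt() {
  dk=$(openssl rand -hex 32)                            # one data key per object
  body=$(cbc_encrypt "$dk")
  wrapped=$(printf '%s' "$dk" | cbc_encrypt "$ROOT_KEY_HEX")
  printf '%s\n%s\n%s\n' "$body" "$wrapped" "{\"root-key-id\":\"$ROOT_KEY_ID\"}"
}

# Download side: pick the root key named in x-amz-matdesc (a one-entry
# constructed key store), unwrap the data key, then decrypt the body.
root_key_for() {
  case "$1" in
    *"\"root-key-id\":\"$ROOT_KEY_ID\""*) printf '%s' "$ROOT_KEY_HEX" ;;
    *) echo "no root key for material description: $1" >&2; return 1 ;;
  esac
}
envelope_decrypt() {   # $1 = body, $2 = x-amz-key, $3 = x-amz-matdesc
  rk=$(root_key_for "$3") || return 1
  dk=$(cbc_decrypt "$rk" "$2") || return 1
  cbc_decrypt "$dk" "$1"
}

# Stand-alone demo: round-trip a constructed record and show what S3 would hold.
stored=$(printf 'student-id=42;grade=A' | envelope_encrypt)
printf 'what S3 holds:\n%s\n' "$stored"
body=$(printf '%s\n' "$stored" | sed -n 1p)
wrapped=$(printf '%s\n' "$stored" | sed -n 2p)
matdesc=$(printf '%s\n' "$stored" | sed -n 3p)
printf 'recovered: %s\n' "$(envelope_decrypt "$body" "$wrapped" "$matdesc")"
```

Two things the script makes concrete: uploading the same record twice yields different ciphertext and a different wrapped key, because the data key and IV are fresh each time, and a download whose material description names a root key the application does not hold fails before any decryption is attempted, which is the role the material description plays when root keys are rotated.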
Amazon S3 encryption client
The Amazon S3 encryption client encrypts data on the client side with a one-time data key generated randomly for each object. Encrypted and unencrypted objects can coexist in the same Amazon S3 bucket; the client recognises encrypted objects by the metadata it wrote at upload time.
The AWS SDK for Java exposes this as the AmazonS3EncryptionClient class (superseded by AmazonS3EncryptionClientV2, which defaults to authenticated AES-GCM); the .NET, C++, Go and Ruby SDKs have provided equivalent clients under their own names. Python's boto3 has no built-in S3 encryption client, so the AWS Encryption SDK is the option there. With these classes, applications encrypt data before sending it to S3 and decrypt data after receiving it, without S3 ever seeing plaintext.
Configuration of AWS S3 encryption
S3 buckets are containers in the AWS-managed object storage service, with no practical limit on how much data they can hold. To protect user data, AWS provides the encryption methods described above, so that someone who obtains the stored bytes without the key cannot read them.
Since January 2023 every new object is encrypted with SSE-S3 by default; users can easily switch a bucket's default to SSE-KMS or choose a method per request. AWS ensures that server-side encryption has minimal impact on S3 latency.
Encryption uses a mathematical algorithm and a key to convert data into an unreadable form. Which party manages that key, S3 itself, AWS KMS, or the customer, is what distinguishes the methods above.
Let’s see how to turn on the default encryption settings for S3 buckets.
Enable S3 encryption from the management console
- Log into an AWS account with permission to manage S3 buckets.
- Search for S3 at the top of the management console.
- Click S3 to open the bucket list.
- Click Create bucket.
- Provide a bucket name; it must be globally unique across all AWS accounts.
- Specify the AWS Region for the bucket.
- In the Default encryption section, choose the encryption type (SSE-S3 is pre-selected; SSE-KMS lets you pick a KMS key).
- Leave the other settings at their defaults.
- Click Create bucket at the bottom right to complete the process.
- The bucket now exists with default encryption configured.
- Upload a demo file to check encryption.
- Click the object, open Properties, and look at Server-side encryption settings to confirm the object is encrypted with the method you chose. The bucket's default encryption is now configured in your AWS account.
Enable S3 encryption using the AWS command line interface (AWS CLI)
AWS lets you manage services and resources from the command line interface, available on Windows, Linux and macOS. Many practitioners prefer the CLI to the management console because commands are scriptable and repeatable, whereas the console layout changes frequently. Once you are comfortable with the AWS CLI you will probably find it more convenient than the console.
- Create a bucket in the AWS account (outside us-east-1 you must also pass --create-bucket-configuration LocationConstraint=<region>):
aws s3api create-bucket --bucket <bucket-name> --region <region>
- Enable default encryption with SSE-S3 on the bucket you created, using the put-bucket-encryption subcommand with a --server-side-encryption-configuration rule whose SSEAlgorithm is AES256 (aws:kms with a KMSMasterKeyID selects SSE-KMS instead).
- Check the bucket's default encryption with the following command:
aws s3api get-bucket-encryption --bucket <bucket-name>
The output shows the rule's SSEAlgorithm (AES256 for SSE-S3, aws:kms for SSE-KMS). Thus we have enabled S3 encryption using the AWS command line interface (CLI).
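The console and CLI steps above, gathered into one added script (not the article's own commands) that creates the bucket, sets SSE-S3 or SSE-KMS as its default with put-bucket-encryption, and then verifies both the bucket setting and an uploaded object with get-bucket-encryption and head-object. The bucket name, Region, algorithm and optional KMS key ARN are assumed to be passed as arguments; the two JSON responses embedded for the offline checks are constructed samples, and the account ID and KMS key ARN in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: set and verify S3 default encryption via the AWS CLI.
# Usage: sh s3-default-encryption.sh <bucket> <region> [AES256|aws:kms] [kms-key-arn]
# The JSON samples near the bottom are constructed; they mirror real CLI output shape.
set -eu

# Build the --server-side-encryption-configuration document.
# $1 = AES256 (SSE-S3) or aws:kms (SSE-KMS); $2 = optional KMS key ARN for aws:kms
# (omitted -> the AWS managed key aws/s3). BucketKeyEnabled reduces KMS call volume.
sse_rules_json() {
  case "$1" in
    AES256)
      printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' ;;
    aws:kms)
      if [ -n "${2:-}" ]; then
        printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$2"
      else
        printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"},"BucketKeyEnabled":true}]}'
      fi ;;
    *) echo "unsupported SSEAlgorithm: $1" >&2; return 1 ;;
  esac
}

# Pull one string field out of CLI JSON output (pretty-printed or compact).
# $1 = field name, $2 = JSON text; prints "none" when the field is absent.
json_field() {
  printf '%s' "$2" | tr -d '\n' | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | grep . || echo none
}
default_sse_algorithm() { json_field SSEAlgorithm "$1"; }          # get-bucket-encryption output
object_sse_algorithm()  { json_field ServerSideEncryption "$1"; }  # head-object output

# Constructed sample responses, used to exercise the parsers without AWS access.
SAMPLE_BUCKET_ENC='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:eu-west-2:111122223333:key/example"},"BucketKeyEnabled":true}]}}'
SAMPLE_HEAD_OBJECT='{"ContentLength":6,"ServerSideEncryption":"AES256","ContentType":"text/plain"}'

main() {
  bucket=$1; region=$2; algo=${3:-AES256}; kmskey=${4:-}
  if [ "$region" = us-east-1 ]; then                      # us-east-1 rejects LocationConstraint
    aws s3api create-bucket --bucket "$bucket" --region "$region" --output json
  else
    aws s3api create-bucket --bucket "$bucket" --region "$region" --output json \
      --create-bucket-configuration "LocationConstraint=$region"
  fi
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration "$(sse_rules_json "$algo" "$kmskey")"
  cfg=$(aws s3api get-bucket-encryption --bucket "$bucket" --output json)
  echo "bucket default encryption: $(default_sse_algorithm "$cfg")"
  # Upload a test object and confirm it picked up the bucket default.
  tmp=$(mktemp); printf 'hello\n' > "$tmp"
  aws s3 cp "$tmp" "s3://$bucket/demo.txt"; rm -f "$tmp"
  head=$(aws s3api head-object --bucket "$bucket" --key demo.txt --output json)
  echo "demo.txt encrypted with: $(object_sse_algorithm "$head")"
}
[ $# -eq 0 ] || main "$@"
```

Run it with a bucket name and Region to apply the change; with no arguments it only defines the functions, so the JSON builder and the output parsers can be checked offline against the constructed samples. The head-object check is the CLI equivalent of opening the object's Properties in the console.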
Unencrypted or publicly exposed data puts confidentiality and integrity at risk and, in the worst case, brings legal consequences and a loss of customer trust. Protecting private data in the cloud from breaches is therefore essential. AWS S3 bucket encryption is one of the controls that protect stored objects; pair it with strict access control, because encryption with S3-managed keys does not stop an authorised identity, or a public bucket policy, from reading the data.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.