S3 Encryption Advance

  • 4 methods of encrypting objects in S3
    • SSE-S3: server-side encryption with keys owned and managed by AWS (AES-256)
      • Set header x-amz-server-side-encryption: AES256
    • SSE-KMS: server-side encryption with keys managed in AWS KMS
      • Advantage: user control over the key (KMS key policy) and an audit trail of every key use in CloudTrail
      • Object is encrypted server side
      • Must set header x-amz-server-side-encryption: aws:kms
      • S3 calls KMS GenerateDataKey on upload and Decrypt on download, so every put/get counts against the KMS API quota; KMS itself only encrypts payloads up to 4 KB, so the object is protected with envelope encryption using a data key rather than being sent to KMS
    • SSE-C: customer-provided keys, when you want to manage the key material yourself
      • The key is passed in headers with every request and is never stored by S3; HTTPS is mandatory for SSE-C
    • Client Side Encryption: the object is encrypted by the client before upload and decrypted after download; the key never leaves the client
  • To protect our S3 bucket (bucket policy)
    • Force SSL/TLS in transit
      • Explicit Deny on s3:* with the condition "aws:SecureTransport": "false" (plain HTTP requests carry that key as false, and an explicit Deny overrides any Allow)
    • Force encryption with SSE-KMS on upload
      • Deny s3:PutObject if the s3:x-amz-server-side-encryption condition key is not aws:kms (StringNotEquals)
      • Deny s3:PutObject if the encryption header is missing altogether (Null: true); this is a separate statement because StringNotEquals does not match when the key is absent from the request, so a single statement would let unencrypted uploads through
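Added example (not from the original notes): the three Deny statements above as a complete bucket policy, plus a deliberately simplified evaluator for the Bool, StringNotEquals and Null operators so the policy can be checked offline against constructed requests. It shows why the "missing header" case needs its own Null statement. The bucket name is hypothetical, the sample requests are constructed, and the evaluator only models Deny statements, action matching and those three operators (no Principal, Resource or Allow evaluation).

```python
"""Bucket policy forcing TLS and SSE-KMS, with a minimal offline condition evaluator."""
import json

BUCKET = "example-bucket"  # hypothetical bucket name

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Plain HTTP requests have aws:SecureTransport == "false"
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Header present but not aws:kms (e.g. AES256)
            "Sid": "DenyWrongEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Header absent: StringNotEquals does not match a missing key, so Null is needed
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def policy_json() -> str:
    """Policy document as it would be passed to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _condition_matches(operator: str, key: str, expected, ctx: dict) -> bool:
    """Simplified IAM semantics: a key missing from the request context makes
    every operator except Null evaluate to false (assumption documented in the notes)."""
    values = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        return (key not in ctx) == (values[0] == "true")
    if key not in ctx:
        return False
    actual = ctx[key]
    if operator == "Bool":
        return actual.lower() == values[0].lower()
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    raise ValueError(f"unsupported operator {operator}")


def _action_matches(pattern: str, action: str) -> bool:
    """Handles exact actions and trailing-wildcard patterns such as s3:*."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def denied_by(policy: dict, action: str, context: dict) -> list:
    """Sids of Deny statements matching the request; empty means not denied.
    Resource matching is skipped: every request is assumed to target BUCKET."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, context)
               for op, kv in conds.items() for k, v in kv.items()):
            sids.append(stmt["Sid"])
    return sids


# Constructed request contexts (action, condition keys present in the request)
SAMPLE_REQUESTS = {
    "http_get": ("s3:GetObject", {"aws:SecureTransport": "false"}),
    "https_get": ("s3:GetObject", {"aws:SecureTransport": "true"}),
    "https_put_no_header": ("s3:PutObject", {"aws:SecureTransport": "true"}),
    "https_put_aes256": ("s3:PutObject", {"aws:SecureTransport": "true",
                                          "s3:x-amz-server-side-encryption": "AES256"}),
    "https_put_kms": ("s3:PutObject", {"aws:SecureTransport": "true",
                                       "s3:x-amz-server-side-encryption": "aws:kms"}),
}


def evaluate_samples() -> dict:
    """Map each sample request name to the Deny Sids that block it."""
    return {name: denied_by(BUCKET_POLICY, action, ctx)
            for name, (action, ctx) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in evaluate_samples().items():
        print(f"{name:22s} -> {'DENIED by ' + ', '.join(sids) if sids else 'allowed by policy'}")
```

Only the HTTPS upload carrying aws:kms passes all three statements; the upload with no header is caught solely by the Null statement, which is the case people miss when they write just the StringNotEquals rule.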