Amazon S3 Server-Side Encryption Types
Server Side Encryption with S3 Managed Key (SSE-S3)
Amazon S3 manages the encryption keys for you; upload and retrieval are fully transparent:
the file is encrypted automatically before it is saved to S3 and decrypted automatically when you request it.
This was the first server-side encryption method supported by Amazon S3;
it was announced by the Amazon S3 team in 2011.
Encryption:
When you upload a file to an SSE-S3 enabled bucket, a new encryption key is generated for each file.
Amazon S3 encrypts the file with that key and then encrypts the key itself
with the S3 master key, which is rotated regularly.
The encrypted file is stored on Amazon S3 together with metadata that contains the per-file encryption key,
itself encrypted with the S3 master key. The metadata is stored in plain-text form.
Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
Decryption:
The file is decrypted automatically when you request it: Amazon S3 reads the encrypted key from the metadata,
decrypts it with the S3 master key, and uses the resulting key to decrypt the file, which is then served back to the customer.
Encryption with CMKs stored in AWS KMS (SSE-KMS)
Server-Side Encryption with Customer Master Keys (CMKs) stored in AWS Key Management Service (SSE-KMS)
gives you more control over the keys: you can create, rotate, and disable customer
managed CMKs. You can also define access controls on the customer managed CMKs and audit their use.
Encryption:
When you upload a file to an SSE-KMS enabled bucket, S3 requests an encryption key from KMS. KMS generates the key
and returns it to S3, which uses it to encrypt the file. The encrypted file is stored
on disk; the encryption key is itself encrypted under the CMK and stored with the file in its metadata.
Decryption:
When you request the file, Amazon S3 reads the encrypted key from the metadata and
decrypts it using the CMK; the resulting key is used to decrypt the file, which is served back to the customer.
Amazon Managed CMKs vs Customer Managed CMKs
You can use the default AWS managed CMK, or you can specify a customer managed CMK that you created beforehand.
To use a customer managed CMK, you must create it first, either in
the AWS Management Console (KMS) or through the KMS API.
If you do not specify a customer managed CMK, a region-specific AWS managed CMK is created automatically
the first time you add an object to an SSE-KMS enabled bucket. It is then used for all further requests that
do not specify a customer managed CMK.
Encryption with customer-provided encryption keys (SSE-C)
You may use your own encryption keys to encrypt data on Amazon S3.
In this case Amazon S3 only performs the encryption and decryption; you manage the keys.
Encryption:
When you upload a file with SSE-C parameters, Amazon S3 reads the encryption key from your request
and uses it to encrypt the file. It also generates a salted HMAC hash of the key, which is used to validate
the decryption key when you request the file back. The encrypted file is stored on S3 together with the key hash.
The encryption key is removed from memory once the file is encrypted and the hash generated.
Decryption:
You provide the decryption key when you request the file. Amazon S3 calculates the hash of the provided key
and compares it with the hash stored with the file; if the hashes match, the provided decryption
key is used to decrypt the file, and the decrypted file is served to you. The decryption key is then removed from memory.
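As an added example (my code, not the original page's or S3 Browser's), the request headers an S3 client sends to select each of the three modes above, using only the Python standard library; the SSE-C part also re-derives the base64 MD5 of the key that S3 checks on every request, which lets a client confirm a key file was not corrupted before it is sent. Header names are the S3 REST API's; any KMS key id passed in is assumed to be one you created in KMS beforehand.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Header names defined by the S3 REST API for the three server-side encryption modes.
SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALGO = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY = "x-amz-server-side-encryption-customer-key"
SSEC_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"

def sse_s3_headers() -> dict:
    """SSE-S3: S3 generates and manages the per-object key; the client only asks for AES256."""
    return {SSE_HEADER: "AES256"}

def sse_kms_headers(cmk_id: Optional[str] = None) -> dict:
    """SSE-KMS: without cmk_id S3 falls back to the region's AWS managed CMK;
    pass the id or ARN of a customer managed CMK created in KMS beforehand."""
    headers = {SSE_HEADER: "aws:kms"}
    if cmk_id:
        headers[KMS_KEY_HEADER] = cmk_id
    return headers

def sse_c_headers(key: bytes) -> dict:
    """SSE-C: the client supplies the 256-bit key on every PUT and GET. The raw key is
    sent base64-encoded together with a base64 MD5 of the raw key so S3 can reject a
    corrupted key. S3 keeps only a salted hash, so a lost key means an unreadable object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        SSEC_ALGO: "AES256",
        SSEC_KEY: base64.b64encode(key).decode("ascii"),
        SSEC_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }

def ssec_key_md5_matches(headers: dict) -> bool:
    """Re-derive the key MD5 from the key header: the integrity check S3 performs on SSE-C keys."""
    raw = base64.b64decode(headers[SSEC_KEY])
    expected = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    return hmac.compare_digest(expected, headers[SSEC_KEY_MD5])

def sse_mode_from_response(headers: dict) -> str:
    """Classify the SSE mode S3 reports for a stored object (e.g. from a HEAD response)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get(SSEC_ALGO) == "AES256":
        return "SSE-C"
    return {"aws:kms": "SSE-KMS", "AES256": "SSE-S3"}.get(lowered.get(SSE_HEADER), "none")
```

Because S3 stores only a hash of an SSE-C key, the key material itself has to be kept and backed up on the client side; S3 offers no recovery path for it.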
Additional resources on SSE support in S3 Browser