There are two ways in which S3 data can be encrypted at rest:
Client-side encryption: data is encrypted before it is sent and is stored as ciphertext. On retrieval the encrypted object is downloaded and decrypted on the client side. This can be achieved with the AWS SDK's client-side encryption support together with KMS, or with a key you manage yourself.
Server-side encryption: data is sent unencrypted to AWS over TLS and AWS is responsible for encrypting it before writing it to disk. On retrieval, AWS reads the encrypted object from disk, decrypts it and returns the plaintext over TLS.
There are two ways to enable S3 server-side encryption. To ensure it applies as a blanket rule to every object in the bucket, it is preferable to set default encryption at the bucket level. Otherwise the client must ask for it on each PUT by sending the header x-amz-server-side-encryption with the value AES256 (SSE-S3) or aws:kms (SSE-KMS). Note that s3:x-amz-server-side-encryption is the matching IAM condition key, used in a bucket policy to deny PUTs that lack the header; it is not the request header itself.
Amazon S3 managed keys (SSE-S3)
- Each object is encrypted with a unique data key using AES-256; the keys are generated and managed by S3 itself, not by KMS
- As an additional safeguard, each data key is itself encrypted with a root key that S3 rotates regularly
Customer master keys in KMS (SSE-KMS)
- uses a CMK stored in KMS
- incurs additional KMS charges (a KMS API call per object written or read)
- separate permission is needed to use the CMK, which adds a second layer of protection beyond the S3 object permissions
- also provides an audit trail in CloudTrail of when the CMK was used and by whom
- you can create and manage customer managed CMKs, or use the AWS managed CMK (aws/s3) that is unique to you, the service and your Region
Customer provided keys (SSE-C)
- you manage the encryption key; AWS performs the encryption as it writes the object to disk and the decryption when the object is accessed. You are responsible for keeping track of which key was used to encrypt which object
- you are responsible for safeguards such as key rotation
- the encryption key is provided as part of the request when using the S3 API
- on PUT you supply both the object and the encryption key. S3 uses the key to encrypt the object before saving it to disk, then removes the key from memory. The request must be made over TLS (S3 rejects SSE-C requests sent over plain HTTP). As mentioned, S3 does not store the encryption key itself, only a randomly salted HMAC of it to validate later requests; it is up to you to manage and track the key, so if you lose it you also lose the ability to decrypt the object
- on GET you must provide the same encryption key as part of the request. S3 checks it against the stored HMAC, decrypts the object, returns the plaintext and removes the key from memory
- if S3 versioning is enabled, i.e. multiple versions of an object are stored, it is your responsibility to keep track of the relationship between objects, object versions and keys
- if a lifecycle rule has transitioned the object to Glacier, you must first restore it to S3, then call the S3 API with the encryption key to read it
- to change the encryption key, use the S3 COPY operation, passing the old key in the copy-source customer-key headers and the new key in the destination customer-key headers
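The headers behind the per-object PUT and the SSE-C flow above, as an added example that is not part of the original notes: the header names and values are the ones S3 actually accepts; the all-zero demo key, the version id and the KeyRegistry type are constructed for illustration (S3 has no such registry, it is what the client has to keep itself). The MD5 header is the detail people get wrong, so it is computed over the raw key bytes here.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Headers for the two service-managed modes. SSE-S3 needs only the mode
// header; SSE-KMS may additionally name the CMK (otherwise the AWS managed
// aws/s3 key is used).
func SSEHeaders(mode, kmsKeyID string) map[string]string {
	switch mode {
	case "SSE-S3":
		return map[string]string{"x-amz-server-side-encryption": "AES256"}
	case "SSE-KMS":
		h := map[string]string{"x-amz-server-side-encryption": "aws:kms"}
		if kmsKeyID != "" {
			h["x-amz-server-side-encryption-aws-kms-key-id"] = kmsKeyID
		}
		return h
	}
	return nil
}

// SSE-C headers. prefix is "x-amz-" for PUT, GET and the destination side of a
// COPY, and "x-amz-copy-source-" for the source side of a COPY. The MD5 is over
// the raw 32 key bytes, not over the base64 text; S3 rejects a mismatch.
func SSECHeaders(key []byte, prefix string) (map[string]string, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("SSE-C requires a 256-bit key, got %d bytes", len(key))
	}
	sum := md5.Sum(key)
	return map[string]string{
		prefix + "server-side-encryption-customer-algorithm": "AES256",
		prefix + "server-side-encryption-customer-key":       base64.StdEncoding.EncodeToString(key),
		prefix + "server-side-encryption-customer-key-MD5":   base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// Key rotation is a COPY of the object onto itself: the old key is presented
// with the copy-source prefix, the new key with the plain prefix.
func RotateSSECHeaders(oldKey, newKey []byte) (map[string]string, error) {
	src, err := SSECHeaders(oldKey, "x-amz-copy-source-")
	if err != nil {
		return nil, err
	}
	dst, err := SSECHeaders(newKey, "x-amz-")
	if err != nil {
		return nil, err
	}
	for k, v := range src {
		dst[k] = v
	}
	return dst, nil
}

// S3 never stores an SSE-C key, so the client must record which key protected
// which object version. This hypothetical registry indexes keys by fingerprint
// so the record itself never holds key material.
type KeyRegistry map[string]string // "bucket/key@versionId" -> key fingerprint

func Fingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

func (r KeyRegistry) Record(bucket, object, versionID string, key []byte) {
	r[bucket+"/"+object+"@"+versionID] = Fingerprint(key)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; never do this for real
	h, _ := SSECHeaders(key, "x-amz-")
	for k, v := range h {
		fmt.Printf("%s: %s\n", k, v)
	}
	reg := KeyRegistry{}
	reg.Record("my-bucket", "report.pdf", "v1", key) // constructed names
	fmt.Println(reg)
}
```

Send the rotation headers on a CopyObject whose source and destination are the same key; S3 decrypts with the old key and re-encrypts with the new one, and the registry entry is updated to the new fingerprint.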
Encryption flow (SSE-KMS)
- Amazon S3 requests a plaintext data key and a copy of that key encrypted under the specified CMK.
- AWS KMS creates a data key, encrypts it using the master key, and sends both the plaintext data key and the encrypted data key to Amazon S3.
- Amazon S3 encrypts the object using the data key and removes the plaintext data key from memory as soon as possible after use.
- Amazon S3 stores the encrypted data key as metadata alongside the encrypted object.
Decryption flow (SSE-KMS)
- Amazon S3 sends the encrypted data key to AWS KMS.
- AWS KMS decrypts the data key using the appropriate master key and sends the plaintext data key back to Amazon S3.
- Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible.
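The envelope-encryption flow above, worked through as an added example rather than code from AWS: a KMS stand-in that holds the master key and only ever hands out data keys (GenerateDataKey) or unwraps them (Decrypt), and an S3 stand-in that stores the wrapped data key next to the ciphertext and zeroes the plaintext key after use. AES-256-GCM is assumed for both the data and the key wrap; the real services' wire formats differ, the key hierarchy does not. The sample payload is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS stand-in: the master key never leaves this struct.
type KMS struct{ master []byte }

func NewKMS() (*KMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KMS{master: k}, nil
}

// seal/open: AES-256-GCM with a random nonce, output is nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// GenerateDataKey: a fresh 256-bit data key plus the same key wrapped under the master key.
func (k *KMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.master, plain)
	return
}

// Decrypt unwraps a data key; this is the only path back to plaintext.
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.master, wrapped) }

// StoredObject is what S3 keeps on disk: ciphertext plus the wrapped data key as metadata.
type StoredObject struct {
	Ciphertext     []byte
	WrappedDataKey []byte // useless without the CMK in KMS
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// PutObject is the S3 side of the encryption flow (the four steps above).
func PutObject(kms *KMS, data []byte) (*StoredObject, error) {
	plain, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(plain) // plaintext data key leaves memory as soon as we are done
	ct, err := seal(plain, data)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, WrappedDataKey: wrapped}, nil
}

// GetObject is the S3 side of the decryption flow (the three steps above).
func GetObject(kms *KMS, obj *StoredObject) ([]byte, error) {
	plain, err := kms.Decrypt(obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(plain)
	return open(plain, obj.Ciphertext)
}

func main() {
	kms, _ := NewKMS()
	obj, _ := PutObject(kms, []byte("constructed sample payload"))
	fmt.Printf("wrapped data key stored as metadata: %d bytes\n", len(obj.WrappedDataKey))
	pt, _ := GetObject(kms, obj)
	fmt.Println(string(pt))
	other, _ := NewKMS() // a different CMK: the object is unrecoverable
	_, err := GetObject(other, obj)
	fmt.Println("decrypt under wrong master key:", err)
}
```

The second KMS instance in main is the point of the exercise: every object carries its own data key, but all of them are only as recoverable as the CMK, and disabling or deleting that CMK makes every object written under it unreadable without touching S3 at all.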
The default encryption setting does not encrypt existing objects, so to ensure all existing data is encrypted as well:
- identify unencrypted objects using S3 Inventory: generate the inventory report and search it for objects whose Encryption Status is NOT-SSE
- with that list, encrypt each object either by re-uploading it with put-object or by copying it onto itself with cp
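The inventory check and the remediation step above, as an added example that is not from the original notes or from AWS: it reads the fileSchema line from the inventory manifest (inventory CSVs carry no header row), picks out the NOT-SSE rows, URL-decodes the keys (assuming url.QueryUnescape matches the encoding in your manifest) and emits one in-place aws s3 cp per current object. Non-current versions are reported rather than copied, because a COPY always produces a new current version and leaves the old one untouched. The schema line and CSV rows are constructed sample data.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: the fileSchema value from an inventory manifest.json and
// a few rows of the CSV it describes.
const sampleSchema = "Bucket, Key, VersionId, IsLatest, IsDeleteMarker, Size, EncryptionStatus"

const sampleCSV = `"my-bucket","reports/q1.pdf","","true","false","1024","SSE-S3"
"my-bucket","reports/q2%20draft.pdf","","true","false","2048","NOT-SSE"
"my-bucket","exports/dump.sql","v2","true","false","4096","NOT-SSE"
"my-bucket","exports/dump.sql","v1","false","false","4000","NOT-SSE"
"my-bucket","tmp/old","v9","true","true","0","NOT-SSE"
"my-bucket","keys.json","","true","false","10","SSE-KMS"
`

type Unencrypted struct {
	Bucket, Key, VersionID string
	IsLatest               bool
}

func columnIndex(schema string) map[string]int {
	idx := map[string]int{}
	for i, name := range strings.Split(schema, ",") {
		idx[strings.TrimSpace(name)] = i
	}
	return idx
}

// FindUnencrypted returns every row whose EncryptionStatus is NOT-SSE, skipping
// delete markers (there is no object body to encrypt).
func FindUnencrypted(schema, data string) ([]Unencrypted, error) {
	col := columnIndex(schema)
	for _, need := range []string{"Bucket", "Key", "EncryptionStatus"} {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("inventory schema lacks %s; add the field to the inventory configuration", need)
		}
	}
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Unencrypted
	for n, r := range rows {
		if len(r) != len(col) {
			return nil, fmt.Errorf("row %d has %d fields, schema has %d", n+1, len(r), len(col))
		}
		if r[col["EncryptionStatus"]] != "NOT-SSE" {
			continue
		}
		if i, ok := col["IsDeleteMarker"]; ok && r[i] == "true" {
			continue
		}
		key, err := url.QueryUnescape(r[col["Key"]]) // inventory keys are URL-encoded
		if err != nil {
			return nil, fmt.Errorf("row %d: bad key encoding: %w", n+1, err)
		}
		u := Unencrypted{Bucket: r[col["Bucket"]], Key: key, IsLatest: true}
		if i, ok := col["VersionId"]; ok {
			u.VersionID = r[i]
		}
		if i, ok := col["IsLatest"]; ok {
			u.IsLatest = r[i] == "true"
		}
		out = append(out, u)
	}
	return out, nil
}

// RemediationCommands emits an in-place copy for each current object, which
// rewrites it with the requested SSE mode (AES256 or aws:kms). Non-current
// versions are returned separately for manual handling.
func RemediationCommands(objs []Unencrypted, sse string) (cmds []string, skipped []Unencrypted) {
	for _, o := range objs {
		if !o.IsLatest {
			skipped = append(skipped, o)
			continue
		}
		uri := fmt.Sprintf("s3://%s/%s", o.Bucket, o.Key)
		cmds = append(cmds, fmt.Sprintf("aws s3 cp '%s' '%s' --sse %s", uri, uri, sse))
	}
	return cmds, skipped
}

func main() {
	objs, err := FindUnencrypted(sampleSchema, sampleCSV)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	cmds, skipped := RemediationCommands(objs, "AES256")
	for _, c := range cmds {
		fmt.Println(c)
	}
	for _, s := range skipped {
		fmt.Printf("# non-current version still unencrypted: %s/%s@%s\n", s.Bucket, s.Key, s.VersionID)
	}
}
```

Run the emitted commands from an identity allowed to PutObject on the bucket; once bucket default encryption is on, the copy picks up SSE even without --sse, but passing it explicitly keeps the script correct for buckets where the default has not been set yet.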
- define a baseline to ensure every S3 bucket in the organisation complies with the baseline policy
- ability to codify the baseline and any policies specific to the organisation
- ability to continuously validate the baseline and any additional policies
- ability to notify when there is a violation
- AWS Organizations service control policies to enforce the baseline policy when an S3 bucket is created
- AWS Config, which provides configuration history and change logs. In addition, it lets you define compliance rules that run automatically. Changes and notifications are sent to CloudWatch, where alerts can be set up to notify the team if anything suspicious is found
- AWS Trusted Advisor is another tool that can be run to find potential issues
- AWS CloudTrail stores all API calls, which gives us an event history and enables security analysis and resource change tracking
- Amazon Macie is a machine learning offering that automatically discovers exposed sensitive data
- S3audit
Server-side and client-side encryption
https://aws.amazon.com/blogs/aws/s3-encryption-with-your-keys/
https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/
https://cloudonaut.io/encrypting-sensitive-data-stored-on-s3/
https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
Encrypt existing data
https://aws.amazon.com/blogs/aws/s3-encryption-with-your-keys/
Fitness function ideas
https://medium.com/devtechblogs/enforcing-and-monitoring-security-on-aws-s3-69af3700302
https://medium.com/the-scale-factory/securing-s3-buckets-with-s3audit-a8cb989cb861