Hey guys, hope you are doing well with your preparation to become AWS Certified. Whether you are preparing for the AWS Solutions Architect Associate exam or for the AWS SysOps Administrator Associate exam, here is another important topic: S3 Server-Side Encryption. It is an important topic for both of these associate-level AWS certifications, so this article will be an important resource in your preparation.
We have received a lot of queries regarding the difference between SSE-S3, SSE-C, and SSE-KMS. These are basically the S3 Server-Side Encryption methods. Let us discuss how to protect your data at rest in S3 using server-side encryption.
S3 Server-Side Encryption Methods
AWS provides three ways to protect your data at rest in S3 using server-side encryption:
- SSE-S3 (default)
- SSE with customer-provided keys (SSE-C)
- SSE with AWS KMS (SSE-KMS)
SSE-S3 encrypts data at rest using the 256-bit Advanced Encryption Standard (AES-256). Each object is encrypted with a unique data/object key, and each data/object key is in turn encrypted with a master key (envelope encryption) that is rotated regularly to prevent the data from being compromised. Unlike SSE-KMS, SSE-S3 carries no additional charges beyond the S3 storage you are using.
How does S3 Server-Side Encryption Work?
To encrypt objects, you need a data key. To generate a data key, you can specify a CMK (Customer Master Key) that you have already created; otherwise, S3 will request AWS KMS to create a default CMK, which can then be used to create a data key.
Using the encryption algorithm (AES-256), the CMK creates two keys: a plaintext data key and an encrypted data key.
S3 encrypts the object with the plaintext data key and then deletes that key from memory. The encrypted object is stored in S3 along with the encrypted data key.
When the object is retrieved, S3 sends the encrypted data key to KMS. KMS matches the correct CMK, decrypts the encrypted data key, and sends the plaintext data key back to S3. S3 then decrypts the object with this plaintext data key and returns it.
Note: The working is the same for SSE-S3, SSE-KMS, and SSE-C. The images have been taken from the AWS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
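The flow described above, as a local simulation. This is an added example, not AWS code and not part of the original article: `ToyKms` and `ToyBucket` are hypothetical stand-ins for KMS and S3, no AWS API is called, and AES-256 in GCM mode is the example's own choice of mode.

```javascript
// Added illustration: envelope encryption simulated locally with Node's crypto module.
const crypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout: 12-byte IV | 16-byte auth tag | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if key or data is wrong
}

// ToyKms (hypothetical): the master key (CMK) never leaves this object.
class ToyKms {
  #cmk = crypto.randomBytes(32);
  generateDataKey() {
    const plaintextKey = crypto.randomBytes(32);
    return { plaintextKey, encryptedKey: seal(this.#cmk, plaintextKey) };
  }
  decrypt(encryptedKey) { return open(this.#cmk, encryptedKey); }
}

// ToyBucket (hypothetical): persists only the ciphertext and the encrypted data key.
class ToyBucket {
  constructor(kms) { this.kms = kms; this.store = new Map(); }
  putObject(name, data) {
    const { plaintextKey, encryptedKey } = this.kms.generateDataKey(); // unique key per object
    const ciphertext = seal(plaintextKey, Buffer.from(data));
    plaintextKey.fill(0); // drop the plaintext data key from memory
    this.store.set(name, { ciphertext, encryptedKey });
  }
  getObject(name) {
    const { ciphertext, encryptedKey } = this.store.get(name);
    const plaintextKey = this.kms.decrypt(encryptedKey); // only the key holder can unwrap
    try { return open(plaintextKey, ciphertext).toString(); }
    finally { plaintextKey.fill(0); }
  }
}

function demo() {
  const bucket = new ToyBucket(new ToyKms());
  bucket.putObject('report.txt', 'constructed sample object'); // constructed sample data
  return bucket.getObject('report.txt');
}
```

Because the stored record holds only the wrapped data key, read access to the bucket contents alone is not enough to recover an object; access to the master key is the control point.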
SSE with AWS KMS (SSE-KMS)
SSE-KMS is similar to SSE-S3 but comes with some additional benefits. Unlike SSE-S3, you can create and manage the encryption keys yourself, or you can use a default CMK that is unique to you for the service being used (S3 in this case) and the region you are working in.
When you create a CMK using KMS instead of using the default CMK, you get more flexibility, as you can create, rotate and disable the encryption keys. Because KMS is integrated with CloudTrail, with SSE-KMS you can also audit the usage of the key: when, by whom, and for what purpose the key was used. You can also give separate permissions for the use of an envelope key.
SSE with Customer-Provided Keys (SSE-C)
With SSE-C, the client manages the encryption keys itself, whereas AWS manages the encryption/decryption part. As with SSE-S3, there are no additional charges. The client has to send the encryption key along with the object to be uploaded in the request. S3 then encrypts the object using the provided key, and the object is stored in S3. Note that the encryption key is deleted from the system.
When the user wants to download or retrieve the object, they have to supply the encryption key in the request. S3 first verifies that it is the correct encryption key; after a successful match, it decrypts the object and returns it to the client.
Hope this article helped you understand S3 Server-Side Encryption, which is one of the most important topics in the AWS Solutions Architect Associate exam and the AWS Certified SysOps Administrator Associate exam. Besides, Whizlabs also offers online courses and practice test series for the AWS Certified Solutions Architect Associate exam and the AWS Certified SysOps Administrator Associate exam. Join us now to prepare for and pass the AWS certification exams.
- An Introduction to S3 Server-Side Encryption (SSE) - February 18, 2019