AWS S3 – Client and Server Side Encryption

Encryption is one of the most basic requirements for ensuring data privacy, especially for end-to-end protection of data transmitted across networks. Plain text is encrypted using an encryption algorithm and an encryption key. Encryption converts the readable text to an unreadable text which is called ciphertext (encrypted data).

In today’s blog, we will discuss various encryption options of the AWS Simple Storage Service known as S3. S3 is highly reliable, secure, and inexpensive compared to on-premises (On-prem) data storage for storage-intensive applications e.g. Hadoop EMR. S3 stores the data as objects called “Buckets” and each object can be up to 5 TB in size.

Encryption Methodologies

AWS S3 offers both encryption methodologies, Encryption in Transit and Encryption at Rest.

Encryption in Transit

Encryption in Transit for Amazon S3 can be facilitated with the help of SSL/TLS at the client end as well as with the below similar bucket policy at the bucket level:

{
  "Id": "Policy1600282742195",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1600282739517",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::mysecures3buket",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

Encryption at Rest

Encryption at Rest can further be classified into Client-side encryption and Server-side encryption as well. For both server-side and client-side encryption, AWS utilizes AES-256 with Galois Counter Mode (GCM) for any symmetric key encryption operations. GCM provides authenticated encryption by adding a unique tag to the ciphertext which verifies that the encrypted data has not been tampered with in any way.

Client-side Encryption

In Client-side encryption, the data is encrypted before sending it to the S3 bucket. To implement Client-side encryption in S3, we have the following two options:

• Use a CMK (customer master key) stored in AWS KMS (Key Management Service)
• Use a Customer provided master key stored in the customer’s proprietary application

Note: Your client-side master keys and your unencrypted data are never sent to AWS. It’s really important that you manage your encryption keys with the utmost care. If you lose them, you can’t decrypt your data.

Server-side Encryption

In Server-side encryption, the data is encrypted after being sent to the S3 bucket and before storing it in the S3 bucket.

Server-side encryption has the following three options:

1. Use Amazon S3-managed keys (SSE-S3)In this, the key material and the key will be provided by AWS itself to encrypt the objects in the S3 bucket.
2. Use CMK (Customer Master key) in AWS KMS (SSE-KMS)In this, key material and the key will be generated in AWS KMS service to encrypt the objects in S3 bucket.
3. Use a Customer provided encryption key (SSE-C)In this, the key will be provided by the customer and Amazon S3 manages the encryption and decryption process while uploading/downloading the objects into the S3 bucket.

With SSE-S3, Amazon S3 managed Server-side encryption uses one of the most secure block Ciphers, AES -256 (Advanced Encryption Standard) bit, to encrypt each object with a unique key which means no overlapping keys are used for encrypting the objects. Also, these unique keys are encrypted with a Master key which is rotated regularly to yield additional data security.

With SSE-KMS, Amazon S3 uses the AWS KMS functionality to encrypt the data in the S3 bucket. Combining Amazon S3 with the AWS KMS provides a perfect blend of security and availability.

Diagrammatic illustration of how SSE-KMS works

1. CMK, using the encryption algorithm (AES-256), creates two keys, one is a plaintext data key and the other is an encrypted data key.

   

2. While uploading the object to the S3 bucket, S3 encrypts the object with the plaintext data key. The encrypted object (Ciphertext) along with the encrypted data key is then stored in S3.

   

3. While downloading the object from the S3 bucket, S3 sends the encrypted data key to KMS. KMS matches the correct CMK, then it decrypts the encrypted data key and sends the plaintext data key to S3. S3 then downloads the object by decrypting the object with this plaintext data key.

   

While using SSE-KMS, you can have the following combinations:

1. Customer Managed CMK (Customer Master Key)This is a use case where you want to have complete control over the CMK i.e. you may create, rotate, disable, audit, and have complete access control who can use it. If you want to use Customer Managed CMKs, you can create it under the AWS KMS console before using it at the S3 level.
2. AWS Managed CMK (Customer Master Key)This is a use case where you do not specify a Customer Managed CMK. To facilitate the process for users, Amazon S3 automatically creates an AWS managed CMK in the AWS account the first time that you add an object encrypted with SSE-KMS to a bucket. By default, Amazon S3 uses this CMK for SSE-KMS.

Note: All requests (GET and PUT) for an object encrypted by SSE-KMS will give an error if they are not made via https or using SigV4. Amazon SigV4 is an authentication mechanism supported by Amazon S3 for signing the API requests. This enables Amazon S3 to perform the sender/source identification and protects your requests from bad actors.

• Server-side encryption encrypts only the object data, not the object metadata.

With SSE-C, Amazon S3 performs Server-side encryption with customer-provided encryption keys. With the encryption key provided by the user, Amazon S3 manages the encryption and decryption process while writing and accessing the data on disks consecutively. Since the management of encryption and decryption is taken care of by Amazon S3, there is no requirement to manage the code at the user level. The only requirement from a user perspective is to manage the encryption keys.Amazon S3 uses AES-256 bit encryption to encrypt the data with the customer provided key and removes the key from its memory post completion of the encryption process whereas, in the decryption process, it first verifies and matches if the same key is provided (which was provided during the encryption) and then decrypts the data and make it available to the user.

Note: Amazon S3 does not store the encryption key, rather, it stores a randomly salted HMAC (hash-based message authentication code) value of the encryption key to validate future requests. The salted HMAC value cannot be used to derive the actual encryption key or to decrypt the contents of the encrypted data which means if you lose the encryption key, you lose the data.

Comparison of S3 encryption options

S3 offers multiple options to encrypt the data in the S3 bucket. The following table summarizes all the available options to encrypt the data at rest and data in transit:

Conclusion

Amazon S3 is very well suited if you have an environment with various applications generating a large amount of data. The very reason to choose S3 is not only the fact that it can store the mammoth volume of data at cheaper rates, but it’s durable, scalable, and highly available as well. Data privacy and compliance are vital when it comes to data security, which can be achieved using various encryption methods that Amazon S3 offers. With the use of multiple S3 encryption options, you can relax without worrying about any data being compromised.