
Encryption at rest with S3

13 Nov, 2018

Amazon Simple Storage Service (S3) is a service that stores objects by key and value. The data associated with a key can easily be accessed through a web service API. S3 is a core service of AWS and is perfectly suited for storing log data. Data stored in S3 ultimately ends up on a persistent medium like a hard disk. By default, the bits and bytes that make up a stored object are written to that disk in plain text, which means unencrypted. S3 supports a feature called ‘encryption at rest’ that encrypts the data before it is written to disk. When you request data from S3, the data is first decrypted and then returned. Encryption at rest is a free feature of S3. Let's see how to enable it!

Enabling Encryption at Rest

S3 encryption at rest, or Server Side Encryption (SSE), can be controlled per object by adding an x-amz-server-side-encryption header to the request when uploading a file to S3. There is also a bucket-level option called Default Encryption that encrypts all new objects with a default encryption strategy. The supported strategies are SSE-S3, server side encryption with keys managed by AWS, and SSE-KMS, server side encryption with keys managed by AWS KMS. The example below enables SSE-S3, which means that AWS manages the encryption key and also rotates it.

  EUBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: BucketOwnerFullControl
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

Example

The example project shows how to configure a bucket with encryption at rest. The example can be deployed with make deploy and removed with make delete.

Conclusion

Encryption at rest is a free feature of Amazon S3. When enabled, all objects stored to S3 from then on will be encrypted at rest. Objects that existed before the setting was enabled will not automatically be encrypted. Objects that were already encrypted with an encryption scheme are also not affected by the setting. I advise enabling S3 encryption at rest for all buckets in your AWS account.
If you liked this blog, you might also like encryption at rest in Google Storage Buckets.
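As an added example (not part of the original post or its example project), the check below reads a bucket's default-encryption configuration and flags objects that were stored without server-side encryption, which is exactly the set of pre-existing objects the conclusion warns about. The audit_bucket function assumes a boto3 S3 client and network access; the sample responses are constructed in the shape boto3 returns so that the rest runs offline.

```python
"""Audit S3 default encryption and find objects that predate it (added example)."""
from typing import Iterable, Optional, Tuple

# Algorithms that mean the object is encrypted at rest: SSE-S3 and SSE-KMS.
ACCEPTED_ALGORITHMS = ("AES256", "aws:kms")

def default_encryption_algorithm(config: Optional[dict]) -> Optional[str]:
    """Return the default SSE algorithm from a GetBucketEncryption result, or None."""
    if not config:
        return None
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        alg = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if alg in ACCEPTED_ALGORITHMS:
            return alg
    return None

def unencrypted_keys(objects: Iterable[Tuple[str, dict]]) -> list:
    """Given (key, HeadObject response) pairs, return keys stored without SSE.
    HeadObject exposes the x-amz-server-side-encryption header as the
    'ServerSideEncryption' field, which is absent for unencrypted objects."""
    return [key for key, head in objects
            if head.get("ServerSideEncryption") not in ACCEPTED_ALGORITHMS]

def audit_bucket(bucket: str, s3) -> dict:
    """Live audit with a boto3 S3 client (needs network access and credentials)."""
    from botocore.exceptions import ClientError  # lazy import: offline use needs no boto3
    try:
        config = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        config = None  # no default encryption configured on this bucket
    heads = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            heads.append((obj["Key"], s3.head_object(Bucket=bucket, Key=obj["Key"])))
    return {"default_encryption": default_encryption_algorithm(config),
            "unencrypted": unencrypted_keys(heads)}

# Constructed sample responses in the shape boto3 returns (not from a real account).
SAMPLE_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_HEADS = [
    ("logs/2018-11-13.log", {"ServerSideEncryption": "AES256", "ContentLength": 512}),
    ("logs/2018-01-01.log", {"ContentLength": 1024}),  # uploaded before the setting
    ("logs/kms.log", {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": "PLACEHOLDER-KEY-ARN"}),
]
```

On the constructed sample, unencrypted_keys(SAMPLE_HEADS) returns ['logs/2018-01-01.log'], the object uploaded before default encryption was switched on; re-uploading or copying such objects in place is what brings them under the setting.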
