How to Configure Encryption for S3 Buckets
Modifying Default Encryption Settings for S3 Buckets
To enhance the security of S3 buckets, you must ensure encryption is properly enabled. Amazon gives you the ability to set default encryption settings in order to automatically encrypt all objects that are stored within an S3 bucket. In this demo, our AWS expert will teach you how to configure the default encryption settings for S3 buckets and verify those settings by analyzing objects’ details.
Starting from your Amazon S3 console, click into a bucket. Open the Properties tab for that bucket, then we’ll edit the Default Encryption settings. In this new window, when you enable Server-Side Encryption, you’re presented with two options for Encryption Key Type:
- SSE-S3: Encryption keys that are owned by AWS. There is no user control over encryption keys, so you do not directly see or use keys for encryption or decryption purposes.
- SSE-KMS: AWS KMS provides the keys used to encrypt S3 data, but users can manage the CMK.
Once you’ve saved your changes to the default encryption settings, you can upload a new object to the bucket, then navigate to the object’s Details to verify that your encryption configuration worked. Note that the default applies only to objects uploaded after the change; objects already in the bucket keep whatever encryption they had. For a visual guide on how to configure encryption for S3 buckets, watch the full demo.
Learn more about enabling Amazon S3 default bucket encryption.
So, you can see, here, that we are logged in to our S3 console and we don’t have any buckets created. So, the first thing we are going to do is create a bucket. We’re just going to give it a name, randyslab-s3-bucket. Hopefully that’s unique. We’re going to leave all the other settings alone, just to demonstrate a key concept about working with these encryption settings. We’ll create the bucket. First thing that we’ll do is that we will upload a file. We’re just going to choose some placeholder text here. We’re not going to make any other changes to this file, we’re just going to go ahead and upload it directly. You can see here that we have success. We have our first object in the bucket.
Now, let’s go change the properties on our bucket and change the default encryption settings. The key concept to remember here is that when you change these settings, these are the default settings for all files going forward, not for files that have already been uploaded. You can see here that we have a couple of options – we have our SSE-S3 and we have SSE-KMS as our first level of options.
Let’s explain SSE-S3 quickly. This is an AWS-owned key. It is a key that doesn’t even show up in our KMS console. It is a service-wide key that is used by S3. Another important thing to remember about S3 encryption is that each file that you upload receives its own data key. They actually call it a customer data key, or a CDK. This is the key that is actually used to encrypt the data. That key, itself, is encrypted with this setting that you have here. When you’re using SSE-S3, any process, any user, even if the bucket itself is labeled as public, anything that can successfully issue a read request is going to receive back the plain text file. S3 will automatically decrypt that and give that back to the requesting process, the requesting user, the requesting browser, so on and so forth. That may be okay in some use cases. Maybe you’re going to use this S3 bucket for CloudFront and this is your JPEGs and other static content that make up your website, in which case, that’s probably just fine. But there are a number of use cases where that is not the desired behavior.
In those cases, you may want to have more control over the key, in which case you would select SSE-KMS. Now, you can see here, we have even more options that are exposed. This first option here, AWS managed key, this is a key that shows up in your KMS console. You don’t have to pay for this key. This is wrapped up just in your S3 usage. But you also can’t establish policy, you can’t establish your own key rotation parameters, you can’t establish a lot of things around this. So, the only difference between these two is that under the AWS managed key, this is a key that is unique to your use of S3, whereas up here on SSE-S3, this is a key that is used by all users of S3. The one option that gives you the most control is to use a customer master key that you, yourself, have established. You can define policy on this key. You can define its rotation parameters. We’ll cover these things in another video, but I am going to go ahead and do this option because I created a key in advance. Then, this bucket key, you should definitely read up on this if you’re talking about a new bucket, this is probably an option that would make sense for you as it will help you reduce cost. But for an existing bucket, you probably need to understand some of the things that will change if you enable that.
So, we just changed our default policy, and you can see that we are now enabled with an AWS KMS master key using our own key that we established. Now, if I come back over here to “Objects,” there’s the upload, add the file, put in our second file, and I’m going to upload that without making any other changes. Now, you see, we have two files. Let’s take a look at each of them. On the first file, we scroll down here, “Server-Side Encryption Settings” is disabled, just as we might expect. Now, we can change this. We can change this through the console or we can change this programmatically, by using API calls or CLI or something like that. We can now enable and set it up exactly the same. So, now, we are changing the encryption settings on just this one file – success! Sure enough, if we come back and we look at the second file, we should see that it is already set up to be encrypted.
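The procedure from the summary above and the demo's programmatic route (setting the bucket default, re-encrypting the object that was uploaded before the change, then checking each object's details) as an added example, not code from the original page. It uses the real boto3 `put_bucket_encryption`, `copy_object` and `head_object` calls, but the live run is isolated in one function; the key ARN, bucket name and object names are placeholders, and the two head_object responses are constructed to mirror the demo's first and second file.

```python
"""Configure SSE-KMS as the S3 bucket default and verify per-object encryption."""

# Constructed head_object responses (not real AWS output): the first object was
# uploaded before the default was changed, the second after it was saved.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"  # placeholder
SAMPLE_HEADS = {
    "first-file.txt": {"ContentLength": 12},
    "second-file.txt": {"ContentLength": 12, "ServerSideEncryption": "aws:kms",
                        "SSEKMSKeyId": KEY_ARN, "BucketKeyEnabled": True},
}

def sse_kms_config(kms_key_arn, bucket_key=True):
    """Build the ServerSideEncryptionConfiguration for put_bucket_encryption."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": bucket_key,  # S3 Bucket Key reduces KMS request cost
    }]}

def verify_sse_kms(head, expected_key_arn):
    """Classify a head_object response as (ok, reason) against the expected CMK.
    An object uploaded before the default was set carries no SSE field at all,
    which is the pitfall the demo points out."""
    alg = head.get("ServerSideEncryption")
    if alg is None:
        return False, "not encrypted: uploaded before default encryption was set"
    if alg == "AES256":
        return False, "SSE-S3 (AWS-owned key), not the customer managed key"
    if alg == "aws:kms" and head.get("SSEKMSKeyId") != expected_key_arn:
        return False, "SSE-KMS with unexpected key " + str(head.get("SSEKMSKeyId"))
    return True, "SSE-KMS with the expected customer managed key"

def apply_default_and_reencrypt(s3, bucket, key, kms_key_arn):
    """Set the bucket default, then re-encrypt one existing object in place with
    copy_object (the API equivalent of editing that object's encryption in the
    console) and verify the result. Requires a live boto3 S3 client."""
    s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=sse_kms_config(kms_key_arn))
    s3.copy_object(Bucket=bucket, Key=key, CopySource={"Bucket": bucket, "Key": key},
                   ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_arn,
                   MetadataDirective="COPY")
    return verify_sse_kms(s3.head_object(Bucket=bucket, Key=key), kms_key_arn)

if __name__ == "__main__":
    import boto3  # only needed for the live run against a real bucket
    s3 = boto3.client("s3")
    print(apply_default_and_reencrypt(s3, "randyslab-s3-bucket", "first-file.txt", KEY_ARN))
    for name, head in SAMPLE_HEADS.items():  # offline check of the constructed responses
        print(name, verify_sse_kms(head, KEY_ARN))
```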