Amazon Web Services has finally taken action to prevent one of the most widespread data leaks in the cloud: S3 buckets that lack encryption. As a result, Amazon Web Services will now encrypt all new objects server-side at no extra charge.
AWS provides customers with three different encryption methods: SSE-S3, AWS Key Management Service keys (SSE-KMS), and customer-provided encryption keys (SSE-C). IT administrators can confirm whether default object-level encryption is enabled on their buckets by configuring AWS CloudTrail data event logs.
Encryption
Encryption is a security measure designed to protect data from unauthorized access by third parties. It’s often employed when protecting customer payment card data or other sensitive information, as well as helping ensure compliance with regulations like the PCI DSS (Payment Card Industry Data Security Standard).
Since 2011, server-side encryption (SSE-S3) has been enabled by default for all new objects stored in an S3 bucket. SSE-S3 relies on Advanced Encryption Standard (AES) encryption with 256-bit keys managed by AWS.
When an object is uploaded to S3, its data is encrypted with a unique key known as a data key. This key is generated under a Customer Master Key (CMK), and the object is encrypted with AES-256.
Once an object has been encrypted, it is stored in the storage system along with a copy of its data key. This makes decrypting the data difficult without access to that key. When an object is removed from S3, its encrypted data key is erased as well.
S3 offers three levels of encryption: default (SSE-S3), customer provided keys (SSE-C), and AWS Key Management Service (SSE-KMS). Customers may select which method they would prefer to utilize.
For the simplest solution, enable default encryption for your buckets – this automatically encrypts all object uploads by default and frees up time to focus on other data security tasks.
However, data encryption can be a real obstacle for some users. Fortunately, AWS offers a bucket policy that requires clients to use default encryption settings when uploading data into an AWS bucket.
You can apply this policy to a single file or to small groups of files or objects. Be aware, however, that encrypting many objects at once may generate excessive log output, so it's best to start by disabling logging and moving unencrypted files to a temporary bucket before applying encryption.
If the logged events appear to be unimportant, further investigation is recommended. AWS suggests checking Amazon CloudTrail logs, S3 Inventory and Storage Lens logs as well as the AWS console for further insight.
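The CloudTrail check mentioned above can be automated. The following is an added example, not code from the article or from AWS: it walks constructed CloudTrail S3 data-event records (the bucket names, keys and values are invented; the `SSEApplied` field and event names follow the CloudTrail record layout) and reports object writes that landed with no server-side encryption, buckets in a mixed encryption state, and buckets whose uploads were only encrypted because the bucket default kicked in.

```python
import json

# Constructed CloudTrail S3 data-event records (not real logs). Field names follow
# the CloudTrail record layout; bucket names, object keys and values are invented.
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventName": "PutObject",
   "requestParameters": {"bucketName": "example-default-enc", "key": "a.csv"},
   "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
  {"eventName": "PutObject",
   "requestParameters": {"bucketName": "example-kms", "key": "b.csv",
                         "x-amz-server-side-encryption": "aws:kms"},
   "additionalEventData": {"SSEApplied": "SSE_KMS"}},
  {"eventName": "PutObject",
   "requestParameters": {"bucketName": "example-legacy", "key": "c.csv"},
   "additionalEventData": {}},
  {"eventName": "GetObject",
   "requestParameters": {"bucketName": "example-legacy", "key": "old.csv"},
   "additionalEventData": {"SSEApplied": "SSE_S3"}}
]}
""")

# Object-write events; only these tell us how the stored copy was encrypted.
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

def sse_applied(event):
    """SSEApplied value recorded for the event, or None when no SSE was applied."""
    return (event.get("additionalEventData") or {}).get("SSEApplied")

def writes(records):
    return [e for e in records if e["eventName"] in WRITE_EVENTS]

def unencrypted_writes(records):
    """(bucket, key) pairs written with no server-side encryption at all."""
    return [(e["requestParameters"]["bucketName"], e["requestParameters"]["key"])
            for e in writes(records) if sse_applied(e) is None]

def encryption_by_bucket(records):
    """Per bucket, the set of SSE modes seen on writes; more than one mode, or
    'NONE', means the bucket's objects are in a mixed encryption state."""
    summary = {}
    for e in writes(records):
        bucket = e["requestParameters"]["bucketName"]
        summary.setdefault(bucket, set()).add(sse_applied(e) or "NONE")
    return summary

def buckets_relying_on_default(records):
    """Buckets where clients never sent x-amz-server-side-encryption and only the
    bucket default (SSEApplied starting with 'Default_') encrypted the data."""
    return sorted({e["requestParameters"]["bucketName"] for e in writes(records)
                   if (sse_applied(e) or "").startswith("Default_")
                   and "x-amz-server-side-encryption" not in e["requestParameters"]})
```

Pointing the same functions at the `Records` array of a real CloudTrail delivery file gives the picture the article recommends gathering before and after enabling encryption.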
Encryption is an effective tool for protecting data, but it won’t guarantee a 100% secure environment on AWS. You must remain alert to other possible avenues in which hackers and other intruders could gain access.
Decryption
Recently, AWS announced the encryption of S3 buckets by default. This helps safeguard the sensitive data in your buckets against unauthorized access, malware, hackers, and other cyberattacks.
This is an important step towards creating a more secure cloud environment and will enable you to meet regulatory obligations. Furthermore, by utilizing this new service, you can reduce costs associated with managing encryption keys.
With server-side encryption, S3 combines the object data with your AES-256 key to generate an encrypted version of the object. This is stored on S3 along with your AES-256 key, which is then deleted from S3.
After retrieving an object from S3, the client must supply the correct encryption key in order to decrypt it. Once received, S3 decrypts and returns the object back to its owner.
KMS-Managed Keys
S3 utilizes AWS Key Management Service (KMS) to manage its customer master keys (CMKs) for encrypting and decrypting objects. KMS boasts a highly secure, scalable architecture that supports various key sizes.
KMS is a key management system designed specifically for the cloud, enabling you to set policies that govern how keys are used. Furthermore, you can audit your key usage in order to confirm if you are meeting security and compliance obligations.
For example, you can create a policy that prevents objects from being uploaded to an S3 bucket unless the request includes an x-amz-server-side-encryption header, making server-side encryption mandatory for the request. This helps enforce your S3 bucket policy by rejecting unencrypted requests before they are written.
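To make the policy from the previous paragraph and the bucket policy mentioned earlier under Encryption concrete, here is an added example (not from the article or from AWS): a constructed bucket policy with two Deny statements, plus a small evaluator for the `Null` and `StringNotEquals` condition operators so you can see which uploads it rejects. The bucket name is a placeholder, and the evaluator is a simplified model of IAM evaluation (explicit Deny wins; an Allow from elsewhere is assumed), not the IAM engine.

```python
import json

# Constructed bucket policy following the pattern described above (bucket name is
# a placeholder). Two Deny statements: one fires when the encryption header is
# absent, one when it names anything other than SSE-KMS.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}
""")

def condition_matches(operator, key, expected, context):
    """Evaluate one IAM condition entry against the request context."""
    actual = context.get(key)
    values = expected if isinstance(expected, list) else [expected]
    if operator == "Null":
        # Null "true" matches when the key is absent, "false" when it is present.
        return (actual is None) == (values[0] == "true")
    if actual is None:
        # IAM rule: a missing key fails positive operators and satisfies negated ones.
        return operator == "StringNotEquals"
    if operator == "StringEquals":
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    raise ValueError(f"unsupported operator: {operator}")

def statement_matches(stmt, action, context):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return action in actions and all(
        condition_matches(op, key, exp, context)
        for op, entries in stmt.get("Condition", {}).items()
        for key, exp in entries.items())

def denied_by(policy, headers):
    """Sids of the Deny statements a PutObject carrying these headers would trip.
    Simplified model: an explicit Deny wins; an Allow from elsewhere is assumed."""
    headers = {k.lower(): v for k, v in headers.items()}
    context = {"s3:x-amz-server-side-encryption": headers.get("x-amz-server-side-encryption")}
    return sorted(s["Sid"] for s in policy["Statement"]
                  if s["Effect"] == "Deny" and statement_matches(s, "s3:PutObject", context))
```

Note that a request without the header trips both statements, so once bucket default encryption is in place the `Null` statement mainly rejects clients that never set the header explicitly, even though the default would have encrypted their objects.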
Bucket Keys
Instead of using an individual KMS key for each KMS-encrypted object, AWS S3 enables the use of bucket-level keys generated by AWS Key Management Service. Each bucket-level key generates a unique data key for each object added to the bucket, cutting down on the traffic and processing required when requesting KMS services from AWS KMS.
Bucket-level keys can help reduce overall KMS expenses by granting access to objects already managed with different keys. This can be a considerable savings for applications accessing millions of objects each month, as it reduces the number of KMS requests required to complete encryption operations.
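The saving described in this section is easiest to see by counting KMS requests. The following is an added example, not code from the article or from AWS: a stand-in KMS client that only counts GenerateDataKey calls, one path that requests a data key per object (SSE-KMS without Bucket Keys) and one that requests a single bucket-level key and derives per-object keys from it. Deriving with HMAC-SHA256 is this model's assumption; the article does not describe S3's internal derivation, and the real bucket-level key is time-limited rather than used forever.

```python
import hashlib
import hmac
import secrets

class CountingKms:
    """Stand-in for AWS KMS (constructed, not boto3): hands out random 256-bit data
    keys and counts how many GenerateDataKey requests were made."""
    def __init__(self):
        self.generate_data_key_calls = 0

    def generate_data_key(self, kms_key_id):
        self.generate_data_key_calls += 1
        # Plaintext data key; the KMS-encrypted copy is omitted from this model.
        return secrets.token_bytes(32)

def data_keys_without_bucket_key(kms, kms_key_id, object_names):
    """SSE-KMS without Bucket Keys: one KMS request for every object written."""
    return {name: kms.generate_data_key(kms_key_id) for name in object_names}

def data_keys_with_bucket_key(kms, kms_key_id, object_names):
    """SSE-KMS with an S3 Bucket Key: a single KMS request yields a bucket-level
    key, and each object still gets its own key derived locally from it.
    HMAC-SHA256 over the object name is this example's assumption."""
    bucket_key = kms.generate_data_key(kms_key_id)
    return {name: hmac.new(bucket_key, name.encode(), hashlib.sha256).digest()
            for name in object_names}

def kms_calls_for(n_objects, use_bucket_key):
    """Return (KMS requests made, number of distinct per-object keys) for a batch
    of n_objects uploads under one KMS key (placeholder alias)."""
    kms = CountingKms()
    names = [f"obj-{i}" for i in range(n_objects)]
    derive = data_keys_with_bucket_key if use_bucket_key else data_keys_without_bucket_key
    keys = derive(kms, "alias/example-placeholder-key", names)
    return kms.generate_data_key_calls, len(set(keys.values()))

if __name__ == "__main__":
    for flag in (False, True):
        calls, distinct = kms_calls_for(1000, flag)
        print(f"bucket key {'on ' if flag else 'off'}: {calls} KMS calls, {distinct} distinct object keys")
```

The second figure in each result is the point of the design: the request count collapses while every object still carries a distinct data key.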
Key Management
Key management in S3 buckets allows you to encrypt and decrypt data with one of the strongest block ciphers available: 256-bit Advanced Encryption Standard (AES-256). Furthermore, different encryption algorithms – server-side or customer-provided – are available depending on how much control you want over the encryption and decryption process.
Enabling server-side encryption for a bucket encrypts its contents with an AES-256 key generated on Amazon's servers. This key can be managed either by AWS or by KMS and is unique to your application; S3 then encrypts and decrypts data with that same key as it writes to disk or retrieves it.
S3 differs from SSE-C in that it stores the encryption keys and encrypted data keys within each object’s metadata. When your client needs access to an object, simply use its encrypted key and data key combination to unlock it and download its contents.
AWS provides predefined policies to encrypt your buckets and restrict client access. These are easy to implement and a great place to begin.
Simon Data, a customer data platform designed for growth, was facing high AWS Key Management Service (AWS KMS) costs due to requests from its clients to decrypt billions of objects stored in S3. To reduce these expenses and boost data access speed, they turned to AWS’ new Bucket Key feature.
Simon Data achieved significant cost savings on AWS KMS with Bucket Keys enabled, as requests from S3 to KMS were reduced.
Simon Data needed to guarantee that all objects stored in their buckets were encrypted using either an AWS-managed key, a KMS-managed key, or both. To guarantee this, they created a bucket policy stipulating that all uploaded data must be encrypted using SSE-S3/AES-256 or an alternative encryption algorithm.
They then implemented a bucket policy that restricted access to their encrypted buckets only to users with appropriate IAM privileges. Furthermore, they created a bucket-level key which they utilized for authentication and encryption operations.
Performance
Many businesses rely on S3 buckets for data storage and processing, but they can be susceptible to performance issues caused by an inadequate architectural design pattern. To optimize S3 performance and ensure your application uses the service efficiently, there are some steps you can take.
One of the most crucial considerations when storing large volumes of data in S3 buckets is latency. To reduce latency, try to minimize requests to S3, or use the HTTP Range header on GET operations to fetch specific byte ranges of an object.
Another performance tip is to avoid fetching the entire object in one request. Instead, issue multiple concurrent requests to S3 for specific byte ranges, spread over separate connections. Doing this can increase throughput from S3 by ten times or more.
Additionally, it's wise to avoid retrying failed requests too many times and to cache frequently accessed content. These common architectural design patterns can help your application perform better with S3 storage and reduce latency.
Additionally, you should consider encrypting your S3 objects with AWS Key Management Service (KMS) to meet regulatory compliance standards like NIST, HIPAA, GDPR and PCI-DSS. This is considered a security best practice, and by default S3 automatically encrypts new objects when uploaded to buckets through AWS KMS.
However, if you rely on KMS for encryption, the cost of transferring encrypted data between KMS and S3 can be significant. That is why AWS has implemented a feature that will reduce request traffic from S3 to KMS, thus decreasing encryption costs.
This is a simple fix that won’t require you to alter your application and will significantly boost the throughput of your S3 buckets. You can scale up or down according to how many compute clusters you have available, with no restrictions on how many prefixes can be used simultaneously.