Encryption on any system requires three components:
(1) data to encrypt
(2) a method to encrypt the data using a cryptographic algorithm (for example, AES)
(3) encryption keys to be used in conjunction with the data and the algorithm.
S3 supports encryption of data in transit and at rest.
Data in transit is encrypted using SSL. For data at rest, you can encrypt using the options below.
Server Side Encryption
How it works:
SSE-S3 (Server-Side Encryption with S3-managed keys): Amazon handles key management and key protection using multiple layers of security.
In this model, data is encrypted before it is written to disk in Amazon S3. Each object is encrypted with a unique data key. As an additional safeguard, that data key is itself encrypted with a periodically rotated master key managed by Amazon S3, so only the encrypted form of the data key is stored alongside the object.
SSE-KMS (Key Management Service): You can use AWS KMS to manage your encryption keys. It provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data.
SSE-C (Customer-provided keys): You can use your own encryption key while uploading an object to Amazon S3. This encryption key is used by Amazon S3 to encrypt your data.
When you retrieve this object from Amazon S3, you must provide the same encryption key in your request. Amazon S3 verifies that the encryption key matches, decrypts the object, and returns the object to you.
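The three server-side modes above are selected per request through x-amz-* headers on PutObject (and, for SSE-C, the same customer-key headers again on GetObject). The following added example, which is not part of the original article and not AWS SDK code, builds those headers for each mode with the Python standard library only. It uses the real S3 header names; the 32-byte all-zero customer key and the KMS key alias "alias/example" are constructed sample values. It also enforces the article's rule that only one server-side encryption type can be applied to an object at a time, by refusing parameters that belong to a different mode.

```python
import base64
import hashlib

SSE_S3 = "SSE-S3"
SSE_KMS = "SSE-KMS"
SSE_C = "SSE-C"


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Return the x-amz-* request headers that select exactly one
    server-side encryption mode for an S3 PutObject request.

    S3 rejects a request that mixes SSE-C headers with the
    x-amz-server-side-encryption header used by SSE-S3/SSE-KMS, so
    parameters that belong to another mode raise ValueError here
    instead of producing a request the service would refuse.
    """
    if mode == SSE_S3:
        if kms_key_id is not None or customer_key is not None:
            raise ValueError("SSE-S3 takes no key parameters; S3 manages the key")
        return {"x-amz-server-side-encryption": "AES256"}

    if mode == SSE_KMS:
        if customer_key is not None:
            raise ValueError("cannot combine SSE-KMS with a customer-provided key")
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        # Without an explicit key id S3 uses the account's default aws/s3 KMS key.
        if kms_key_id is not None:
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers

    if mode == SSE_C:
        if kms_key_id is not None:
            raise ValueError("cannot combine SSE-C with a KMS key")
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
        # The key travels base64-encoded; the MD5 header lets S3 detect a
        # corrupted key before it is used. SSE-C requests must use HTTPS.
        key_md5 = hashlib.md5(customer_key).digest()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode("ascii"),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(key_md5).decode("ascii"),
        }

    raise ValueError(f"unknown server-side encryption mode {mode!r}")


def sse_c_get_headers(customer_key):
    """Headers for retrieving an SSE-C object: the same key must be
    presented again, or S3 refuses to decrypt the object."""
    return sse_headers(SSE_C, customer_key=customer_key)


def is_valid_request(mode, **params):
    """True if the parameter combination selects a single mode."""
    try:
        sse_headers(mode, **params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_key = b"\x00" * 32          # constructed sample key, never use in practice
    for mode, params in (
        (SSE_S3, {}),
        (SSE_KMS, {"kms_key_id": "alias/example"}),  # constructed alias
        (SSE_C, {"customer_key": sample_key}),
    ):
        print(mode)
        for name, value in sse_headers(mode, **params).items():
            print(f"  {name}: {value}")
    print("mixed SSE-C + KMS accepted?",
          is_valid_request(SSE_C, customer_key=sample_key, kms_key_id="alias/example"))
```

With the AWS SDKs these headers are set for you (for example, boto3 derives the key-MD5 header from SSECustomerKey), but seeing them laid out makes it clear which party holds the key in each mode: none of your key material leaves your side for SSE-S3 and SSE-KMS, while for SSE-C the raw key is sent on every upload and download request.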
Client Side Encryption:
You encrypt the files on your end using your preferred encryption method and then upload the encrypted files to S3.
Scenarios – When to use:
Understanding the given scenario is very important in the examination. You'll be given a scenario for encrypting the files and you have to choose the right answer based on the requirements and keywords mentioned.
Amazon handles the encryption/decryption and keys:
SSE-S3 is the right option for this scenario. You don't need to worry about encryption/decryption or keys; AWS handles everything.
You want to manage/take hold of keys:
SSE-C is the right option for this scenario. AWS handles the encryption/decryption, whereas you’ll be managing the keys.
You manage your keys and also want to track who's using your key or attempting to decrypt files without your permission:
SSE-KMS is the right option for this scenario. It provides an audit trail so you can see who used your key to access which object and when, as well as view failed attempts to access data from users without permission to decrypt the data.
Note: You can’t apply different types of server-side encryption to the same object simultaneously.