Understanding inbuilt AWS S3 security controls and methods — Part 4
This article is the 4th and final part of a series of articles on Inbuilt AWS S3 security controls and methods. In this article, we focus on the encryption mechanisms available for AWS S3 resources.
If you are starting out on AWS S3 security, I highly recommend referring to the previous articles of this series starting from article 1.
AWS S3 provides several encryption mechanisms for their customers. You have to select between each of those mechanisms based on the use case and the criticality of the data you store in S3. Hence it's really important to understand what is happening behind the scenes and apply the correct encryption mechanism to secure your data. These can be mainly categorized as Server Side Encryption and Client Side Encryption.
We will first go through each of the Server Side Encryption mechanisms in detail.
1 — AWS Server Side Encryption with S3 Managed Keys (SSE-S3)
As announced on Jan 05th 2023, AWS will encrypt all new objects within all the buckets with SSE-S3 encryption unless another encryption mechanism was defined. You can read the announcement here — https://aws.amazon.com/blogs/aws/amazon-s3-encrypts-new-objects-by-default/
This is the new default and easiest-to-implement encryption method within AWS S3. All you have to do is enable this and AWS S3 will handle data encryption and decryption.
Underneath the following process occurs during the encryption and decryption process.
Encryption
1 — The client uploads data.
2 — On the S3 side a plain text S3 data key is generated and then data is encrypted with that key. The encrypted data object is then stored. This encryption is symmetric encryption.
3 — Then the plain text S3 data key is encrypted with S3 Master Key creating an encrypted S3 data key. Then that encrypted S3 data key is stored along with the encrypted object data and the plain text S3 data key is removed from memory.
Decryption
1 — The client requests data.
2 — On the S3 side, the encrypted data key associated with the object is taken and decrypted using the S3 Master Key to obtain the plain text S3 data key.
3 — The S3 plain text data key is then used to decrypt the encrypted object data and this object data is returned to the client.
2 — AWS Server Side Encryption with KMS Managed Keys (SSE-KMS)
This method allows S3 to use AWS KMS service to generate data encryption keys. This allows greater flexibility as you have complete control to disable, rotate apply access control to the client-managed master key used to generate encryption keys.
Underneath the following process occurs during the encryption and decryption process.
Encryption
1 — The client uploads the data
2 — S3 service then request data keys from KMS — Customer Master Key (CMK).
3 — On the KMS side the CMK generates the plaintext data key and the encrypted data key.
4 — Then both of those generated keys are passed to S3.
5 — Within S3. the data object is encrypted with the plain text data key and both the encrypted data object and the encrypted data key are stored on S3 while removing the plain text data key from memory.
Decryption
1 — Client requests data.
2 — S3 service will send the encrypted data key of the object to KMS.
3 — KMS will then decrypt the encrypted data key using the CMK and obtain the plain text data key.
4 — Plain text data will be returned back to S3.
5 — On the S3 side the plain text data key will be used to decrypt the encrypted data object.
6 — The decrypted data object will be sent back to the client.
3— AWS Server Side Encryption with Customer provided Keys (SSE-C)
This method gives you the ability to provide your own master key. Your master key would be sent with your data to S3 and S3 will use that key to perform encryption for you.
Encryption
1 — The client will send the object data along with the customer key to S3. This will only work via an HTTPS connection.
2 — On the S3 side, the data object is encrypted using the key sent by the customer. Also, a salted HMAC value of the key sent is created for future validation. Then both of the encrypted data object and salted HMAC value will be stored within S3. The customer key sent will be removed from the memory.
Decryption
1 — The client will request the data along with the customer key from S3. This will only work via an HTTPS connection.
2 — On the S3 side, the salted HMAC value of the customer key will be used to validate the customer key sent with the request. Once validated that customer key will be used to decrypt the encrypted object data.
3 — The object data will be returned to the customer.
We will now go through each of the Client Side Encryption mechanisms in detail.
1 — AWS Client Side Encryption with KMS managed keys (CSE-KMS)
This method uses AWS KMS to generate data encryption keys. The AWS KMS is called by the client and encryption happens on the client side. Then the encrypted object will be sent to S3.
Encryption
1 — The client will communicate with AWS KMS via an AWS SDK and request data keys. They need to pass the CMK-ID of the CMK stored within KMS with the request.
2 — On KMS, the CMK associated with the requested CMK-ID will be used to generate a plain text data key and cipher blob associated with the plain text data key.
3 — Both the plain text data key and cipher blob key will be sent to the client.
4 — On the client side the data object will be encrypted using the plain text data key received in the above step.
5 — Then the encrypted data and the cipher blob key are sent to S3.
6 — On S3, the encrypted data object will be stored. The cipher blob data key will be stored as metadata of the encrypted data object.
Decryption
1 — The client requests data
2 — S3 will then send the encrypted data and cipher blob key to the client.
3 — The client will then send the cipher blob key to AWS KMS using AWS SDK.
4 — The cipher blob key combined with the CMK, the associated plain text data key will be generated.
5 — The plaintext data key will then be sent to the client.
6 — On the client side, the plain text data key will be used to decrypt the encrypted object data received from S3.
2— AWS Client Side Encryption with Customer provided keys (CSE-C)
This method allows you to use your own key to encrypt data.
Encryption
1 — The data object will be encrypted using client generated plain text data key.
2 —Customer-managed CMK will be used to encrypt the client-generated plain text data key.
3 — The encrypted data from step 1 and the encrypted data key from step 2 will be sent to S3.
4 — Then the encrypted data object will be stored in S3 and the encrypted data key will be stored as metadata of the encrypted data object.
Decryption
1 — The client requests the data.
2 — S3 will send both the encrypted data object and the encrypted key back to the client.
3 — The client will then use the customer-managed CMK to generate the plain text data key by decrypting the encrypted data key.
4 — Then the plain text data key will be used to decrypt the encrypted data object.
This article series will come to an end with this article. Though our main focus was to discuss about inbuilt security controls and methods within S3, there are many other services within AWS which can be used to improve and manage the overall security of your S3 resources. These services include AWS Security Hub, AWS GuardDuty, AWS Macie, AWS Trusted Advisor etc… You can read more about the S3 security best practices in detail by visiting — https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
AWS continuously takes measures to improve the security posture of AWS S3. But the customer also has a major responsibility in ensuring the security of their S3 resources are configured and managed with proper security controls and methods. I hope this article series helped you to understand the importance of that.
There are many other methods and controls that were not covered here and can be used to improve the security posture of AWS S3. Plus these concepts and controls are bound to be continuously updated for the better. Hence it's always better to refer to several resources and specifically official AWS documentation to have a more in-depth idea of AWS S3 security.
References
1 — https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html