Amazon S3 Secutity Flashcards
(35 cards)
4 methods used to encrypt objects in S3 buckets?
- SSE-S3
- SSE-KMS
- SSE-C
- Client Side
How does “Server-Side Encryption with Amazon S3-Managed Keys” work?
SSE-S3 is enabled by default.
Encrypts S3 objects using keys handled. Managed and owned by AWS
How does “Server-Side Encryption with KMS Keys stored in AWS KMS” work?
SSE-KMS leverages AWS Key Management Service(AWSKMS) to manage encryption keys
How does Server-Side Encryption with Customer-Provided Keys work?
SSE-C is for when you want to manage your own encryption keys
What is DSSE-KMS ?
double encryption based on KMS
Features:
- Encryption using keys handled, managed, and owned by AWS
- Object is encrypted server-side
- Encryption type is AES-256
- Must set header “x-amz-server-side-encryption”: “AES256”
- Enabled by default for new buckets & new objects
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Features:
- Encryption using keys handled and managed by AWS KMS (Key Management Service)
- KMS advantages: user control + audit key usage using CloudTrail
- Object is encrypted server side
- Must set header “x-amz-server-side-encryption”: “aws:kms”
Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
Features:
- Server-Side Encryption using keys fully managed by the customer outside of AWS
- Amazon S3 does NOT store the encryption key you provide
- HTTPS must be used
- Encryption key must provided in HTTP headers, for every HTTP request made
Server-Side Encryption with Customer-Provided Keys (SSE-C)
What are these?
- If you use SSE-KMS, you may be impacted by the KMS limits
- When you upload, it calls the GenerateDataKey KMS API
- When you download, it calls the Decrypt KMS API
- Count towards the KMS quota per second (5500, 10000, 30000 req/s based on region)
- You can request a quota increase using the Service Quotas Console
SSE-KMS Limitations
Features:
- Use client libraries such as Amazon S3 Client-Side Encryption Library
- Clients must encrypt data themselves before sending to Amazon S3
- Clients must decrypt data themselves when retrieving from Amazon S3
- Customer fully manages the keys and encryption cycle
Client-Side Encryption
What is SSL/TLS
Encryption in flight
Which two endpoints does Amazon S3 exposes?
- HTTP Endpoint – non encrypted
- HTTPS Endpoint – encryption in flight
Which protocol is recommended?
HTTPS
Which encryption service has a mandatory protocol of HTTPS?
SSE-C
What kind of encryption is automatically applied to new objects stored in S3 bucket?
SSE-S3
How can you refuse any API call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C)
You can “force encryption” using a bucket policy
What is Web Browser based mechanism to allow requests to other origins while visiting the main origin
Cross-Origin Resource Sharing (CORS)
What should be done if a client makes a cross-origin request on our S3 bucket?
Enable the correct CORS headers
What does MFA (Multi-Factor Authentication) do?
force users to generate a code on a device (usually a mobile phone or hardware) before doing important operations on S3
What two things will require MFA?
- Permanently delete an object version
- Suspend Versioning on the bucket
What two things won’t require MFA?
- Enable Versioning
- List deleted versions
What must be enable to use MFA Delete?
Versioning must be enabled on the bucket
Who can enable/disable MFA Delete?
Only the bucket owner (root account)
