S3 7

Question 1

Encryption: SSE-C

How does SSE-C work?

Answer 1

SDK sends key and object to server. Key encrypts object. S3 doesn’t keep the key.

Question 2

Encryption: SSE-C

What is stored with the encrypted object data with SSE-C?

Answer 2

HMAC salted value – marks which customer-provided key was used to encrypt the object

Question 3

Encryption: SSE-C

What happens if you send the wrong key to SSE-C GetObject?

Answer 3

Rejected: S3 holds hash of the key used to encrypt. It knows it’s the wrong key.

Question 4

Encryption: client-side

2 business cases for using client-side encryption?

Answer 4

AWS can’t hold keys, requirement to encrypt before it leaves your premesis.

Question 5

Encryption: client-side

Where is encryption/decryption done with client-side encryption?

Answer 5

Strictly on the client (S3 itself doesn’t know or do any part of it)

Question 6

Encryption: client-side

What does an object look like with client-side encryption?

Answer 6

Like any other S3 object (no keys stored with it, not marked “encrypted”).

Question 7

Encryption: client-side

On the AWS console, how can you tell if an object was client-side encrypted?

Answer 7

Can’t: there is no server-side mark or logic, completely client-side.

Question 8

Encryption: client-side

What do you use client-side to do client-side encryption?

Answer 8

The Amazon S3 Encryption Client

Question 9

Encryption: client-side

Why bother with the S3 client library?

Answer 9

It handles generating keys and doing encryption/decryption for you.

Question 10

Encryption: client-side

Two kinds of client-side encryption?

Answer 10

BYOC (CSE-C) and use KMS key as wrapper (CSE-KMS)

Question 11

Encryption: client-side

What does the S3 Encryption Client do on PutObject?

Answer 11

Ask KMS for DEK, get un- and encrypted version of a DEK

Question 12

misc.

What is “MFA Delete”?

Answer 12

Policy setting: have to MFA auth to switch enabled/disabled versioning or to delete a VERSION via ID.