S3 Encryption Flashcards

1
Q

What is Client-Side Encryption in the context of Amazon S3?

A

Client-Side Encryption is the process of encrypting data before it is transmitted to Amazon S3. The encryption and decryption are performed on the client’s side, and the client manages the encryption keys.

2
Q

What is Server-Side Encryption with Customer-Provided Keys (SSE-C)?

A

SSE-C is a method where Amazon S3 performs the encryption and decryption of objects while the customer provides and manages the encryption keys. The key must be provided in each request to access the encrypted object.

3
Q

What is Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)?

A

SSE-S3 is an encryption method where Amazon S3 automatically handles the encryption, decryption, and security of the encryption keys. It uses the AES-256 encryption algorithm and manages the keys internally.

4
Q

What is Server-Side Encryption with AWS Key Management Service (SSE-KMS)?

A

SSE-KMS includes the benefits of SSE-S3 but with additional security controls and audit trail features provided by AWS KMS. It enables customers to use AWS-managed keys or customer-managed keys in KMS for encryption.

5
Q

How does the default bucket encryption setting improve S3 security?

A

Default bucket encryption automatically encrypts all new objects stored in the bucket without requiring any explicit action from the user. It ensures that all data is encrypted at rest, enhancing the security posture of the bucket.

6
Q

How does SSE-KMS enhance security compared to SSE-S3?

A

SSE-KMS enhances security by providing an audit trail that shows when and by whom each key was used. It also offers additional controls, such as the ability to create, rotate, disable, and define permissions on encryption keys.

7
Q

Can Client-Side Encryption be combined with Server-Side Encryption?

A

Yes, Client-Side Encryption can be combined with Server-Side Encryption for a double layer of security. The data is encrypted on the client’s side and then encrypted again when stored in S3. However, this is typically only necessary for highly sensitive data, as it adds complexity.

8
Q

How does SSE-KMS achieve role separation?

A

SSE-KMS achieves role separation by leveraging AWS KMS, which allows for creating and controlling access to encryption keys. Different IAM policies can be attached to different roles, limiting who can manage keys and who can access the encrypted data, effectively separating data management and security roles.

9
Q

What are the implications of using SSE-C for object access?

A

Using SSE-C requires that the encryption key be provided for each HTTP request to access the encrypted objects. This method provides strong security but increases operational complexity since the customer must securely manage and use the encryption keys.

10
Q

Why might an organization prefer using SSE-KMS over SSE-S3 for encryption?

A

An organization might prefer SSE-KMS over SSE-S3 for its additional key management features, audit capabilities, and the ability to control and rotate encryption keys. It offers a balance of automation and control, making it suitable for compliance-driven environments.
