How to Secure S3 Objects with Amazon S3 Encryption

[Cloud Volumes ONTAP, Data Protection, AWS, Advanced, 7 minute read]

Data is at the core of business today, and data encryption offers a solid way to make sure that data stays secure. As one of the most popular storage services on AWS, Amazon S3 has several encryption methods available.

What are these Amazon S3 encryption methods and which one is the best for your organization? In this post we’ll review the basics of data encryption and show you how to enable several different Amazon S3 encryption methods that can help secure you object data, whether or not it’s in NetApp® Cloud Volumes ONTAP.

What is Data Encryption?

Data encryption is the process of converting raw data into a coded form to help ensure that only authorized parties can read it. Encryption often uses a “key” (usually a large number) stored separately from the data to ensure that only the key holder can read it. Data encryption is often required by regulations as well as internal security standards.

Data encryption protects your stored data against theft, ransomware attacks, and other security risks. If an attacker gets access or hold of your data, then they won’t be able to do anything with it unless they also get a hold of the key to unencrypt it. It cuts off one path to data breaches that increasingly make the news.

Amazon S3 Encryption Types

AWS has several offerings in the data encryption space. In addition to the Amazon S3 encryption offerings discussed here, Amazon Elastic Block Store (AWS EBS) encryption options are also available.

SSE Data Encryption

Within Amazon S3, Server Side Encryption (SSE) is the simplest data encryption option available. SSE encryption manages the heavy lifting of encryption on the AWS side, and falls into two types: SSE-S3 and SSE-C.

The SSE-S3 option lets AWS manage the key for you, which requires that you trust them with that information. With SSE-S3, you don’t have access to see or encrypt data using the key directly, but you can be assured that the raw data you own is encrypted at rest by AWS’s standard processes.

The SSE-C option similarly manages encryption and decryption of your data for you, but uses a key provided by you (the customer) and passed in to AWS with each request to encrypt or decrypt. AWS does not store your key with this method, so you are responsible for its safe keeping.

S3 Client-Side Data Encryption

S3 Client-Side Encryption puts all the responsibility for the encryption heavy lifting onto the user. Rather than allowing AWS to encrypt your data, you perform the encryption within your own data center and upload the encrypted data directly to AWS.

S3 Client-Side Encryption also comes in two options: server-side master key storage, and client-side master key storage.

In server-side master key storage, you can store your master key server-side in the AWS KMS (Key Management Service) service, and AWS will provide sophisticated key management software to manage sub-keys based on the master key that is used to encrypt your data.

In client-side master key storage, your master keys aren’t stored on AWS’s servers, and you take full responsibility for the encryption. Using this second approach is potentially the most secure, as your keys and data are never seen by Amazon servers in an unencrypted state. However, the level of security that you can achieve with this method depends on the integrity of your own processes and technology rather than AWS’s.

How to Set Up Amazon S3 Encryption

Now that we’ve discussed the different types of encryption, you can move onto encrypting your Amazon S3 objects. Here we will cover two methods: setting the encryption at the S3 bucket level, and at the S3 object level.

If you want all of the objects within your S3 bucket or buckets to be encrypted with the same encryption method, then the simplest thing to do is set your bucket or buckets to use that encryption method. If you have more fine-grained requirements, then it makes sense to set encryption directly at the object level.

Let’s walk through a simple example where we have a bucket whose objects we want to encrypt.How to Encrypt an Object in Amazon S3

1. Encrypting an object will start by logging into the AWS Console. For this example, we have a specific bucket called “s3-encryption-walkthrough” that has two unencrypted objects in it, object1 and object2, as seen in this screenshot:

image3-34

2. Both objects are unencrypted, and you can see that under Properties, the information in the Encryption field is showing “None” for object1. To encrypt object1, click on Actions, and then select “Change Encryption” from the drop-down menu:

image7

3. You then get another pop-up message that asks you what kind of encryption you want to set on the object:

image5

4. In this case we want to use S3 server-side encryption, so choose the “AES-256” option and hit “Save.” To confirm, click “Change” on the next screen that appears:

image4-45

5. Now if you click on object1 again, you’ll see that the under Properties object 1 is shown as encrypted with the AES-256 encryption standard:

image8

How to Encrypt an Amazon S3 Bucket

You have now encrypted object1, but object2 is still unencrypted. According to our policy we want all objects in this bucket to be encrypted, so we can try setting the bucket policy to encrypt all by default.

1. To encrypt a bucket, begin by clicking on the Properties tab, one tab over from the Overview tab:

image2-23

2. In the Properties tab, select “Default encryption” and choose your preferred encryption option:

image6

3. When you click “Save,” the entire bucket will now be encrypted. To confirm,  return to the Overview tab, and upload a new object (object3). Select object 3, and you will see that it has been encrypted on upload:

image1-235

Bucket Settings and Existing Objects

Even though your bucket is now automatically encrypting all objects that are uploaded to it, objects that existed before encryption was enabled are still unencrypted. In this scenario, object2 is still not encrypted.

Once you have set up your buckets according to your chosen policy, you now need to encrypt these pre-existing objects. To do this, you’ll first need to identify your unencrypted objects.

If you only have a few buckets with a couple of items in each to manage, this won’t be too onerous a task, and you can carry it out manually. However, if you have many hundreds or thousands of objects in your bucket, you may want to consider a couple of approaches that may help you save time hunting unencrypted buckets down.

AWS S3 Inventory

The first option is AWS S3 Inventory, part of the AWS Inventory toolset. This allows you to set up reports on your S3 objects. Unfortunately, this requires some setup on your part to get going, and only works at the bucket level. If you have multiple buckets to examine then you will have to set it up for each bucket.

The setup (documented here) involves setting up a policy for the source bucket, and a new bucket in which the report will be placed, as well as a frequency for the report to be generated.

Once produced, your source bucket’s inventory report will appear in the nominated destination bucket, and you can query the report using SQL using AWS Athena, or any other method that can read CSV format. This report will list all the unencrypted buckets that you can then go and encrypt using the method outlined above.

AWS CLI

The second option is to use the AWS command line interface to report on objects within your account. This will require some programming on your part to meet your requirements but will be more flexible and potentially less work overall if you have many buckets to audit.

Since AWS is an API-first service, it is also possible to automatically encrypt your S3 objects using the command line interface. Fuller discussion of this method is outside the scope of this article as it requires an ability to code a script to meet your needs.

Conclusion

There are many options available on AWS for data encryption, but when it comes to data security, the more the better. There’s an added level of security that can come with your AWS deployment using NetApp Cloud Volumes ONTAP.

Cloud Volumes ONTAP offers solutions to data security and many other operational cloud challenges, such as disaster recovery and data tiering between performant Amazon EBS volumes and capacity storage on S3. Read how Reach, publisher of the Daily Mirror, used Cloud Volumes ONTAP to protect their data in the cloud.

New call-to-action

-