
S3 Encryption

There are two types of encryption:

  • In Transit - SSL/TLS
  • At Rest
    • Server-Side Encryption
      • S3 Managed Keys - SSE-S3
      • AWS Key Management Service Managed Keys - SSE-KMS
      • Server-Side Encryption with Customer-Provided Keys - SSE-C
  • Client Side Encryption: You encrypt the files yourself prior to uploading to S3

Enforcing Encryption on S3 Buckets

  • Every time a file is uploaded to S3, a PUT request is initiated.
  • This is what a PUT request looks like:
PUT /myFile HTTP/1.1
HOST: myBucket.s3.amazonaws.com
Date: Wed, 25 Apr 2018 09:50:00 GMT
Authorization: authorization string
Content-Type: text/plain
Content-Length: 27364
x-amz-meta-author: Faye
Expect: 100-continue
[27364 bytes of object data]
  • If the file is to be encrypted at upload time, the x-amz-server-side-encryption header is included in the request.
  • Two options are currently available:
    • x-amz-server-side-encryption: AES256 (SSE-S3 - S3 managed keys)
    • x-amz-server-side-encryption: aws:kms (SSE-KMS - KMS managed keys)
  • When this header is included in the PUT request, it tells S3 to encrypt the object at the time of upload, using the specified encryption method.
  • You can enforce the use of Server-Side Encryption with a Bucket Policy that denies any S3 PUT request that does not include the x-amz-server-side-encryption header.
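The bucket policy behind that last bullet, as an added example (not from the original notes): two Deny statements, one for a PUT with no x-amz-server-side-encryption header at all (the `Null` condition) and one for a header carrying a value other than AES256 or aws:kms (`StringNotEquals`), plus a small evaluator that applies the same logic to request headers so the two PUT requests on this page can be checked offline. The bucket name is a placeholder.

```python
import json

# Added example, not from the page: bucket policy enforcing SSE on PutObject.
BUCKET = "myBucket"  # placeholder, not a real bucket

ENFORCE_SSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyMissingEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            # Null=true matches PUTs that omit the header entirely
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyUnexpectedEncryptionValue",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            # Header present but not one of the accepted values
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}},
        },
    ],
}

ACCEPTED = ENFORCE_SSE_POLICY["Statement"][1]["Condition"]["StringNotEquals"][
    "s3:x-amz-server-side-encryption"]


def put_is_denied(headers: dict) -> bool:
    """Apply the two Deny conditions to a PUT request's headers. S3 exposes the
    x-amz-server-side-encryption header as the matching condition key; HTTP
    header names are case-insensitive, so normalise before looking it up."""
    value = {k.lower(): v for k, v in headers.items()}.get("x-amz-server-side-encryption")
    if value is None:             # first statement: Null == true
        return True
    return value not in ACCEPTED  # second statement: StringNotEquals


if __name__ == "__main__":
    print(json.dumps(ENFORCE_SSE_POLICY, indent=2))
    # The page's first PUT (no header) is denied; the SSE-S3 one goes through.
    print(put_is_denied({"Content-Type": "text/plain"}))              # True
    print(put_is_denied({"x-amz-server-side-encryption": "AES256"}))   # False
    print(put_is_denied({"X-Amz-Server-Side-Encryption": "aws:kms"}))  # False
```

This policy also rejects SSE-C uploads, which signal encryption through the separate x-amz-server-side-encryption-customer-* headers rather than this one, so widen the conditions if customer-provided keys are in scope.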

The following request tells S3 to encrypt the file using SSE-S3 (AES-256) at the time of upload:

PUT /myFile HTTP/1.1
HOST: myBucket.s3.amazonaws.com
Date: Wed, 25 Apr 2018 09:50:00 GMT
Authorization: authorization string
Content-Type: text/plain
Content-Length: 27364
x-amz-meta-author: Faye
Expect: 100-continue
x-amz-server-side-encryption: AES256
[27364 bytes of object data]