Multi tenant s3 object isolation

0

Hi, we have a multi-tenant application which stores objects in S3 - each tenant with their own prefix (folder). What would be the recommended solution for tenant data isolation for such an application, assuming we want a dedicated key per tenant but not the overhead of a bucket per tenant (there are a few thousand tenants)? Would it be a dedicated data encryption key per tenant, all wrapped with a single AWS KMS key encryption key? If this is the case, what would be the recommended pattern for serving objects to clients? Would it be server-side decryption using a workload role and then sending back to the client as a blob? Any other recommended patterns? Users are managed in Cognito. The authorisation to access objects is based on application logic, not a Cognito attribute or for specific IAM users. Thanks

Oren
asked 10 months ago · 551 views
3 Answers
1
Accepted Answer

Implementation-wise, assuming that each tenant must have their own independent KMS key, you may need to leverage this at the application level.

You can achieve it with S3 object-level encryption via a PutObject request, providing different headers:

  • x-amz-server-side-encryption: set this one to aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id: set this one to the key ID of the customer-specific key

I am not aware that there is a native way.

EXPERT
answered 10 months ago
0

Take a look at this, Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3, for a discussion of the different approaches.

AWS
EXPERT
kentrad
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Thanks. I understand the alternatives mentioned in the article, but more wondering about implementation. As mentioned the bucket per tenant doesn’t fit us and we do want an encryption key per tenant due to customers’ compliance requirements.

    1. Is the best option then envelope encryption with a DEK per tenant and a single KEK? Or is there a native AWS mechanism that can achieve these requirements (i.e. us not writing code to handle encryption with DEK and KEK)?
    2. If this is the case, what would be the recommended pattern for serving objects to clients? Would it be backend server decryption using an IAM role and then sending back to the client as a blob? Or any other recommended patterns?

    Thanks

  • I would look at Access Points for each customer, and the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accesses the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity pools.
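
The two suggestions above (per-tenant SSE-KMS headers on PutObject, and an access point policy that only accepts the tenant's key) can be sketched together as follows. This is an added example, not code from anyone in the thread; the tenant ids, key ARNs, bucket and access point names are constructed placeholders, and the boto3 call is left as a comment so the block runs offline.

```python
import json
import posixpath

# Constructed registry: tenant id -> that tenant's KMS key ARN (placeholder values).
TENANT_KEYS = {
    "tenant-a": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001",
    "tenant-b": "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002",
}

def put_object_args(bucket, tenant_id, name, body):
    """Build put_object() arguments pinned to the tenant's prefix and KMS key."""
    key_arn = TENANT_KEYS[tenant_id]  # KeyError for an unknown tenant: fail closed
    # Normalise the caller-supplied name so "../" cannot climb out of the tenant prefix.
    rel = posixpath.normpath("/" + name).lstrip("/")
    if not rel:
        raise ValueError("empty object name")
    return {
        "Bucket": bucket,
        "Key": f"{tenant_id}/{rel}",
        "Body": body,
        "ServerSideEncryption": "aws:kms",  # x-amz-server-side-encryption
        "SSEKMSKeyId": key_arn,             # x-amz-server-side-encryption-aws-kms-key-id
    }

def access_point_policy(ap_arn, tenant_id):
    """Access point policy that denies uploads under the tenant prefix with any other key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{ap_arn}/object/{tenant_id}/*",
            # A request without the header does not match the tenant key either, so it is denied.
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": TENANT_KEYS[tenant_id]}},
        }],
    }

if __name__ == "__main__":
    args = put_object_args("example-bucket", "tenant-a", "../tenant-b/report.pdf", b"data")
    print(args["Key"])  # the traversal attempt stays inside tenant-a's prefix
    # With boto3 installed and credentials configured: boto3.client("s3").put_object(**args)
    print(json.dumps(access_point_policy(
        "arn:aws:s3:us-east-1:111122223333:accesspoint/tenant-a-ap", "tenant-a"), indent=2))
```

The role used by the backend still needs `kms:GenerateDataKey` and `kms:Decrypt` on each tenant key it serves, in addition to the S3 permissions on the prefix.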

0

Thanks a lot guys, very helpful!

Oren
answered 9 months ago
