Multi-tenant S3 object isolation


Hi, we have a multi-tenant application which stores objects in S3, each tenant with their own prefix (folder). What would be the recommended solution for tenant data isolation for such an application, assuming we want a dedicated key per tenant but not the overhead of a bucket per tenant (there are a few thousand tenants)? Would it be a dedicated data encryption key per tenant, all wrapped with a single AWS KMS key encryption key? If this is the case, what would be the recommended pattern for serving objects to clients? Would it be server-side decryption using the workload role and then sending the object back to the client as a blob? Any other recommended patterns? Users are managed in Cognito. The authorisation to access objects is based on application logic, not on a Cognito attribute or on specific IAM users. Thanks

Oren
asked 10 months ago, 551 views
3 Answers
Accepted answer

Implementation-wise, assuming that each tenant must have their own independent KMS key, you may need to leverage this at the application level.

You can achieve it with S3 object-level encryption via the PutObject request, providing different headers:

  • x-amz-server-side-encryption: set this one to aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id: set this one to the key ID of the customer-specific key

I am not aware that there is a native way.

EXPERT
answered 10 months ago
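The two headers from the accepted answer, as an added example that is not part of the original thread: it builds the per-tenant PutObject request (raw header form and the equivalent boto3 parameter names), keeps the object key inside the tenant's prefix, and verifies from a HeadObject response that the object really landed under that tenant's key rather than a bucket default key. The tenant-to-key map, bucket name, account ID and the HeadObject response are constructed sample values, and the ID pattern for tenants is an assumption.

```python
"""Per-tenant SSE-KMS on a shared bucket (added example, not from the thread).

Builds the PutObject request for a tenant and checks afterwards that the
object was stored under that tenant's key. All ARNs and names are constructed.
"""
import re

# Constructed sample: one customer-managed KMS key per tenant (hypothetical ARNs).
TENANT_KMS_KEYS = {
    "acme": "arn:aws:kms:eu-west-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001",
    "globex": "arn:aws:kms:eu-west-1:111122223333:key/2222bbbb-0000-4000-8000-000000000002",
}

# Assumed tenant ID format; the strict pattern keeps '/', '..' and similar
# characters out of the prefix so a tenant ID can never escape its folder.
_TENANT_ID = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


def tenant_prefix(tenant_id: str) -> str:
    """Return the tenant's folder prefix after validating the ID."""
    if not _TENANT_ID.match(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    return f"tenants/{tenant_id}/"


def object_key(tenant_id: str, name: str) -> str:
    """Full S3 key under the tenant prefix; rejects names that try to escape it."""
    if not name or name.startswith("/") or ".." in name.split("/"):
        raise ValueError(f"invalid object name: {name!r}")
    return tenant_prefix(tenant_id) + name


def sse_kms_headers(tenant_id: str) -> dict:
    """The two request headers from the answer, populated with the tenant's key ARN."""
    try:
        key_arn = TENANT_KMS_KEYS[tenant_id]
    except KeyError:
        raise ValueError(f"no KMS key registered for tenant {tenant_id!r}") from None
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": key_arn,
    }


def put_object_kwargs(bucket: str, tenant_id: str, name: str, body: bytes) -> dict:
    """Same request expressed as boto3 s3.put_object(**kwargs) parameters."""
    headers = sse_kms_headers(tenant_id)
    return {
        "Bucket": bucket,
        "Key": object_key(tenant_id, name),
        "Body": body,
        "ServerSideEncryption": headers["x-amz-server-side-encryption"],
        "SSEKMSKeyId": headers["x-amz-server-side-encryption-aws-kms-key-id"],
    }


def stored_under_tenant_key(head_object_response: dict, tenant_id: str) -> bool:
    """Post-write check on a HeadObject response: the object must report
    aws:kms and exactly this tenant's key. A bucket default key or an
    SSE-S3 (AES256) fallback shows up here as a mismatch."""
    expected = TENANT_KMS_KEYS.get(tenant_id)
    return (
        head_object_response.get("ServerSideEncryption") == "aws:kms"
        and head_object_response.get("SSEKMSKeyId") == expected
    )


if __name__ == "__main__":
    params = put_object_kwargs("saas-objects", "acme", "invoices/2024-01.pdf", b"%PDF-1.7 ...")
    print(params["Key"], params["SSEKMSKeyId"])
    # Constructed HeadObject response, shaped like boto3's head_object() result.
    head = {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": TENANT_KMS_KEYS["acme"]}
    print(stored_under_tenant_key(head, "acme"))  # True
```

The role that performs the PutObject also needs kms:GenerateDataKey on the tenant's key (and kms:Decrypt for reads), so a key policy that grants only the workload role, plus the HeadObject check above, gives you a cheap way to catch a misconfigured tenant before any data is served.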

Take a look at Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3 for a discussion of the different approaches.

AWS EXPERT
kentrad
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Thanks. I understand the alternatives mentioned in the article, but I am more wondering about implementation. As mentioned, a bucket per tenant doesn't fit us, and we do want an encryption key per tenant due to customers' compliance requirements.

    1. Is the best option then envelope encryption with a DEK per tenant and a single KEK? Or is there a native AWS mechanism that can achieve these requirements (i.e. us not writing code to handle encryption with a DEK and KEK)?
    2. If this is the case, what would be the recommended pattern for serving objects to clients? Would it be backend server decryption using an IAM role and then sending the object back to the client as a blob? Or any other recommended patterns?

    Thanks

  • I would look at Access Points for each customer; the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accessed the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity Pools.
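The access-point-per-tenant enforcement described in the comment above, as an added example that is not part of the original thread: the bucket policy delegates access control to access points owned by the account, and each tenant's access point policy limits object actions to that tenant's prefix and denies any PutObject that is not SSE-KMS with that tenant's key. A small local check then shows which Deny statement a planned upload would trip. Account ID, region, bucket, access point names, role ARN and key ARNs are constructed sample values; the local check mirrors only the policy's StringNotEquals conditions and is not a full IAM evaluator.

```python
"""Access point per tenant with a KMS-key-restricted policy (added example,
not from the thread). All identifiers are constructed sample values."""
import json

ACCOUNT = "111122223333"
REGION = "eu-west-1"
BUCKET = "saas-objects"

# Constructed sample: one customer-managed KMS key per tenant (hypothetical ARNs).
TENANT_KMS_KEYS = {
    "acme": "arn:aws:kms:eu-west-1:111122223333:key/1111aaaa-0000-4000-8000-000000000001",
    "globex": "arn:aws:kms:eu-west-1:111122223333:key/2222bbbb-0000-4000-8000-000000000002",
}


def bucket_delegation_policy() -> dict:
    """Bucket policy that hands access control to access points in this
    account (the s3:DataAccessPointAccount condition), so per-tenant rules
    live in the access point policies rather than one huge bucket policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}},
        }],
    }


def tenant_access_point_policy(tenant_id: str, app_role_arn: str) -> dict:
    """Policy for access point 'tenant-<id>': the application role may read
    and write only under the tenant prefix, and every PutObject must be
    SSE-KMS with exactly this tenant's key (assumed naming convention)."""
    if not tenant_id.islower() or not tenant_id.replace("-", "").isalnum():
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    key_arn = TENANT_KMS_KEYS[tenant_id]
    ap_arn = f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/tenant-{tenant_id}"
    objects = f"{ap_arn}/object/tenants/{tenant_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantObjectAccess",
                "Effect": "Allow",
                "Principal": {"AWS": app_role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": objects,
            },
            {   # uploads without SSE-KMS (or with SSE-S3) are refused
                "Sid": "DenyNonKmsPut",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # uploads with any key other than this tenant's are refused
                "Sid": "DenyWrongTenantKey",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def put_would_be_denied(policy: dict, request_headers: dict) -> list:
    """Simplified local check: which Deny Sids would fire for a PutObject
    carrying these SSE headers. Only StringNotEquals on the two
    s3:x-amz-server-side-encryption* keys is modelled; a missing header
    counts as not-equal, matching how IAM treats negated operators."""
    denied = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for cond_key, expected in stmt["Condition"]["StringNotEquals"].items():
            header = cond_key[len("s3:"):]  # s3:x-amz-... -> x-amz-... request header
            if request_headers.get(header) != expected:
                denied.append(stmt["Sid"])
    return denied


if __name__ == "__main__":
    pol = tenant_access_point_policy("acme", f"arn:aws:iam::{ACCOUNT}:role/app-backend")
    print(json.dumps(pol, indent=2))
    good = {"x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": TENANT_KMS_KEYS["acme"]}
    print(put_would_be_denied(pol, good))  # []
    print(put_would_be_denied(pol, {}))    # ['DenyNonKmsPut', 'DenyWrongTenantKey']
```

The Deny statements use Principal "*" on purpose so they also cover any future principal granted through the access point; the Allow is what scopes the application role to the tenant prefix. The role still needs kms:GenerateDataKey and kms:Decrypt on the tenant's key, granted in that key's policy, which is the second half of the isolation the comment describes.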


Thanks a lot guys, very helpful!

Oren
answered 9 months ago
