Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Multi tenant s3 object isolation

0

Hi, We have a multi tenant application which stores objects in s3 - each tenant with their own prefix (foldrr). What would be the recommended solution for tenant data isolation for such application, assuming we want a dedicated key per tenant but not the overhead of a bucket per tenant (there are few thousands tenants)? Would it be dedicated data encryption key per tenant, all wrapped with a single aws kms key encryption key? If this is the case what would be the recommended pattern for serving objects to clients? Would it be a server side decryption using workload role and then sending back to client as a blob? Any other recommended patterns? Users are managed in cognito. The authorisation to access objects is based on application logic, not a cognito attribute or for specific iam users. Thanks

Argomenti
SaaS su AWS
Tag
SaaS su AWS
Lingua
English
Oren
posta 10 mesi fa550 visualizzazioni
3 Risposte
1
Risposta accettata

Implementation-wise, assuming that each tenant must have their own KMS independent key, you may need to leverage this at application level.

You can achieve it by S3 object level encryption via PUTObject request and providing different headers:

  • x-amz-server-side-encryption set this one to aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id set this one to the key ID of the customer specific key

I am not aware that there is a native way.

profile picture
ESPERTO
Antonio_Lagrotteria
con risposta 10 mesi fa
0

Take a look at this, Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3, for a discussion of the different approaches.

profile pictureAWS
ESPERTO
kentrad
con risposta 10 mesi fa
profile picture
ESPERTO
Gary Mclean
verificato 10 mesi fa
  • Oren
    10 mesi fa

    Thanks. I understand the alternatives mentioned in the article, but more wondering about implementation. As mentioned the bucket per tenant doesn’t fit us and we do want an encryption key per tenant due to customers’ compliance requirements.

    1. Is the best option then envelop encryption with DEK per tenant and a single KEK? Or is there a native aws mechanism that can achieve these requirements (ie us not writing code to handle encryption with DEK and KEK)?
    2. if this is the case what would be the recommended pattern for serving objects to clients? Would it be a backend server decryption using iam role and then sending back to client as a blob? Or any other recommended patterns?

    Thanks

  • kentrad ESPERTO
    10 mesi fa

    I would look at Access Points for the each customer and the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accessed the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity pools.

0

Thanks a lot guys, very helpful!

Oren
con risposta 9 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente