AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Multi tenant s3 object isolation

0

Hi, We have a multi tenant application which stores objects in s3 - each tenant with their own prefix (foldrr). What would be the recommended solution for tenant data isolation for such application, assuming we want a dedicated key per tenant but not the overhead of a bucket per tenant (there are few thousands tenants)? Would it be dedicated data encryption key per tenant, all wrapped with a single aws kms key encryption key? If this is the case what would be the recommended pattern for serving objects to clients? Would it be a server side decryption using workload role and then sending back to client as a blob? Any other recommended patterns? Users are managed in cognito. The authorisation to access objects is based on application logic, not a cognito attribute or for specific iam users. Thanks

주제
AWS의 SaaS
태그
AWS의 SaaS
언어
English
Oren
질문됨 10달 전551회 조회
3개 답변
1
수락된 답변

Implementation-wise, assuming that each tenant must have their own KMS independent key, you may need to leverage this at application level.

You can achieve it by S3 object level encryption via PUTObject request and providing different headers:

  • x-amz-server-side-encryption set this one to aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id set this one to the key ID of the customer specific key

I am not aware that there is a native way.

profile picture
전문가
Antonio_Lagrotteria
답변함 10달 전
0

Take a look at this, Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3, for a discussion of the different approaches.

profile pictureAWS
전문가
kentrad
답변함 10달 전
profile picture
전문가
Gary Mclean
검토됨 10달 전
  • Oren
    10달 전

    Thanks. I understand the alternatives mentioned in the article, but more wondering about implementation. As mentioned the bucket per tenant doesn’t fit us and we do want an encryption key per tenant due to customers’ compliance requirements.

    1. Is the best option then envelop encryption with DEK per tenant and a single KEK? Or is there a native aws mechanism that can achieve these requirements (ie us not writing code to handle encryption with DEK and KEK)?
    2. if this is the case what would be the recommended pattern for serving objects to clients? Would it be a backend server decryption using iam role and then sending back to client as a blob? Or any other recommended patterns?

    Thanks

  • kentrad 전문가
    10달 전

    I would look at Access Points for the each customer and the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accessed the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity pools.

0

Thanks a lot guys, very helpful!

Oren
답변함 9달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠