How to decrypt S3 content while serving it through CloudFront


I am aware of this post: https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/. But it doesn't say anything about the SSE-C type of encryption.

My implementation is: I am using AWS KMS to create a DEK for each folder and save the wrapped DEK in a DB / S3 for further use. Now, if I want to decrypt this content while serving it through CloudFront, what is the approach?

2 Answers

Accepted Answer

To serve S3 content encrypted with SSE-C through CloudFront, you can use a Lambda@Edge function to handle the encryption keys. Here's a high-level approach to how you could set this up:

Create a Lambda@Edge Function:

Implement a Lambda@Edge function that will be triggered on viewer request events. This function should:

  • Retrieve the encrypted Data Encryption Keys (DEK) for the requested object from your DB or S3.
  • Decrypt the DEK using AWS KMS.
  • Add the decrypted DEK as the x-amz-server-side-encryption-customer-key header in the request forwarded to S3.

Deploy the Lambda@Edge Function:

Deploy your Lambda@Edge function to AWS Lambda, associate the function with your CloudFront distribution, and ensure that the function has the necessary permissions to:

  • Access the DEKs from your DB/S3.
  • Decrypt keys using AWS KMS.
  • Write logs to CloudWatch for monitoring and debugging.

Configure CloudFront: Configure your CloudFront distribution to trigger the Lambda@Edge function on viewer request events. Ensure your S3 bucket policy allows access from CloudFront with the necessary SSE-C headers.

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

EXPERT
answered 3 months ago

Thank you for the quick response.

Continuing on that, I have a couple of other questions; it would be a great help if you can answer them.

  1. How do I encrypt the existing S3 objects by providing separate DEK for each folder, because AWS Batch doesn't seem to have that option.
  2. And replication, in case of disaster.
Sateesh
answered 3 months ago
