By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

What are the use cases for different S3 encryption options?

0

There are 4 options for S3 encryption: SSE-S3 / SSE-KMS / DSSE-KMS / SSE-C. What's the use case for them. For example, what is SSE-S3 protecting from? Malicious AWS employee? Somebody stealing physical disk from AWS data center? I don't see any protection for non-AWS employee. If a user has permissions to the bucket, they can access it; if not - not. Encryption is totally transparent. Obviously, with SSE-C the customer manages the keys; so it's protection against malicious AWS employee. But the other three are not clear. And the documentation is all about the mechanics, rather than security architecture.

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceSecurity, Identity, & ComplianceEncryption
Language
English
profile picture
virshu
asked 5 months ago672 views
3 Answers
0
Accepted Answer

Greetings! Understanding the different encryption options provided by Amazon S3 is crucial for implementing the appropriate level of security for your data. Here's an overview of the four encryption methods and their primary use cases in terms of security architecture:

SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys):

Use Case: This is a simple and integrated method where Amazon manages the encryption keys. It's best suited for users who want to ensure their data is encrypted at rest but do not require control over the encryption keys. Security Protection: SSE-S3 protects against unauthorized access to the physical storage media. For instance, if a disk were to be physically removed or stolen from an AWS data center, the data would remain encrypted and thus unreadable. SSE-KMS (Server-Side Encryption with AWS Key Management Service, Managed Keys):

Use Case: This option provides an additional layer of security by integrating with AWS Key Management Service (KMS), which allows for key rotation, centralized key management, and detailed access control over who can use the keys. Security Protection: In addition to protecting against physical theft, SSE-KMS adds protection against unauthorized access within AWS. It can safeguard against a scenario where someone with certain AWS permissions might access your data, as the key usage is logged and can be strictly controlled and audited. SSE-C (Server-Side Encryption with Customer-Provided Keys):

Use Case: This is for users who want to maintain control over their encryption keys but still utilize AWS for storing their data. The customer manages and provides their own encryption keys with each HTTP request. Security Protection: This method offers protection against both physical threats and insider threats at AWS, as AWS does not store or manage the keys. The customer has full control, mitigating risks associated with key management by AWS. CSE-KMS (Client-Side Encryption with AWS KMS Managed Keys):

Use Case: This method is for users who want to encrypt data client-side before uploading it to S3. It's useful when the user wants complete control over the encryption process and keys, using AWS KMS for key management. Security Protection: CSE-KMS protects the data throughout the transmission and storage process. Since encryption is done client-side, it provides a high level of security against both internal and external threats, including the scenario of a compromised AWS environment. To summarize, SSE-S3 and SSE-KMS offer protection primarily against physical threats and unauthorized internal access at AWS, with SSE-KMS providing enhanced key management and audit capabilities. SSE-C offers a higher level of security control, where the customer retains control over the encryption keys, thus protecting against both physical threats and potential insider threats at AWS. CSE-KMS provides the highest level of control to the customer, ensuring data is encrypted before it ever reaches AWS servers.

We also run Immersion Days for S3 Security best practices that can help you to identify the differences and dive deeper,

https://catalog.us-east-1.prod.workshops.aws/workshops/74237958-77c8-4e7f-a02f-ae201a04d759/en-US

Please let me know if i answered your question

AWS
EXPERT
ZJon
answered 5 months ago
  • virshu
    5 months ago

    Thanks. It is certainly better than AWS documentation. I think it for the most part confirms my guess; but it's good to have such confirmation from AWS person.

  • ZJon EXPERT
    5 months ago

    virshu, please select my answer as Accepted Answer if it helped :) Thank you

0

SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys): This is the most straightforward option. AWS handles the encryption and decryption with keys it manages. It's a good fit for general use cases where simplicity is a priority. It provides protection against raw data being exposed in the event of unauthorized physical access to the hardware.

SSE-KMS (Server-Side Encryption with AWS Key Management Service): This offers more control and audit trails over the keys used to encrypt your data. With SSE-KMS, you can either use a default service-managed key for encryption or specify a customer-managed key. It's useful when compliance requirements demand more control and visibility into the encryption keys.

**DSSE-KMS (S3 Object Ownership with AWS Key Management Service): **This is a newer option. The bucket key feature reduces the cost of SSE-KMS by limiting the number of requests to KMS. It's applicable when you have many objects in a bucket and are concerned about costs.

SSE-C (Server-Side Encryption with Customer-Provided Keys): You manage the encryption keys in this case, and you must provide them for every PUT and GET request. This is useful when you want to maintain full control over your keys, such as for specific compliance or regulatory requirements.

Hope this clarifies.

While encryption protects against physical theft of the storage device or a malicious AWS employee, it’s also part of a defense-in-depth strategy. Even if a user has bucket permissions, additional layers of security like encryption can provide important safeguards.

However, you're right in noting that encryption doesn't directly safeguard against incorrect permissions or misconfigured buckets. For that, you'd need to ensure your bucket policies, IAM policies, and Access Control Lists (ACLs) are correctly set up. Tools like AWS Macie can help identify potential misconfigurations or overly permissive policies.

Sasidhar
answered 5 months ago
  • virshu
    5 months ago

    Thank you Sasidhar. I probably should have mentioned that I read documentation before I posted the question; I even put a link in the question. To summarize your response: SSE-S3 - provides protection against raw data being exposed in the event of unauthorized physical access to the hardware. Seriously? That's it? D/SSE-KMS useful when compliance requirements demand... no idea what you mean SSE-C - thank you for confirming what I said.

    If a user has bucket permissions, additional layers of security like encryption can provide important safeguards - only in SSE-C case

0

virshu, please select my answer as Accepted Answer if it helped :) Thank you

AWS
EXPERT
ZJon
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content