Multi tenant s3 object isolation

0

Hi, we have a multi-tenant application which stores objects in S3, each tenant with their own prefix (folder). What would be the recommended solution for tenant data isolation for such an application, assuming we want a dedicated key per tenant but not the overhead of a bucket per tenant (there are a few thousand tenants)? Would it be a dedicated data encryption key per tenant, all wrapped with a single AWS KMS key encryption key? If this is the case, what would be the recommended pattern for serving objects to clients? Would it be server-side decryption using the workload role and then sending it back to the client as a blob? Any other recommended patterns? Users are managed in Cognito. The authorisation to access objects is based on application logic, not a Cognito attribute or specific IAM users. Thanks

Oren
Asked 10 months ago, 551 views
3 answers
1
Accepted answer

Implementation-wise, assuming that each tenant must have their own independent KMS key, you may need to handle this at the application level.

You can achieve it with S3 object-level encryption via the PutObject request by providing different headers:

  • x-amz-server-side-encryption: set this one to aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id: set this one to the key ID of the customer-specific key

I am not aware that there is a native way.

Expert
Answered 10 months ago
0

Take a look at this, Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3, for a discussion of the different approaches.

AWS
Expert
kentrad
Answered 10 months ago
Expert
Reviewed 10 months ago
  • Thanks. I understand the alternatives mentioned in the article, but I am more wondering about implementation. As mentioned, the bucket per tenant doesn’t fit us, and we do want an encryption key per tenant due to customers’ compliance requirements.

    1. Is the best option then envelope encryption with a DEK per tenant and a single KEK? Or is there a native AWS mechanism that can achieve these requirements (i.e. us not writing code to handle encryption with DEK and KEK)?
    2. If this is the case, what would be the recommended pattern for serving objects to clients? Would it be backend server decryption using an IAM role and then sending it back to the client as a blob? Or any other recommended patterns?

    Thanks

  • I would look at Access Points for each customer, and the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accessed the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity Pools.
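As an added example (not code from either answer or from AWS), the two pieces described in this thread in Python: the two SSE-KMS headers from the accepted answer expressed as boto3 put_object arguments, and the per-tenant Access Point policy kentrad describes, which denies any PutObject that does not name that tenant's key. The region, account id, bucket name, tenant names, key ARNs and role ARN are constructed placeholders.

```python
REGION = "us-east-1"            # placeholder region
ACCOUNT_ID = "111122223333"     # placeholder account id
BUCKET = "saas-tenant-data"     # placeholder shared bucket

# Constructed tenant -> KMS key ARN registry. In a real deployment this is
# looked up from the tenant database, never taken from client-supplied input.
TENANT_KEYS = {
    "acme": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/11111111-1111-4111-8111-111111111111",
    "globex": f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/22222222-2222-4222-8222-222222222222",
}


def put_object_args(tenant, object_name, body):
    """Keyword arguments for boto3 s3.put_object(**...): the tenant prefix plus
    the tenant's own key. ServerSideEncryption and SSEKMSKeyId are boto3's names
    for the two x-amz-server-side-encryption headers in the accepted answer."""
    if tenant not in TENANT_KEYS:
        raise KeyError(f"unknown tenant {tenant!r}")
    return {
        "Bucket": BUCKET,
        "Key": f"{tenant}/{object_name}",
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": TENANT_KEYS[tenant],
    }


def access_point_policy(tenant, role_arn):
    """Policy document for a per-tenant S3 Access Point: the workload role may
    only read/write under the tenant's prefix, and a PutObject that does not
    name the tenant's key is denied. StringNotEquals also matches when the
    header is absent, so unencrypted or default-key puts are rejected too."""
    ap = f"arn:aws:s3:{REGION}:{ACCOUNT_ID}:accesspoint/{tenant}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "TenantPrefixOnly", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{ap}/object/{tenant}/*"},
            {"Sid": "RequireTenantKey", "Effect": "Deny", "Principal": {"AWS": role_arn},
             "Action": "s3:PutObject", "Resource": f"{ap}/object/*",
             "Condition": {"StringNotEquals": {
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": TENANT_KEYS[tenant]}}},
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(access_point_policy("acme", f"arn:aws:iam::{ACCOUNT_ID}:role/app-backend"), indent=2))
```

The bucket policy must still delegate access control to the access points, and the role needs kms:GenerateDataKey on a tenant's key to put and kms:Decrypt on it to get, which is the KMS permission kentrad refers to.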

0

Thanks a lot guys, very helpful!

Oren
Answered 9 months ago
