With the recent news about data breaches from Amazon S3 buckets, largely resulting from customer mis-configuring their environment, we thought it would be a good time to talk about S3 security and data encryption. S3 offers many security features and Amazon is getting better at explaining how these features work, but there is much unstated. If you've spent any time rummaging around AWS documents, you already know answers to many simple questions are not there. So here we'll take a look at the basics around S3 bucket encryption and how best to use it.
Amazon offers what is called 'Server Side Encryption' for S3, or if you are looking at an S3 bucket in the AWS console, it will be called 'Default encryption' under the properties sheet. You can enable encryption simply by toggling a button in the UI and telling AWS how you would like the key to be managed. One option is AES-256 keys managed per bucket, and the other option is allow KMS -- the AWS Key Management Service -- handle key management for you. Or you can enable these settings via an API call as well.
Server side encryption works much like Transparent Disk Encryption your already familiar with. If S3 receives a valid request to write a file, and the user is authorized to access that bucket, then as the file is written into S3 the data is encrypted. Conversely, if S3 receives a valid read request, and the user is allowed read access to that bucket, the requested object is decrypted and passed to the user. The key will either be provided by the S3 service or the KMS service. Keep in mind that with TDE style encryption, any user who has specific access rights to a file will be provided unencrypted objects upon request.
So, what threats does this help you address?
For most AWS users, this is incredibly compelling as there is no charge for default encryption, does not create a lot of latency and provides some basic protections. That said, there are very good reasons to supplement what AWS -- or any cloud vendor -- provides for storage encryption. For example:
All said, AWS security in general -- and S3 security specifically -- is really good out of the box. Recently reported S3 'breaches' arise either from a simple mistake in access settings or a misunderstanding of how S3 security works, NOT security deficiencies in the Amazon infrastructure. If you couple the proper type of data encryption with IAM policies for user access, and bucket policies to tie network access to only known locations, your data is secure. For additional protection for scenarios like secure data movement between clouds and GDPR compliance, the AWS ecosystem has third party capabilities to supplement this security.
Adrian Lane is an analyst and CTO at Securosis, a security research and advisory firm. He brings over 22 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and software development. Having worked at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on “the other side” as CIO in the finance vertical. He can be reached at alane (at) securosis (dot) com.