All you need to know about encrypting AWS S3 buckets

Рет қаралды 13,064

Күн бұрын

Dance like nobody's watching, encrypt like everyone is. Learn how to enable S3 default encryption. But that's not enough. A bucket policy ensures all uploaded objects comply with your encryption standard. On top of that, you will learn how to avoid insane costs by enabling bucket keys.
Interested in more? Check out the blog post: cloudonaut.io/all-you-need-to...
Support us:
Have you learned something new by reading, listening, or watching our content? If so, we kindly ask you to support us in producing high-quality & independent AWS content. We look forward to sharing our AWS knowledge with you. cloudonaut.io/support-us/
Chapters:
00:00 - Intro
00:45 - What to expect
01:40 - Demo: S3 Default Encryption
03:42 - S3 Encryption
06:41 - Demo: S3 Bucket Policy
11:55 - Costs for S3 Encryption
12:47 - Demo: S3 Bucket Keys
13:36 - Wrap Up
#aws #amazonwebservice #cloudcomputing #cloudonaut #s3bucket #s3 #encrypting

Пікірлер: 23

@andriys5772 2 жыл бұрын

Thank you!

@malikshamim7034 2 жыл бұрын

Thanks alot ,please create a video on these gateways like virtual private gateway ,transit gateway , border gateway ,customer gateway , interface endpoint ,gateway endpoint , vpc endpoints ,these concepts are really confusing

@cloudonaut 2 жыл бұрын

Thanks a lot for your feedback. Will add your content wishes into our backlog.

@oleksandrlytvyn532 Жыл бұрын

Thanks

@cloudonaut Жыл бұрын

You are welcome!

@putinaspiliponis6428 2 жыл бұрын

What are security considerations for SSE-KMS bucket keys versus object keys? I kinda got the impression that in the case of "bucket key" the original requestor entity doesn't have to be granted specifically to use a specific KMS key.

@cloudonaut 2 жыл бұрын

bucket keys are much cheaper in terms of KMS API calls. The only change is that all objects are encrypted with the same key. Which makes sense anyways.

@sarulatha7374 2 жыл бұрын

Hi Thanks a lot for this video. Could you please make a video how to encrypt and decrypt the files using AWS KMS

@cloudonaut 2 жыл бұрын

Good point, will add that to our TODO list. :)

@brunocardoso8277 2 жыл бұрын

Hi, thanks for the content. if I may ask a question, how can i write the policies for SSE-S3 encryptions? I tried some, but when I set nothing in the header its was rejecting all my requests from a Java Client. Thanks

@cloudonaut 2 жыл бұрын

I'd say, replacing s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt 'Key.Arn' from our example with "s3:x-amz-server-side-encryption": "AES256" should do the trick.

@Niko-kf1gt Жыл бұрын

I have couple of s3 buckets where the default encryption is turned on by default (SS3-S3) but for some reason some objects are showing as unencrypted. I wonder if we can encrypt after an object has been uploaded , if I go to the object and try to edit the server-side encryption it says I don't have permission.

@cloudonaut Жыл бұрын

The default encryption does only apply when creating or updating/replacing an object. The setting does not affect objects, that have been created before.

@raze5 2 жыл бұрын

What you think would be reasons to NOT to enable bucket key? But choosing more expensive key instead?

@cloudonaut 2 жыл бұрын

I don't see a good reason. All other services use similar optimizations to reduce kms requests.

@thatguynick7992 10 ай бұрын

Is there an updated version of this content. Currently there isn’t an option to enable and disable encryption. SSE-S3 is default

@cloudonaut 10 ай бұрын

Correct, S3 buckets are encrypted by default those days. Up until know, we haven't recorded an updated video yet.

@RahulAhire 2 жыл бұрын

How can I verify that the objects are actually encrypted.

@cloudonaut 2 жыл бұрын

What do you mean by "verify that the objects are actually encrypted"? As the de/encryption happens on-the-fly you have to trust AWS and their security/quality certifications, that the encryption is working. All you can do is the check the details of an object to check which encryption was applied.

@RahulAhire 2 жыл бұрын

@@cloudonaut whenever I access the encrypted files in console or preview it, I get it in its original form. Let's says there's a hack (or there's a raid by police) that my system faced and by mistakenly I allow read access. How can I see if the encryption is working. When I encryption a text file locally it automatically turns into something random.