All you need to know about encrypting AWS S3 buckets

Рет қаралды 13,279

cloudonaut

Күн бұрын

Пікірлер: 23

@andriys5772 3 жыл бұрын

Thank you!

@malikshamim7034 2 жыл бұрын

Thanks alot ,please create a video on these gateways like virtual private gateway ,transit gateway , border gateway ,customer gateway , interface endpoint ,gateway endpoint , vpc endpoints ,these concepts are really confusing

@cloudonaut 2 жыл бұрын

Thanks a lot for your feedback. Will add your content wishes into our backlog.

@oleksandrlytvyn532 Жыл бұрын

Thanks

@cloudonaut Жыл бұрын

You are welcome!

@raze5 2 жыл бұрын

What you think would be reasons to NOT to enable bucket key? But choosing more expensive key instead?

@cloudonaut 2 жыл бұрын

I don't see a good reason. All other services use similar optimizations to reduce kms requests.

@putinaspiliponis6428 2 жыл бұрын

What are security considerations for SSE-KMS bucket keys versus object keys? I kinda got the impression that in the case of "bucket key" the original requestor entity doesn't have to be granted specifically to use a specific KMS key.

@cloudonaut 2 жыл бұрын

bucket keys are much cheaper in terms of KMS API calls. The only change is that all objects are encrypted with the same key. Which makes sense anyways.

@thatguynick7992 Жыл бұрын

Is there an updated version of this content. Currently there isn’t an option to enable and disable encryption. SSE-S3 is default

@cloudonaut Жыл бұрын

Correct, S3 buckets are encrypted by default those days. Up until know, we haven't recorded an updated video yet.

@sarulatha7374 2 жыл бұрын

Hi Thanks a lot for this video. Could you please make a video how to encrypt and decrypt the files using AWS KMS

@cloudonaut 2 жыл бұрын

Good point, will add that to our TODO list. :)

@brunocardoso8277 2 жыл бұрын

Hi, thanks for the content. if I may ask a question, how can i write the policies for SSE-S3 encryptions? I tried some, but when I set nothing in the header its was rejecting all my requests from a Java Client. Thanks

@cloudonaut 2 жыл бұрын

I'd say, replacing s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt 'Key.Arn' from our example with "s3:x-amz-server-side-encryption": "AES256" should do the trick.

@Niko-kf1gt 2 жыл бұрын

I have couple of s3 buckets where the default encryption is turned on by default (SS3-S3) but for some reason some objects are showing as unencrypted. I wonder if we can encrypt after an object has been uploaded , if I go to the object and try to edit the server-side encryption it says I don't have permission.

@cloudonaut 2 жыл бұрын

The default encryption does only apply when creating or updating/replacing an object. The setting does not affect objects, that have been created before.

@RahulAhire 2 жыл бұрын

How can I verify that the objects are actually encrypted.

@cloudonaut 2 жыл бұрын

What do you mean by "verify that the objects are actually encrypted"? As the de/encryption happens on-the-fly you have to trust AWS and their security/quality certifications, that the encryption is working. All you can do is the check the details of an object to check which encryption was applied.

@RahulAhire 2 жыл бұрын

@@cloudonaut whenever I access the encrypted files in console or preview it, I get it in its original form. Let's says there's a hack (or there's a raid by police) that my system faced and by mistakenly I allow read access. How can I see if the encryption is working. When I encryption a text file locally it automatically turns into something random.