I’ve been playing around with AWS security and, as a result, I’ve gotten up to speed with their S3 encryption options. I thought I’d do a quick hit to share what I learned. AWS offers two high-level options for encryption: Server-Side Encryption (SSE) and Client-Side Encryption. With SSE, the encryption is handled by AWS. As the name hints, client-side encryption is handled by the consumer of S3 storage. It’s important to note that "client" here means the consumer of S3 storage, so an EC2 instance performing encryption is still considered client-side encryption.

Key Management
Most of the SSE options come down to key management. SSE has two major components: the Customer Master Key (CMK) and the object encryption key. You can compare the CMK to the private key in a traditional encryption scheme. The big difference is that a CMK is limited to encrypting 4 kilobytes of data. So, the CMK is used to encrypt data keys, which in turn are used to encrypt data. AWS offers three models for CMK management.

SSE-S3 – This is the simple option. AWS manages the CMK. The customer doesn’t know the CMK and doesn’t control access to the CMK. S3 ACLs are used to determine who can decrypt data upon access. SSE-S3 is appropriate for those needing to check the box of encryption of data at rest. I could see limited use cases for SSE-S3.

SSE-KMS – The KMS option allows the customer more control over the CMK. Customers create one or more CMKs via AWS IAM (Identity and Access Management) and control which users or AWS roles use the CMK. Rules are granular to the point that administrators can determine which users can encrypt or decrypt data using the CMK. The CMK can also be used for communication beyond encryption. It’s a private key, so any application that leverages key exchanges can use KMS. The disadvantage is that you are still tied to AWS.

SSE-C – This option is for customers who desire to control key management directly but leverage server-side encryption. The concept is that you want AWS to perform the encryption, but you want complete control over key management.
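The three SSE models differ on the wire only in the request headers the client sends to S3. The sketch below is an added example, not code from AWS or from this post: the function names are hypothetical helpers, the key is constructed sample data, and the header names are those of the S3 REST API.

```python
import base64
import hashlib
import os


def _sse_c_headers(key):
    # SSE-C: the caller supplies the 256-bit AES key itself on every request.
    if not isinstance(key, (bytes, bytearray)) or len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    prefix = "x-amz-server-side-encryption-customer-"
    return {
        prefix + "algorithm": "AES256",
        prefix + "key": base64.b64encode(key).decode(),
        # The MD5 is a transmission check so S3 can detect a corrupted key.
        prefix + "key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def sse_put_headers(mode, kms_key_id=None, customer_key=None):
    """Headers that select a server-side encryption model on upload."""
    if mode == "SSE-S3":
        # AWS owns and manages the key; the caller only asks for encryption.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            # Names the customer-controlled CMK; access to it is governed in KMS.
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        return _sse_c_headers(customer_key)
    raise ValueError("unknown SSE mode: %r" % (mode,))


def sse_get_headers(mode, customer_key=None):
    """Headers needed to read the object back.

    SSE-S3 and SSE-KMS objects are decrypted by AWS for any authorized
    caller. SSE-C objects need the same key again, so a lost key means
    the object cannot be read.
    """
    return _sse_c_headers(customer_key) if mode == "SSE-C" else {}


if __name__ == "__main__":
    sample_key = os.urandom(32)  # constructed sample key, never stored by S3
    for mode in ("SSE-S3", "SSE-KMS", "SSE-C"):
        put = sse_put_headers(mode, customer_key=sample_key)
        get = sse_get_headers(mode, customer_key=sample_key)
        print(mode, "PUT:", sorted(put), "GET:", sorted(get))
```

Because SSE-C sends the raw key in a header, these requests have to travel over HTTPS.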

Client-side Encryption
Client-side encryption has two options. The first is to leverage AWS KMS to generate and manage keys for encryption on the client before upload to AWS. This is useful if you want to use an encryption algorithm other than the AES-256 used by S3. I’m sure there are other use cases I haven’t considered.

The second option is customer-side key management and encryption. AWS is completely out of the picture. It’s important to highlight that with SSE-C and client-side encryption with customer-managed keys, AWS can’t recover your key or data if you lose your keys. Customers take complete responsibility for key management. So, you get the complete liability and capability associated with key management.

AWS S3 Encryption Options
