Amazon S3 Security & Encryption

AWS  offers data protection and encryption services for all data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centres). You can protect data in transit by using SSL or by using client-side encryption. Here are our exam key points and tips for AWS S3 Encryption:

  • S3 PUT operations store your data across multiple facilities before confirming the success of the action and this ensures that S3 is able to provide you with 99.999999999% durability on your objects
  • S3 is designed to sustain loss of data in up to two facilities
  • You can enable versioning to preserve, retrieve and restore every version of your objects in an S3 bucket
  • By default all newly created buckets are private
  • You can set up access control on your buckets using:
    • Bucket Policies
    • Access Control Lists which can drill down to specific objects
  • S3 Buckets can be configured to create access logs which log all requests make to the bucket and ideally its recommend to store logs in a different bucket from the one being monitored

 

Encryption

Data is encrypted using either In Transit using SSL/TLS encryption as it travels to and from Amazon S3 or when Data is at Rest.  Two options for encrypting data are:

  • Server Side Encryption is where Amazon S3 encrypts your data at the object level as it writes it to disks in its data centres and decrypts it for you when you access it. Three options on encryption are:
    • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – using Multi-Factor authentication, each object is encrypted with a unique key. In addition, it encrypts the key itself using a master key that is regularly rotated and Amazon S3 uses 256-bit AES to encrypt your data
    • Server Side Encryption using AWS Key Management Service, Managed Keys – SSE-KMS. There are separate permissions for use of an envelope key, which is a key that protects the data’s encryption key. It provides you with an audit trail to show when your keys were used and who used the keys. You can create and manage encryption keys yourself, or use a default key that is unique to you, the service you’re using, and the region you’re working in.  There are some additional charges for using this service
    • Server Side Encryption with Customer-Provided Keys – SSE-C – This is where the key is managed by the customer
  • Client Side Encryption is where you encrypted the data and then upload it to S3.  Two options available are:
    • Use an AWS KMS-managed customer master key
    • Use a client-side master key

 

180 Practice Exam Questions – Get Prepared for your Exam Day!

Our Exam Simulator with 180 practice exam questions comes with comprehensive explanations that will help you prepare for one of the most sought-after IT Certifications of the year.  Register Today and start preparing for your AWS Certification.