Configure S3 Encryption

Perform the following steps to configure S3 encryption. The first procedure is for Privacera Manager deployments (vars.dataserver.aws.yml); the second is for PrivaceraCloud.

Privacera Manager

  1. To enable encryption for an AWS S3 bucket, include the following property in the vars.dataserver.aws.yml file:
    YAML
    DATASERVER_AWS_PROFILE_PROPERTIES:
    - PROFILE_NAME: "aws_account1"
      PROFILE_PROPERTIES:
        - S3_ENCRYPTION_ENABLE: "true"
        - S3_ENCRYPTION_BUCKET_DATA: "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"

  2. The S3_ENCRYPTION_BUCKET_DATA value has three pipe-separated parts:
    1. S3_ENCRYPTION_BUCKET_NAME: Comma-separated list of S3 bucket names.
    2. S3_ENCRYPTION_SSETYPE: The type of server-side encryption to use for the buckets. The supported values are SSE-C, SSE-KMS, and SSE-S3.
    3. S3_ENCRYPTION_SSEKEY: The server-side encryption key to use for the buckets. Whether it is required depends on S3_ENCRYPTION_SSETYPE:
      • For SSE-C the key is mandatory; for SSE-KMS it is optional; for SSE-S3 no key is used.
  3. To enable encryption for multiple S3 buckets:
    • Use the S3_ENCRYPTION_BUCKET_DATA property to specify encryption details for multiple S3 buckets. The format is as follows:
      YAML
      S3_ENCRYPTION_BUCKET_DATA: "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"

    • For example, to apply SSE-C with the same key to both bucket1 and bucket2:
      YAML
      S3_ENCRYPTION_BUCKET_DATA: "bucket1,bucket2|SSE-C|jkabcxiuahsc"

  4. Once the properties are configured, refer to the Privacera Manager Quickstart.

PrivaceraCloud

  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Connected Applications screen, select S3.
  3. Click the edit icon next to the Account Name, then go to Access Management -> ADVANCED tab.
  4. Add the following properties, replacing <your_profile_name>, <your_s3_bucket_name>, <sse_type>, and <sse_key> with the appropriate values:
    Properties
    dataserver.aws.<your_profile_name>.s3.encryption.enable=true
    dataserver.aws.<your_profile_name>.s3.encryption.bucketname=<your_s3_bucket_name>
    dataserver.aws.<your_profile_name>.s3.encryption.ssetype=<sse_type>
    dataserver.aws.<your_profile_name>.s3.encryption.ssekey=<sse_key>

    The property values correspond to the following:
    1. bucketname (<your_s3_bucket_name>): Comma-separated list of S3 bucket names.
    2. ssetype (<sse_type>): The type of server-side encryption to use for the buckets. The supported values are SSE-C, SSE-KMS, and SSE-S3.
    3. ssekey (<sse_key>): The server-side encryption key to use for the buckets. Whether it is required depends on ssetype:
      • For SSE-C the key is mandatory; for SSE-KMS it is optional; for SSE-S3 no key is used (omit the ssekey property).
  5. Click the Test Connection button to verify the connection.
  6. Once the connection is successful, click Save.
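As an added example (not Privacera's code), the following Python checker validates the settings described in both procedures above before they are deployed: it parses the pipe-delimited S3_ENCRYPTION_BUCKET_DATA value, enforces the per-type key rules (SSE-C mandatory, SSE-KMS optional, SSE-S3 none), walks the DATASERVER_AWS_PROFILE_PROPERTIES structure as it would be loaded from vars.dataserver.aws.yml, and renders the result in the PrivaceraCloud dotted-property form. The function names and the sample values are assumptions; loading the YAML into a dict is left to the caller.

```python
from dataclasses import dataclass
from typing import Optional

SUPPORTED_SSE_TYPES = ("SSE-C", "SSE-KMS", "SSE-S3")  # the values the page lists


@dataclass(frozen=True)
class BucketEncryption:
    buckets: tuple           # one or more S3 bucket names
    sse_type: str            # SSE-C, SSE-KMS or SSE-S3
    sse_key: Optional[str]   # None when no key is configured


def parse_bucket_data(value: str) -> BucketEncryption:
    """Parse 'BUCKET[,BUCKET...]|SSETYPE|SSEKEY' and enforce the per-type key rules."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) not in (2, 3):
        raise ValueError("expected 'buckets|ssetype|ssekey' (2 or 3 fields)")
    buckets = tuple(b.strip() for b in parts[0].split(",") if b.strip())
    sse_type, sse_key = parts[1], (parts[2] if len(parts) == 3 else "")
    if not buckets:
        raise ValueError("at least one S3 bucket name is required")
    if sse_type not in SUPPORTED_SSE_TYPES:
        raise ValueError(f"unsupported SSE type {sse_type!r}")
    if sse_type == "SSE-C" and not sse_key:
        raise ValueError("SSE-C requires a key")       # key is mandatory
    if sse_type == "SSE-S3" and sse_key:
        raise ValueError("SSE-S3 takes no key")        # key must be absent
    return BucketEncryption(buckets, sse_type, sse_key or None)  # SSE-KMS: optional


def validate_profiles(config: dict) -> dict:
    """Return {profile_name: BucketEncryption} for every profile with encryption enabled."""
    result = {}
    for profile in config.get("DATASERVER_AWS_PROFILE_PROPERTIES", []):
        # PROFILE_PROPERTIES is a list of single-key mappings; flatten it first.
        props = {k: v for item in profile.get("PROFILE_PROPERTIES", []) for k, v in item.items()}
        if str(props.get("S3_ENCRYPTION_ENABLE", "false")).lower() != "true":
            continue
        if "S3_ENCRYPTION_BUCKET_DATA" not in props:
            raise ValueError(f"{profile['PROFILE_NAME']}: encryption enabled without bucket data")
        result[profile["PROFILE_NAME"]] = parse_bucket_data(props["S3_ENCRYPTION_BUCKET_DATA"])
    return result


def to_cloud_properties(profile_name: str, enc: BucketEncryption) -> list:
    """Render the same settings as PrivaceraCloud's dotted dataserver.aws.* properties."""
    prefix = f"dataserver.aws.{profile_name}.s3.encryption."
    lines = [f"{prefix}enable=true", f"{prefix}bucketname={','.join(enc.buckets)}",
             f"{prefix}ssetype={enc.sse_type}"]
    if enc.sse_key:
        lines.append(f"{prefix}ssekey={enc.sse_key}")
    return lines
```

Run it against the dict produced by loading vars.dataserver.aws.yml; a misconfigured profile (for example SSE-C without a key) fails here instead of at first access to the bucket.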
