Configure S3 Encryption

Perform the following steps to configure S3 encryption.

  1. To support S3 buckets encrypted using AWS KMS, include the following property in the vars.dataserver.aws.yml file:
    YAML
    DATASERVER_AWS_PROFILE_PROPERTIES:
    - PROFILE_NAME: "aws_account1"
      PROFILE_PROPERTIES:
        - S3_ENCRYPTION_ENABLE: "true"
        - S3_ENCRYPTION_BUCKET_DATA:
            - "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"

  2. Each S3_ENCRYPTION_BUCKET_DATA entry has three pipe-separated parts:
    1. S3_ENCRYPTION_BUCKET_NAME: Comma-separated list of S3 bucket names.
    2. S3_ENCRYPTION_SSETYPE: The type of server-side encryption to use for the S3 bucket. The supported values are SSE-C, SSE-KMS, and SSE-S3.
    3. S3_ENCRYPTION_SSEKEY: The server-side encryption key to use for the S3 bucket. Whether it is required depends on the SSE type:
      • For SSE-C the key is mandatory; for SSE-KMS the key is optional; for SSE-S3 there is no key, so the last field is left empty.
  3. To enable encryption for multiple S3 buckets:
    • Use the S3_ENCRYPTION_BUCKET_DATA property to specify encryption details for multiple S3 buckets. The list format is as follows:
      YAML
      S3_ENCRYPTION_BUCKET_DATA:
        - "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"
        - "S3_ENCRYPTION_BUCKET_NAME|S3_ENCRYPTION_SSETYPE|S3_ENCRYPTION_SSEKEY"

    • Examples:
      YAML
      S3_ENCRYPTION_BUCKET_DATA:
        - "bucket1|SSE-KMS|"
        - "bucket2|SSE-KMS|arn:aws:kms:<region>:<account-id>:key/<key-id>"
        - "bucketA,bucketB*|SSE-KMS|"

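Because a malformed entry (an SSE-C bucket with no key, or a key given for SSE-S3) only shows up when DataServer tries to read or write the bucket, it helps to validate the list before deploying it. The following is an added example, not Privacera's own code: it parses the "BUCKET_NAME|SSETYPE|SSEKEY" strings shown above, enforces the key rules the page states (SSE-C needs a key, SSE-KMS may have one, SSE-S3 must not), and resolves which entry covers a given bucket. It assumes that a trailing `*` in a bucket name (as in `bucketB*`) is a glob-style wildcard; the page shows the syntax but does not spell out the matching rule. The sample entries and the KMS key ARN in them are constructed placeholders.

```python
"""Validate Privacera DataServer S3_ENCRYPTION_BUCKET_DATA entries before deploying them.

Added example, not Privacera's own code. Assumption: a trailing '*' in a bucket
name is a glob-style wildcard (fnmatch semantics).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

SUPPORTED_SSE_TYPES = ("SSE-C", "SSE-KMS", "SSE-S3")


@dataclass(frozen=True)
class BucketEncryption:
    patterns: Tuple[str, ...]   # bucket names or wildcard patterns from the first field
    sse_type: str               # one of SUPPORTED_SSE_TYPES
    sse_key: Optional[str]      # None when the third field is empty


def parse_entry(entry: str) -> BucketEncryption:
    """Parse one "NAME[,NAME...]|SSETYPE|SSEKEY" entry and apply the per-type key rules."""
    parts = entry.split("|")
    if len(parts) != 3:
        raise ValueError(f"expected NAME|SSETYPE|SSEKEY (two pipes), got {entry!r}")
    names, sse_type, sse_key = (p.strip() for p in parts)
    patterns = tuple(n.strip() for n in names.split(",") if n.strip())
    if not patterns:
        raise ValueError(f"no bucket name in {entry!r}")
    if sse_type not in SUPPORTED_SSE_TYPES:
        raise ValueError(f"unsupported SSE type {sse_type!r}; use one of {SUPPORTED_SSE_TYPES}")
    key = sse_key or None
    if sse_type == "SSE-C" and key is None:
        raise ValueError(f"SSE-C requires a key: {entry!r}")
    if sse_type == "SSE-S3" and key is not None:
        raise ValueError(f"SSE-S3 takes no key, leave the last field empty: {entry!r}")
    return BucketEncryption(patterns, sse_type, key)


def parse_bucket_data(entries: List[str]) -> List[BucketEncryption]:
    """Parse the whole S3_ENCRYPTION_BUCKET_DATA list; raises on the first bad entry."""
    return [parse_entry(e) for e in entries]


def lookup(config: List[BucketEncryption], bucket: str) -> Optional[BucketEncryption]:
    """Return the first entry whose bucket name or wildcard pattern covers `bucket`."""
    for rule in config:
        if any(fnmatchcase(bucket, pattern) for pattern in rule.patterns):
            return rule
    return None


# Constructed sample mirroring the page's examples; the ARN is a placeholder, not a real key.
SAMPLE_ENTRIES = [
    "bucket1|SSE-KMS|",
    "bucket2|SSE-KMS|arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    "bucketA,bucketB*|SSE-KMS|",
]

if __name__ == "__main__":
    rules = parse_bucket_data(SAMPLE_ENTRIES)
    for name in ("bucket1", "bucketB-archive", "unlisted-bucket"):
        rule = lookup(rules, name)
        print(name, "->", f"{rule.sse_type} key={rule.sse_key}" if rule else "no encryption entry")
```

Entries are matched in list order, so a specific bucket name placed before a wildcard entry wins; a bucket that matches no entry gets no encryption setting from this list at all, which is worth checking explicitly for any bucket that must never hold plaintext.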
  4. Once the properties are configured, refer to the Privacera Manager Quickstart.

For PrivaceraCloud, perform the following steps:

  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Connected Applications screen, select S3.
  3. Click the edit icon next to the Account Name, then go to Access Management -> ADVANCED tab.
  4. Add the following properties with the appropriate values for <your_profile_name>, <your_s3_bucket_name>, <sse_type>, and <sse_key>:
    Properties
    dataserver.aws.<your_profile_name>.s3.encryption.enable=true
    dataserver.aws.<your_profile_name>.s3.encryption.bucketname=<your_s3_bucket_name>
    dataserver.aws.<your_profile_name>.s3.encryption.ssetype=<sse_type>
    dataserver.aws.<your_profile_name>.s3.encryption.ssekey=<sse_key>

    1. <your_s3_bucket_name> (S3_ENCRYPTION_BUCKET_NAME): Comma-separated list of S3 bucket names.
    2. <sse_type> (S3_ENCRYPTION_SSETYPE): The type of server-side encryption to use for the S3 bucket. The supported values are SSE-C, SSE-KMS, and SSE-S3.
    3. <sse_key> (S3_ENCRYPTION_SSEKEY): The server-side encryption key to use for the S3 bucket. Whether it is required depends on the SSE type:
      • For SSE-C the key is mandatory; for SSE-KMS the key is optional; for SSE-S3 there is no key, so the property is left empty.
  5. Click the Test Connection button to verify the connection.
  6. Once the connection is successful, click Save.

To Support S3 Encryption Using AWS KMS

Follow the steps below to enable AWS KMS encryption for an S3 bucket.

  1. Update IAM Policy – Granting KMS Access for S3 Encryption

    Update the IAM policy configured in the DataServer profile to include the necessary AWS KMS permissions (Decrypt, GenerateDataKey*) so that Amazon S3 can use the CMK for server-side encryption (aws:kms) when uploading and downloading objects. Note that the statement below names a Principal, which is the form used in the KMS key policy attached to the key itself; an identity-based policy attached to the DataServer role uses the same Action and Resource elements without the Principal element. Keep the grant limited to these two actions and to the one key ARN; the role does not need kms:* or a wildcard key resource to read and write SSE-KMS objects.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowRoleKMSAccess",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<account-id>:role/<role-name>"
          },
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
          ],
          "Resource": "arn:aws:kms:<region>:<account-id>:key/<key-id>"
        }
      ]
    }
    
  2. Bucket Policy – Enforcing SSE-KMS

    To ensure that all objects uploaded to the bucket are encrypted with SSE-KMS, update the bucket policy under the bucket’s Permissions → Bucket policy. The policy below denies s3:PutObject requests that are missing the x-amz-server-side-encryption header, or whose header value is not aws:kms, so every write is KMS-encrypted. Because the conditions are evaluated on the request headers, an upload that sends no header is rejected even if the bucket has default encryption configured; the client (here, DataServer with SSE-KMS configured for the bucket) must send the header explicitly.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::<bucket-name>/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "aws:kms"
            }
          }
        },
        {
          "Sid": "DenyUnencryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::<bucket-name>/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }
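To see which requests this policy actually blocks before it is attached to a production bucket, the following is an added example (not part of the Privacera documentation or any AWS tool) that replays sample PutObject requests against the two Deny statements. It implements only the two IAM condition operators the policy uses, StringNotEquals and Null, including IAM's rule that a negated operator evaluates true when the key is absent from the request. The request contexts are constructed, and "example-bucket" stands in for <bucket-name>.

```python
"""Dry-run of the SSE-KMS bucket policy against sample PutObject requests.

Added example, not Privacera's or AWS's code. Only the StringNotEquals and
Null condition operators are modelled; "example-bucket" is a placeholder.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

BUCKET = "example-bucket"
HEADER_KEY = "s3:x-amz-server-side-encryption"

# Same two statements as the page's policy, with the <bucket-name> placeholder filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {HEADER_KEY: "aws:kms"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {HEADER_KEY: "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator: str, key: str, expected: str, context: Dict[str, str]) -> bool:
    """Evaluate one condition the way IAM does for these two operators."""
    present = key in context
    if operator == "StringNotEquals":
        # Negated operators evaluate true when the key is absent from the request.
        return (not present) or context[key] != expected
    if operator == "Null":
        # Null:"true" matches when the key is absent; Null:"false" when it is present.
        return present != (expected == "true")
    raise NotImplementedError(f"operator {operator} not modelled here")


def deny_reasons(policy: dict, action: str, resource: str, context: Dict[str, str]) -> List[str]:
    """Return the Sids of every Deny statement matching the request (empty list = not denied)."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            sids.append(stmt["Sid"])
    return sids


# Constructed request contexts: the header an SSE-KMS client sends, an SSE-S3 header,
# and an upload that relies on bucket default encryption and sends no header at all.
SAMPLE_REQUESTS = {
    "kms-upload": {HEADER_KEY: "aws:kms"},
    "sse-s3-upload": {HEADER_KEY: "AES256"},
    "no-header-upload": {},
}


def evaluate_samples() -> Dict[str, List[str]]:
    resource = f"arn:aws:s3:::{BUCKET}/data/part-0001.parquet"
    return {name: deny_reasons(BUCKET_POLICY, "s3:PutObject", resource, ctx)
            for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in evaluate_samples().items():
        print(f"{name}: {'DENIED by ' + ', '.join(sids) if sids else 'allowed by this policy'}")
```

The run shows why both statements are kept even though the first already trips on a missing header: the Null statement documents the intent and keeps the bucket protected if someone later relaxes the first condition to a StringNotEquals list. It also makes the operational point concrete: a reader with a GetObject request or a different bucket ARN is untouched, so the policy only constrains writes to this bucket.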