AWS S3 Bucket Encryption
You can set up server-side encryption for an AWS S3 bucket to encrypt the objects stored in it. The supported encryption types are server-side encryption with Amazon S3-managed keys (SSE-S3), with keys stored in AWS Key Management Service (SSE-KMS), and with customer-provided keys (SSE-C). An encryption key is mandatory for SSE-C and optional for SSE-KMS; no encryption key is required for SSE-S3. For more information, see Protecting data using server-side encryption in the AWS documentation.
Configure Bucket Encryption in Dataserver
- SSH to the EC2 instance where Privacera Dataserver is installed.
- Enable use of the bucket encryption configuration in Privacera Dataserver.
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
  vi config/custom-vars/vars.dataserver.aws.yml
- Add the new properties.
  DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE: "true"
  DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING:
    - "bucketA|<encryption-type>|<base64 encoded sse key>"
    - "bucketB*,BucketC|<encryption-type>|<base64 encoded sse key>"
Property | Description |
---|---|
DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE | Enables or disables AWS S3 bucket encryption support. |
DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING | Maps S3 buckets to an SSE encryption type and a base64-encoded SSE key. Each entry has the form "<bucket patterns>\|<encryption-type>\|<base64 encoded sse key>", for example "bucketC*,BucketD\|SSE-KMS\|<base64 encoded sse key>". |

The base64-encoded encryption key must be set in the following cases:
1) The encryption type is SSE-KMS and a customer managed CMK is used for encryption.
2) The encryption type is SSE-C.
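The mapping entries above combine bucket patterns, an encryption type and an optional key in one pipe-separated string, so it is worth seeing how such an entry is parsed and which validation the stated rules imply. The following is an added example, not Privacera's own code: it parses DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING-style entries, enforces that a key is present for SSE-C (and decodes to a 256-bit key), accepts an optional key for SSE-KMS, and resolves the rule for a given bucket name. It assumes shell-style wildcards in the bucket patterns, case-sensitive matching, and that the first matching entry wins; the sample entries and key are constructed.

```python
"""Resolve the Dataserver S3 encryption mapping for a bucket name.

Added example, not Privacera code. Assumptions: bucket patterns use
shell-style wildcards, match case-sensitively, and the first matching
entry wins. The sample mapping and key below are constructed.
"""
import base64
import binascii
import fnmatch
from dataclasses import dataclass
from typing import Optional

SSE_TYPES = {"SSE-S3", "SSE-KMS", "SSE-C"}


@dataclass(frozen=True)
class EncryptionRule:
    patterns: tuple          # bucket name patterns, e.g. ("bucketB*", "BucketC")
    sse_type: str            # one of SSE_TYPES
    key_b64: Optional[str]   # base64-encoded key, or None when not supplied

    def matches(self, bucket: str) -> bool:
        return any(fnmatch.fnmatchcase(bucket, p) for p in self.patterns)


def _validate_key(sse_type: str, key_b64: Optional[str]) -> None:
    """Key is mandatory for SSE-C, optional for SSE-KMS, ignored for SSE-S3."""
    if not key_b64:
        if sse_type == "SSE-C":
            raise ValueError("SSE-C requires a base64-encoded key")
        return
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key is not valid base64: {exc}") from exc
    # SSE-C keys are 256-bit AES keys, so the decoded value must be 32 bytes.
    if sse_type == "SSE-C" and len(raw) != 32:
        raise ValueError(f"SSE-C key must decode to 32 bytes, got {len(raw)}")


def parse_mapping_entry(entry: str) -> EncryptionRule:
    """Parse one "patterns|type|key" entry; the key field may be empty or absent."""
    parts = entry.split("|", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed entry (expected patterns|type|key): {entry!r}")
    patterns = tuple(p.strip() for p in parts[0].split(",") if p.strip())
    sse_type = parts[1].strip()
    key_b64 = parts[2].strip() if len(parts) == 3 and parts[2].strip() else None
    if not patterns:
        raise ValueError(f"no bucket pattern in entry: {entry!r}")
    if sse_type not in SSE_TYPES:
        raise ValueError(f"unknown encryption type {sse_type!r} in entry: {entry!r}")
    _validate_key(sse_type, key_b64)
    return EncryptionRule(patterns, sse_type, key_b64)


def is_valid_entry(entry: str) -> bool:
    try:
        parse_mapping_entry(entry)
        return True
    except ValueError:
        return False


def parse_mapping(entries) -> list:
    return [parse_mapping_entry(e) for e in entries]


def resolve(rules, bucket: str) -> Optional[EncryptionRule]:
    """Return the first rule whose patterns match the bucket, or None."""
    for rule in rules:
        if rule.matches(bucket):
            return rule
    return None


# Constructed sample configuration (placeholder key values, not real secrets).
SAMPLE_SSE_C_KEY = base64.b64encode(b"0" * 32).decode()   # 32 bytes -> valid SSE-C key
SAMPLE_SHORT_KEY = base64.b64encode(b"0" * 16).decode()   # 16 bytes -> rejected for SSE-C
SAMPLE_MAPPING = [
    "bucketA|SSE-S3|",
    "bucketB*,BucketC|SSE-KMS|",
    "bucketD|SSE-C|" + SAMPLE_SSE_C_KEY,
]

if __name__ == "__main__":
    rules = parse_mapping(SAMPLE_MAPPING)
    for name in ("bucketA", "bucketB-logs", "BucketC", "bucketD", "unmapped"):
        print(name, "->", resolve(rules, name))
```

A bucket with no matching entry resolves to None; how Dataserver treats that case is not stated on this page, so the example leaves the decision to the caller.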
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Supported S3 APIs for SSE-S3 Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
Bucket Policy
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
- Upload a test file.
  aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)
Supported APIs for SSE-KMS Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
Your IAM role should have kms:Decrypt permission when you upload or download an Amazon S3 object encrypted with an AWS KMS CMK. This is in addition to the kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions.
AWS Managed CMKs (SSE-KMS)
Bucket Policy
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
- Upload a test file.
  aws s3 cp myfile.txt s3://{{sse-kms-encrypted-bucket}}/
Customer Managed CMKs (SSE-KMS)
Bucket Policy
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "RequireKMSEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
- Upload a test file.
  aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
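The three Deny-only bucket policies in this section (SSE-S3, AWS managed CMK and customer managed CMK) differ only in their condition operators, and the interplay of StringNotEquals, Null and StringNotLikeIfExists decides which uploads are refused. The following added example, not Privacera or AWS code, implements just those three operators with AWS's documented semantics (a Null/"true" condition matches when the key is absent; an ...IfExists operator evaluates to true when the key is absent) and runs the SSE-S3 and customer-managed-CMK policies against constructed PutObject request contexts, returning the Sids of the statements that would deny each upload. It treats a missing key as not matching StringNotEquals, so the separate Null statement is what rejects uploads without the header. The bucket names and KMS key ARNs are constructed placeholders.

```python
"""Evaluate the page's Deny-only bucket policies against sample PutObject requests.

Added example, not Privacera or AWS code. Only the three condition operators
the page's policies use are implemented. Bucket names and KMS ARNs are
constructed placeholders.
"""
import re

S3_BUCKET = "sse-s3-encrypted-bucket"      # placeholder for {{sse-s3-encrypted-bucket}}
KMS_BUCKET = "sse-kms-encrypted-bucket"    # placeholder for {{sse-kms-encrypted-bucket}}
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # placeholder
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/ffffffff-ffff-ffff-ffff-ffffffffffff"  # placeholder

SSE_HDR = "s3:x-amz-server-side-encryption"
KMS_ID_HDR = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _deny(sid, bucket, operator, key, value):
    """One Deny statement in the shape the page's policies use."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": {operator: {key: value}}}


SSE_S3_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("DenyIncorrectEncryptionHeader", S3_BUCKET, "StringNotEquals", SSE_HDR, "AES256"),
    _deny("DenyUnencryptedObjectUploads", S3_BUCKET, "Null", SSE_HDR, "true"),
]}
CUSTOMER_CMK_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("DenyIncorrectEncryptionHeader", KMS_BUCKET, "StringNotEquals", SSE_HDR, "aws:kms"),
    _deny("RequireKMSEncryption", KMS_BUCKET, "StringNotLikeIfExists", KMS_ID_HDR, KMS_KEY_ARN),
    _deny("DenyUnencryptedObjectUploads", KMS_BUCKET, "Null", SSE_HDR, "true"),
]}


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    present = key in ctx
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present
        return (not present) if expected == "true" else present
    if operator.endswith("IfExists"):
        if not present:
            return True                               # absent key: condition is true
        operator = operator[: -len("IfExists")]
    if not present:
        return False                                  # plain operators need the key
    value = ctx[key]
    if operator == "StringNotEquals":
        return value != expected
    if operator == "StringNotLike":
        return not _wildcard_match(expected, value)
    raise NotImplementedError(operator)


def denying_statements(policy: dict, action: str, resource: str, ctx: dict) -> list:
    """Sids of Deny statements whose action, resource and every condition match."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not (_wildcard_match(stmt["Action"], action) and _wildcard_match(stmt["Resource"], resource)):
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx) for op, block in conds.items() for k, v in block.items()):
            sids.append(stmt["Sid"])
    return sids


def upload_verdict(policy: dict, bucket: str, ctx: dict, key: str = "myfile.txt") -> list:
    """Empty list means the policy does not deny the PutObject; otherwise the denying Sids."""
    return denying_statements(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", ctx)


# Constructed request contexts: the s3:* condition keys derived from the upload's headers.
REQ_CORRECT_KEY = {SSE_HDR: "aws:kms", KMS_ID_HDR: KMS_KEY_ARN}
REQ_WRONG_KEY = {SSE_HDR: "aws:kms", KMS_ID_HDR: OTHER_KEY_ARN}
REQ_SSE_S3 = {SSE_HDR: "AES256"}
REQ_NO_HEADER = {}

if __name__ == "__main__":
    for name, ctx in [("correct key", REQ_CORRECT_KEY), ("wrong key", REQ_WRONG_KEY),
                      ("AES256", REQ_SSE_S3), ("no header", REQ_NO_HEADER)]:
        print(f"{name:12} SSE-S3 bucket: {upload_verdict(SSE_S3_POLICY, S3_BUCKET, ctx)}"
              f"  CMK bucket: {upload_verdict(CUSTOMER_CMK_POLICY, KMS_BUCKET, ctx)}")
```

Note that under the customer managed CMK policy an upload that sets aws:kms but omits the key-id header is also denied, because StringNotLikeIfExists evaluates to true when the key is absent; clients relying on the bucket's default KMS key must still send the expected key id.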
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Supported APIs for SSE-C Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
- Upload Part
- Upload Part - Copy
- Complete Multipart Upload
- Get Object
- Head Object

- Update the privacera_aws_config.json file with the bucket and the SSE-C encryption key.
- Run the AWS S3 upload.
  aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/
- Run head-object.
  aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt

Sample Keys:
Key | Value |
---|---|
256-bit AES key | E1AC89EFB167B29ECC15FF75CC5C2C3A |
Base64-encoded encryption key (sseKey) | echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" \| openssl enc -base64 |
Base64-encoded 128-bit MD5 digest of the encryption key | echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" \| openssl dgst -md5 -binary \| openssl enc -base64 |
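The two openssl commands in the Sample Keys table produce the values an SSE-C request carries in its x-amz-server-side-encryption-customer-key and -customer-key-MD5 headers. The following added example, not Privacera code, reproduces both with Python's standard library and assembles the three SSE-C headers, refusing any key that is not exactly 32 bytes. It uses the key exactly as the openssl commands do: the 32 ASCII characters of the sample key are the raw 256-bit key and the hex-looking text is not decoded. The header names are the standard S3 SSE-C request headers; the sample key is the one from the table.

```python
"""Build SSE-C request headers from the page's sample key.

Added example, not Privacera code. Mirrors the openssl commands in the
Sample Keys table: the key text is used as raw bytes, not hex-decoded.
"""
import base64
import hashlib

SAMPLE_KEY_TEXT = "E1AC89EFB167B29ECC15FF75CC5C2C3A"   # sample key from the page, 32 ASCII bytes


def sse_c_key_material(key: bytes) -> dict:
    """Return the base64 key (sseKey) and the base64 MD5 digest of the raw key."""
    if len(key) != 32:
        raise ValueError(f"SSE-C requires a 256-bit (32-byte) key, got {len(key)} bytes")
    return {
        # echo -n KEY | openssl enc -base64
        "sseKey": base64.b64encode(key).decode("ascii"),
        # echo -n KEY | openssl dgst -md5 -binary | openssl enc -base64
        "sseKeyMD5": base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def sse_c_headers(key: bytes) -> dict:
    """The three request headers S3 requires for an SSE-C PutObject/GetObject/HeadObject."""
    material = sse_c_key_material(key)
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": material["sseKey"],
        "x-amz-server-side-encryption-customer-key-MD5": material["sseKeyMD5"],
    }


def headers_for_sample_key() -> dict:
    return sse_c_headers(SAMPLE_KEY_TEXT.encode("ascii"))


def is_valid_sse_c_key(key: bytes) -> bool:
    try:
        sse_c_key_material(key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, value in headers_for_sample_key().items():
        print(f"{name}: {value}")
```

The MD5 header lets S3 verify the key was transmitted intact; it is not a secret, but the base64 key itself is, so the headers should only ever travel over TLS and never be logged.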