S3 Encryption
Set up server-side encryption.
Configure Bucket Encryption in Dataserver#
-
Go to the Dataserver configuration directory.
~/privacera/docker/dataserver/conf -
Make a copy of privacera_aws_config.json.template as privacera_aws_config.json (If the template file does not exist then create privacera_aws_config.json).
-
Update bucket name and the server side encryption types are: SSE-S3, SSE-KMS, and SSE-C.
-
If the encryption type is set to ‘SSE-KMS’ and for encryption customer managed CMKs is used, then set the encryption key to ‘sseKey’. The encryption key should be base64 encoded.
-
If the encryption type is set to ‘SSE-C’ then ‘sseKey’ should be set. This should be a base64 encoded encryption key.
-
Restart Data Server service.
Example Configuration file#
{
"aws":{
"s3":{
"bucketConfig":[
{
"name":"bucket0",
"sseType":"SSE-S3"
},
{
"name":"bucket1",
"sseType":"SSE-KMS"
},
{
"name":"bucket2",
"sseType":"SSE-KMS",
"sseKey":"{{base64-encoded customer managed CMK}}"
},
{
"name":"bucket3",
"sseType":"SSE-C",
"sseKey":"{{AES256-bit, base64-encoded customer-provided encryption key}}"
},
{
"name":"bucket4,bucket5",
"sseType":"SSE-C",
"sseKey":"{{AES256-bit, base64-encoded customer-provided encryption key}}"
},
{
"name":"bucket6*",
"sseType":"SSE-C",
"sseKey":"{{AES256-bit, base64-encoded customer-provided encryption key}}"
}
]
}
}
}
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)#
Supported S3 APIs for SSE-S3 Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
Bucket Policy#
{
"Version": "2012-10-17",
"Id": "PutObjectPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "DenyUnencryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
-
Upload a test file.
aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)#
Supported APIs for SSE-KMS Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
Your IAM role should have kms:Decrypt permission when you upload or download an Amazon S3 object encrypted with an AWS KMS CMK. This is in addition to the kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions.
AWS Managed CMKs (SSE-KMS)#
Bucket Policy
{
"Version": "2012-10-17",
"Id": "PutObjectPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyUnencryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
-
Upload a test file.
aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
Customer Managed CMKs (SSE-KMS)#
Bucket Policy
{
"Version": "2012-10-17",
"Id": "PutObjectPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "RequireKMSEncryption",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
"Condition": {
"StringNotLikeIfExists": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"
}
}
},
{
"Sid": "DenyUnencryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
-
Upload a test file.
aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
Server-Side Encryption with Customer-Provided Keys (SSE-C)#
Supported APIs for SSE-C Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
- Upload Part
- Upload Part - Copy
- Complete Multipart Upload
- Get Object
-
Head Object
-
Update the privacera_aws_config.json file with bucket and SSE-C encryption key.
-
Run AWS S3 upload.
aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/ -
Run head-object.
aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt
-
Sample Keys:
| Key | Value |
|---|---|
| AES256-bit key | E1AC89EFB167B29ECC15FF75CC5C2C3A |
| Base64-encoded encryption key (sseKey) | echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl enc -base64 |
| Base64-encoded 128-bit MD5 digest of the encryption key | echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl dgst -md5 -binary | openssl enc -base64 |