
AWS S3 Bucket Encryption

You can set up server-side encryption for an AWS S3 bucket so that the objects stored in it are encrypted at rest. The supported encryption types are server-side encryption with Amazon S3-managed keys (SSE-S3), with keys stored in AWS Key Management Service (SSE-KMS), and with customer-provided keys (SSE-C). An encryption key is mandatory for SSE-C and optional for SSE-KMS; SSE-S3 requires no key. For more information, see Protecting data using server-side encryption in the AWS documentation.

Configure Bucket Encryption in Dataserver

  1. SSH to the EC2 instance where Privacera Dataserver is installed.

  2. Enable bucket encryption support in Privacera Dataserver.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    vi config/custom-vars/vars.dataserver.aws.yml
    

    Add the following properties.

    DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE: "true"
    DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING:
      - "bucketA|<encryption-type>|<base64 encoded sse key>"
      - "bucketB*,BucketC|<encryption-type>|<base64 encoded sse key>"
    
    Property                                 Description
    DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE     Enables or disables AWS S3 bucket encryption support in Dataserver.
    DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING    Maps S3 buckets (comma-separated names, "*" wildcard allowed) to an SSE type and a base64-encoded SSE key. For example, "bucketC*,BucketD|SSE-KMS|<base64 encoded sse key>".

    The base64-encoded encryption key must be set when: 1) the encryption type is SSE-KMS and a customer managed CMK is used, or 2) the encryption type is SSE-C. An SSE-C key is the secret that decrypts every object written with it, so protect config/custom-vars/vars.dataserver.aws.yml accordingly: restrict its file permissions and keep it out of version control.
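The mapping entries above are pipe-separated strings, and a typo in them only surfaces when Dataserver proxies a request. The following is an added example, not Privacera's own parser: it parses entries of that shape, applies the key rules from the property description (SSE-C always needs a key, SSE-KMS optionally, SSE-S3 never), checks that any key is valid base64 and that an SSE-C key decodes to 32 bytes, and resolves a bucket name to its rule. The first-match-wins, case-sensitive glob semantics and the sample entries are assumptions made for the example; the SSE-C value is the base64 form of the sample key shown later on this page.

```python
import base64
import binascii
import fnmatch

# Encryption types the page names; which of them need a key follows the
# property description above.
VALID_TYPES = {"SSE-S3", "SSE-KMS", "SSE-C"}

# Constructed sample mapping in the shape of the entries above. The SSE-C value
# is the base64 form of the page's sample key E1AC89EFB167B29ECC15FF75CC5C2C3A.
SAMPLE_MAPPING = [
    "bucketA|SSE-S3|",
    "bucketB*,BucketC|SSE-KMS|",
    "secret-*|SSE-C|RTFBQzg5RUZCMTY3QjI5RUNDMTVGRjc1Q0M1QzJDM0E=",
]


def parse_mapping(entries):
    """Parse 'bucket-patterns|sse-type|base64-key' entries into rule dicts,
    rejecting anything that could not work once Dataserver is running."""
    rules = []
    for entry in entries:
        parts = entry.split("|")
        if len(parts) != 3:
            raise ValueError(f"expected three '|'-separated fields: {entry!r}")
        patterns, sse_type, key_b64 = (p.strip() for p in parts)
        patterns = [p.strip() for p in patterns.split(",") if p.strip()]
        if not patterns:
            raise ValueError(f"no bucket pattern: {entry!r}")
        if sse_type not in VALID_TYPES:
            raise ValueError(f"unknown encryption type {sse_type!r}: {entry!r}")
        # SSE-C cannot work without the customer key; SSE-KMS needs one only for
        # a customer managed CMK, so it is optional; SSE-S3 never takes one.
        if sse_type == "SSE-C" and not key_b64:
            raise ValueError(f"SSE-C requires a base64 key: {entry!r}")
        if sse_type == "SSE-S3" and key_b64:
            raise ValueError(f"SSE-S3 takes no key, check the type: {entry!r}")
        key = None
        if key_b64:
            try:
                key = base64.b64decode(key_b64, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"key is not valid base64: {entry!r}") from exc
            # SSE-C keys are AES-256 keys, so the decoded value must be 32 bytes.
            if sse_type == "SSE-C" and len(key) != 32:
                raise ValueError(f"SSE-C key must decode to 32 bytes, got {len(key)}")
        rules.append({"patterns": patterns, "type": sse_type, "key": key})
    return rules


def rule_for_bucket(rules, bucket):
    """Return the first rule whose patterns match the bucket name, else None.

    Assumption (the page does not specify this): first match wins, '*' is a
    glob wildcard, and matching is case-sensitive.
    """
    for rule in rules:
        if any(fnmatch.fnmatchcase(bucket, pat) for pat in rule["patterns"]):
            return rule
    return None


if __name__ == "__main__":
    rules = parse_mapping(SAMPLE_MAPPING)
    for name in ("bucketA", "bucketB-logs", "BucketC", "secret-finance", "public-site"):
        rule = rule_for_bucket(rules, name)
        print(name, "->", rule["type"] if rule else "no encryption rule")
```

Run it against your own custom-vars entries before deploying; a rejected entry points at the exact string that needs fixing, and a bucket that resolves to no rule will be proxied without any encryption header.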

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Supported S3 APIs for SSE-S3 Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload

Bucket Policy

The first statement rejects uploads whose x-amz-server-side-encryption header carries any value other than AES256; the second rejects uploads that omit the header entirely. Since January 2023 Amazon S3 encrypts new objects with SSE-S3 by default, so the second statement mainly enforces that clients state the header explicitly instead of relying on the bucket default.

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
  1. Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
    

Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)

Supported APIs for SSE-KMS Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload

Your IAM role must have the kms:Decrypt permission when you upload or download an Amazon S3 object encrypted with an AWS KMS CMK. This is in addition to the kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions. Grant them on the specific key ARN rather than on all keys in the account.

AWS Managed CMKs (SSE-KMS)

Bucket Policy

This policy requires the aws:kms header value but does not pin a key, so an upload encrypted with any KMS key the uploader can use, including the AWS managed aws/s3 key, is accepted.

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
  1. Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-kms-encrypted-bucket}}/
    

Customer Managed CMKs (SSE-KMS)

Bucket Policy

In addition to the two statements used above, the RequireKMSEncryption statement rejects uploads that name a KMS key other than {{aws-kms-key}}. Set {{aws-kms-key}} to the full key ARN (arn:aws:kms:<region>:<account-id>:key/<key-id>); S3 populates this condition key with the key ARN, so a bare key ID or an alias never matches.

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "RequireKMSEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
  1. Upload a test file.

    aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
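The three policies on this page differ only in which guard-rail statements they carry, and a policy copied between buckets often loses one of them. The following is an added example, not part of Privacera's product: a small audit function that walks the Deny statements of a bucket policy, reports which SSE header value is pinned, whether header-less uploads are rejected, and which KMS key (if any) is required, and raises findings for the gaps. The sample policies, bucket name and key ARN are constructed for the example; the first mirrors the customer managed CMK policy above, the second is a weakened variant.

```python
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"
KMS_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _deny_put(sid, bucket, operator, key, value):
    """Build one Deny-on-PutObject statement in the shape used on this page."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": {operator: {key: value}}}


# Constructed samples: a made-up key ARN and bucket name. GOOD_POLICY mirrors the
# customer managed CMK policy above; WEAK_POLICY pins a bare key ID and has no
# Null statement.
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Id": "PutObjectPolicy", "Statement": [
    _deny_put("DenyIncorrectEncryptionHeader", "example-bucket", "StringNotEquals", SSE_HEADER, "aws:kms"),
    _deny_put("RequireKMSEncryption", "example-bucket", "StringNotLikeIfExists", KMS_KEY_ID, EXAMPLE_KEY_ARN),
    _deny_put("DenyUnencryptedObjectUploads", "example-bucket", "Null", SSE_HEADER, "true"),
]})
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Id": "PutObjectPolicy", "Statement": [
    _deny_put("DenyIncorrectEncryptionHeader", "example-bucket", "StringNotEquals", SSE_HEADER, "aws:kms"),
    _deny_put("RequireKMSEncryption", "example-bucket", "StringNotLikeIfExists", KMS_KEY_ID,
              "1234abcd-12ab-34cd-56ef-1234567890ab"),
]})


def audit_sse_policy(policy_json):
    """Summarise the SSE guard-rails a bucket policy's Deny statements provide.

    Only Deny statements covering s3:PutObject are considered. Returns the header
    value the policy pins, whether header-less uploads are rejected, the KMS key
    the policy pins (if any) and the findings a reviewer would raise.
    """
    policy = json.loads(policy_json)
    summary = {"algorithm": None, "denies_missing_header": False,
               "required_key_id": None, "findings": []}
    for stmt in _as_list(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Deny" or not actions & {"s3:PutObject", "s3:*"}:
            continue
        for operator, pairs in stmt.get("Condition", {}).items():
            # DenyIncorrectEncryptionHeader: pins the header value (AES256 or aws:kms).
            if operator.startswith("StringNotEquals") and SSE_HEADER in pairs:
                summary["algorithm"] = pairs[SSE_HEADER]
            # DenyUnencryptedObjectUploads: rejects requests without the header.
            if operator == "Null" and str(pairs.get(SSE_HEADER, "")).lower() == "true":
                summary["denies_missing_header"] = True
            # RequireKMSEncryption: pins the KMS key (StringNotLike/StringNotEquals, IfExists or not).
            if operator.startswith(("StringNotEquals", "StringNotLike")) and KMS_KEY_ID in pairs:
                summary["required_key_id"] = pairs[KMS_KEY_ID]
    findings = summary["findings"]
    if summary["algorithm"] is None:
        findings.append("no Deny pins the x-amz-server-side-encryption header value")
    if not summary["denies_missing_header"]:
        findings.append("no Null condition on the SSE header: the DenyUnencryptedObjectUploads guard is missing")
    key = summary["required_key_id"]
    if summary["algorithm"] == "aws:kms" and key is None:
        findings.append("no KMS key is pinned: any key, including the AWS managed aws/s3 key, is accepted")
    if key is not None and not str(key).startswith("arn:aws:kms:"):
        findings.append(f"KMS key must be given as the full key ARN, got {key!r}")
    return summary


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(label, json.dumps(audit_sse_policy(policy), indent=2))
```

Feed it the output of aws s3api get-bucket-policy (the Policy field is a JSON string) to check a deployed bucket; the "any key is accepted" finding is expected for the AWS managed CMK policy and is a defect only where a customer managed CMK was intended.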
    

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Supported APIs for SSE-C Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload
  • Upload Part
  • Upload Part - Copy
  • Complete Multipart Upload
  • Get Object
  • Head Object

  • Update the privacera_aws_config.json file with the bucket and the SSE-C encryption key.

    • Run AWS S3 upload.

      aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/
      
    • Run head-object.

      aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt
      

Sample Keys:

    Key                                                    Value
    AES256-bit key (32 bytes)                              E1AC89EFB167B29ECC15FF75CC5C2C3A
    Base64-encoded encryption key (sseKey)                 echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl enc -base64
    Base64-encoded 128-bit MD5 digest of the key           echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl dgst -md5 -binary | openssl enc -base64

The 32 ASCII characters of the sample key are the key material itself (32 bytes, 256 bits); do not hex-decode them, which would yield a 16-byte key that S3 rejects. These values are samples only: generate production keys from a cryptographically secure random source, and note that a key made only of hex characters carries at most 128 bits of entropy.
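The table above derives the two SSE-C header values with openssl. As an added example (not Privacera's code), the following builds the same values in Python from a raw 32-byte key, verifies a key/MD5 pair the way S3 does on receipt, and shows the hex-decoding pitfall on the page's sample key. The header names are the standard SSE-C request headers; the sample key is the one from the table, and generate_sse_c_key is the example's own helper.

```python
import base64
import hashlib
import os

# The page's sample key: 32 ASCII characters used as the raw 32-byte key.
SAMPLE_KEY = b"E1AC89EFB167B29ECC15FF75CC5C2C3A"


def generate_sse_c_key():
    """Return a fresh 256-bit key from the OS CSPRNG (use this, not the sample)."""
    return os.urandom(32)


def sse_c_headers(key):
    """Build the three SSE-C request headers for a raw 32-byte key.

    Raises ValueError for any other length: an AES-256 key is exactly 32 bytes,
    and S3 rejects SSE-C requests whose decoded key is a different size.
    """
    if len(key) != 32:
        raise ValueError(f"SSE-C key must be 32 bytes, got {len(key)}")
    # Same as: echo -n "<key>" | openssl enc -base64
    key_b64 = base64.b64encode(key).decode("ascii")
    # Same as: echo -n "<key>" | openssl dgst -md5 -binary | openssl enc -base64
    md5_b64 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": md5_b64,
    }


def verify_key_md5(key_b64, md5_b64):
    """Re-derive the MD5 from the base64 key and compare it with the sent digest.

    S3 performs this check on receipt; it catches a key corrupted in transit or a
    digest computed over the wrong bytes (e.g. over the base64 text instead of the
    raw key). Returns False for malformed base64 rather than raising.
    """
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii") == md5_b64


def hex_decoded_key_length(key_text):
    """Show the pitfall: hex-decoding the 32-character sample yields only 16 bytes."""
    return len(bytes.fromhex(key_text))


if __name__ == "__main__":
    for name, value in sse_c_headers(SAMPLE_KEY).items():
        print(f"{name}: {value}")
    print("hex-decoded sample key length:", hex_decoded_key_length(SAMPLE_KEY.decode()))
```

When a client talks to S3 directly rather than through Dataserver, the same three values go on the request as the --sse-customer-algorithm, --sse-customer-key and --sse-customer-key-md5 parameters of aws s3api put-object; the MD5 here is an integrity check on the key, not a security control, and it is the only way S3 can tell you sent the bytes you meant to.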