Privacera Platform master publication

AWS S3 bucket encryption


You can set up server-side encryption for an AWS S3 bucket to encrypt the objects stored in it. Supported encryption types are Amazon S3-managed keys (SSE-S3), AWS Key Management Service (SSE-KMS), and Customer-Provided Keys (SSE-C). An encryption key is mandatory for the encryption type SSE-C and optional for SSE-KMS. No encryption key is required for SSE-S3. For more information, see Protecting data using server-side encryption in the AWS documentation.

Configure bucket encryption in dataserver

  1. SSH to the EC2 instance where Privacera Dataserver is installed.

  2. Enable use of bucket encryption configuration in Privacera Dataserver.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    vi config/custom-vars/vars.dataserver.aws.yml
    

    Add the new property.

    DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE: "true"
    DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING:
      - "bucketA|<encryption-type>|<base64encodedssekey>"
      - "bucketB*,BucketC|<encryption-type>|<base64encodedssekey>"
    

    Property: DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE
    Description: Enables or disables AWS S3 bucket encryption support in Dataserver.

    Property: DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING
    Description: Mapping of S3 buckets to the SSE encryption type and the base64-encoded SSE key. Each entry has the form "<bucket>[,<bucket>...]|<encryption-type>|<base64 encoded sse key>"; a bucket pattern may end in "*". For example, "bucketC*,BucketD|SSE-KMS|<base64 encoded sse key>".
    The base64-encoded encryption key must be set in the following cases: 1) the encryption type is SSE-KMS and a customer managed CMK is used for encryption; 2) the encryption type is SSE-C.
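As an added illustration (not part of the Privacera documentation or product code), the following Python resolves a bucket name against entries written in the DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING format and rejects misconfigured entries before any upload is attempted. It assumes that "*" is a glob wildcard, that bucket matching is case-sensitive, that the key field may be left empty or omitted for SSE-S3, and that the bucket names and the KMS key value are constructed samples.

```python
import base64
import fnmatch

# Constructed sample entries in the DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING format;
# bucket names and the KMS key value are made up, the SSE-C key is the page's sample key.
SAMPLE_MAPPING = [
    "bucketA|SSE-S3|",
    "bucketB*,BucketC|SSE-KMS|"
    + base64.b64encode(b"arn:aws:kms:us-east-1:111122223333:key/example-key-id").decode(),
    "secret-*|SSE-C|" + base64.b64encode(b"E1AC89EFB167B29ECC15FF75CC5C2C3A").decode(),
]

VALID_TYPES = {"SSE-S3", "SSE-KMS", "SSE-C"}


def parse_mapping(entries):
    """Parse "pattern[,pattern]|<encryption-type>|<base64 key>" entries into
    (patterns, sse_type, key) tuples, failing at startup on a bad entry
    instead of at the first upload that hits the bucket."""
    parsed = []
    for entry in entries:
        fields = [f.strip() for f in entry.split("|")]
        if len(fields) not in (2, 3):  # assumption: the key field may be omitted
            raise ValueError(f"expected bucket|type[|key]: {entry!r}")
        patterns, sse_type = fields[0], fields[1]
        key = fields[2] if len(fields) == 3 else ""
        if sse_type not in VALID_TYPES:
            raise ValueError(f"unknown encryption type {sse_type!r} in {entry!r}")
        if sse_type == "SSE-C" and not key:
            raise ValueError(f"SSE-C requires a base64 encoded key: {entry!r}")
        if sse_type == "SSE-S3" and key:
            raise ValueError(f"SSE-S3 takes no key: {entry!r}")
        if key:
            raw = base64.b64decode(key, validate=True)  # raises ValueError on bad base64
            if sse_type == "SSE-C" and len(raw) != 32:
                raise ValueError(f"SSE-C key must decode to 32 bytes (256 bits): {entry!r}")
        pattern_list = [p.strip() for p in patterns.split(",") if p.strip()]
        parsed.append((pattern_list, sse_type, key))
    return parsed


def resolve_bucket(bucket, parsed):
    """Return (sse_type, key) from the first entry whose pattern matches, else None.
    Assumption: '*' is a glob wildcard and matching is case-sensitive."""
    for patterns, sse_type, key in parsed:
        if any(fnmatch.fnmatchcase(bucket, pat) for pat in patterns):
            return sse_type, key
    return None
```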

Server-side encryption with Amazon S3-Managed Keys (SSE-S3)

Supported S3 APIs for SSE-S3 Encryption:

  • PUT Object

  • PUT Object - Copy

  • POST Object

  • Initiate Multipart Upload

Bucket Policy

    {
      "Version": "2012-10-17",
      "Id": "PutObjectPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "AES256"
            }
          }
        },
        {
          "Sid": "DenyUnencryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }

  • Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
    

Server-Side encryption with CMKs stored in AWS Key Management Service (SSE-KMS)

Supported APIs for SSE-KMS Encryption:

  • PUT Object

  • PUT Object - Copy

  • POST Object

  • Initiate Multipart Upload

Your IAM role should have kms:Decrypt permission when you upload or download an Amazon S3 object encrypted with an AWS KMS CMK. This is in addition to the kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions.

AWS Managed CMKs (SSE-KMS)

Bucket Policy

    {
      "Version": "2012-10-17",
      "Id": "PutObjectPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "aws:kms"
            }
          }
        },
        {
          "Sid": "DenyUnencryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }

  • Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-kms-encrypted-bucket}}/
    
Customer managed CMKs (SSE-KMS)

Bucket Policy

    {
      "Version": "2012-10-17",
      "Id": "PutObjectPolicy",
      "Statement": [
        {
          "Sid": "DenyIncorrectEncryptionHeader",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
          "Condition": {
            "StringNotEquals": {
              "s3:x-amz-server-side-encryption": "aws:kms"
            }
          }
        },
        {
          "Sid": "RequireKMSEncryption",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
          "Condition": {
            "StringNotLikeIfExists": {
              "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"
            }
          }
        },
        {
          "Sid": "DenyUnencryptedObjectUploads",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
          "Condition": {
            "Null": {
              "s3:x-amz-server-side-encryption": "true"
            }
          }
        }
      ]
    }

  • Upload a test file.

    aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
    

Server-side encryption with Customer-Provided Keys (SSE-C)

Supported APIs for SSE-C Encryption:

  • PUT Object

  • PUT Object - Copy

  • POST Object

  • Initiate Multipart Upload

  • Upload Part

  • Upload Part - Copy

  • Complete Multipart Upload

  • Get Object

  • Head Object

  • Update the privacera_aws_config.json file with bucket and SSE-C encryption key.

    • Run AWS S3 upload.

      aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/
      
    • Run head-object.

      aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt
      

Sample keys:

    Key: AES 256-bit key
    Value: E1AC89EFB167B29ECC15FF75CC5C2C3A

    Key: Base64-encoded encryption key (sseKey)
    Value: echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl enc -base64

    Key: Base64-encoded 128-bit MD5 digest of the encryption key
    Value: echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl dgst -md5 -binary | openssl enc -base64
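The two openssl commands above produce the values S3 expects in the SSE-C request headers. The following Python, added here as an illustration and not part of the Privacera documentation or product, derives those headers from the page's sample key and checks that a key/MD5 pair is consistent in the way S3 validates it before accepting the request. The header names are the standard S3 SSE-C headers; the two functions are hypothetical names chosen for this example.

```python
import base64
import hashlib

# The page's sample 256-bit SSE-C key: 32 ASCII bytes.
SAMPLE_KEY = b"E1AC89EFB167B29ECC15FF75CC5C2C3A"

KEY_HDR = "x-amz-server-side-encryption-customer-key"
MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"
ALG_HDR = "x-amz-server-side-encryption-customer-algorithm"


def ssec_headers(raw_key: bytes) -> dict:
    """Build the SSE-C request headers from a raw 256-bit key, mirroring the
    two openssl commands: base64(key) and base64(md5(key))."""
    if len(raw_key) != 32:
        raise ValueError(f"SSE-C key must be exactly 32 bytes, got {len(raw_key)}")
    return {
        ALG_HDR: "AES256",
        KEY_HDR: base64.b64encode(raw_key).decode(),
        MD5_HDR: base64.b64encode(hashlib.md5(raw_key).digest()).decode(),
    }


def ssec_headers_consistent(headers: dict) -> bool:
    """Check a header set the way S3 does: the MD5 header must equal the MD5 of the
    decoded key, which catches a key corrupted or truncated in configuration."""
    try:
        key = base64.b64decode(headers[KEY_HDR], validate=True)
        sent_md5 = base64.b64decode(headers[MD5_HDR], validate=True)
    except (KeyError, ValueError):  # missing header or invalid base64
        return False
    if headers.get(ALG_HDR) != "AES256" or len(key) != 32:
        return False
    return hashlib.md5(key).digest() == sent_md5
```

S3 accepts SSE-C headers only over HTTPS, since the key itself travels in the request.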