AWS S3 bucket encryption
You can set up server-side encryption for an AWS S3 bucket to encrypt the objects stored in it. The supported encryption types are Amazon S3-managed keys (SSE-S3), AWS Key Management Service keys (SSE-KMS), and customer-provided keys (SSE-C). An encryption key is mandatory for SSE-C and optional for SSE-KMS; SSE-S3 requires no key. For more information, see Protecting data using server-side encryption in the AWS documentation.
Configure bucket encryption in dataserver
SSH to EC2 instance where Privacera Dataserver is installed.
Enable use of bucket encryption configuration in Privacera Dataserver.
```shell
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
vi config/custom-vars/vars.dataserver.aws.yml
```
Add the new property.
```yaml
DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE: "true"
DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING:
  - "bucketA|<encryption-type>|<base64encodedssekey>"
  - "bucketB*,BucketC|<encryption-type>|<base64encodedssekey>"
```
| Property | Description |
|---|---|
| DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE | Enables or disables AWS S3 bucket encryption support. |
| DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING | Maps S3 buckets to an encryption (SSE) type and a base64-encoded SSE key, for example `"bucketC*,BucketD\|SSE-KMS\|<base64 encoded sse key>"`. The base64-encoded key must be set when 1) the encryption type is SSE-KMS and a customer managed CMK is used for encryption, or 2) the encryption type is SSE-C. |
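As an added illustration (not Privacera's own code), the following Python parses entries in the mapping format above and resolves which SSE type and key apply to a given bucket, enforcing the key rules from the table. The bucket names and keys in SAMPLE_MAPPING are constructed placeholders, and treating `*` in a pattern such as `bucketB*` as a glob wildcard is an assumption about how the dataserver matches bucket names.

```python
import base64
import fnmatch

# Constructed sample entries in the page's "buckets|type|key" format.
# The keys are placeholders, not real key material.
SAMPLE_MAPPING = [
    "bucketA|SSE-S3|",
    "bucketB*,BucketC|SSE-KMS|",  # AWS managed CMK: key is optional
    "finance-*|SSE-KMS|" + base64.b64encode(b"<customer-cmk-id>").decode(),
    "pii-raw|SSE-C|" + base64.b64encode(b"E1AC89EFB167B29ECC15FF75CC5C2C3A").decode(),
]

VALID_TYPES = ("SSE-S3", "SSE-KMS", "SSE-C")


def parse_mapping(entries):
    """Parse entries into (bucket patterns, SSE type, base64 key or None).
    Rules from the page: SSE-C needs a key, SSE-KMS may carry one, SSE-S3 none."""
    rules = []
    for entry in entries:
        parts = [p.strip() for p in entry.split("|")]
        if len(parts) != 3:
            raise ValueError(f"expected 'buckets|type|key', got {entry!r}")
        patterns, sse_type, key = parts
        if sse_type not in VALID_TYPES:
            raise ValueError(f"unknown encryption type {sse_type!r} in {entry!r}")
        if sse_type == "SSE-C" and not key:
            raise ValueError(f"SSE-C entry {entry!r} is missing its base64 key")
        if sse_type == "SSE-S3" and key:
            raise ValueError(f"SSE-S3 entry {entry!r} must not carry a key")
        if key:
            # validate=True raises binascii.Error (a ValueError) on non-base64 input
            raw = base64.b64decode(key, validate=True)
            if sse_type == "SSE-C" and len(raw) != 32:
                raise ValueError(f"SSE-C key in {entry!r} must be 256 bits (32 bytes)")
        rules.append(([p.strip() for p in patterns.split(",")], sse_type, key or None))
    return rules


def resolve(rules, bucket):
    """Return (SSE type, key) from the first entry whose pattern matches the
    bucket, or None when the bucket has no mapping. Matching is case-sensitive,
    so 'BucketC' and 'bucketc' are different buckets, as they are in S3."""
    for patterns, sse_type, key in rules:
        if any(fnmatch.fnmatchcase(bucket, pat) for pat in patterns):
            return sse_type, key
    return None
```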
Server-side encryption with Amazon S3-Managed Keys (SSE-S3)
Supported S3 APIs for SSE-S3 Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload

Bucket Policy
```json
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```
Upload a test file.
```shell
aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
```
Server-Side encryption with CMKs stored in AWS Key Management Service (SSE-KMS)
Supported APIs for SSE-KMS Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload

Your IAM role must have the kms:Decrypt permission to upload or download an Amazon S3 object encrypted with an AWS KMS CMK, in addition to the kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions.
AWS Managed CMKs (SSE-KMS)
Bucket Policy
```json
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```
Upload a test file to the SSE-KMS bucket.
```shell
aws s3 cp myfile.txt s3://{{sse-kms-encrypted-bucket}}/
```
Customer managed CMKs (SSE-KMS)
Bucket Policy
```json
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "RequireKMSEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "StringNotLikeIfExists": { "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```
Upload a test file.
```shell
aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
```
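To see why each bucket policy above pairs a StringNotEquals statement with a Null statement, here is an added Python model (not from the page, Privacera or AWS) that evaluates the Deny conditions of the customer managed CMK policy against the headers of a PutObject request. KMS_KEY_ARN is a constructed value for the `{{aws-kms-key}}` placeholder; Principal and Resource are dropped because only the Condition logic is modelled, and the absent-key behaviour follows the AWS IAM condition-operator rules.

```python
import fnmatch
import json

# Constructed value for the page's {{aws-kms-key}} placeholder (not a real key).
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# The page's customer managed CMK policy, reduced to Sid/Effect/Action/Condition.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Action": "s3:PutObject",
   "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
  {"Sid": "RequireKMSEncryption", "Effect": "Deny", "Action": "s3:PutObject",
   "Condition": {"StringNotLikeIfExists":
     {"s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"}}},
  {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Action": "s3:PutObject",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}"""
   .replace("{{aws-kms-key}}", KMS_KEY_ARN))


def condition_matches(op, key, expected, ctx):
    """Model of the three operators the page's policies use. StringNotEquals does
    not match when the key is absent from the request, which is why the policy
    needs the separate Null statement; ...IfExists is true when the key is absent."""
    present = key in ctx
    if op == "Null":
        return present != (expected == "true")
    if op == "StringNotEquals":
        return present and ctx[key] != expected
    if op == "StringNotLikeIfExists":
        # IAM's * and ? wildcards map onto fnmatch for ARN patterns
        return not present or not fnmatch.fnmatchcase(ctx[key], expected)
    raise NotImplementedError(f"operator {op} not modelled")


def deny_reasons(policy, headers):
    """Sids of Deny statements that match a PutObject carrying the given x-amz-*
    request headers; an empty list means the policy adds no explicit deny."""
    ctx = {"s3:" + name: value for name, value in headers.items()}
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(condition_matches(op, key, expected, ctx)
               for op, pairs in stmt["Condition"].items()
               for key, expected in pairs.items()):
            hits.append(stmt["Sid"])
    return hits
```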
Server-side encryption with Customer-Provided Keys (SSE-C)
Supported APIs for SSE-C Encryption:
- PUT Object
- PUT Object - Copy
- POST Object
- Initiate Multipart Upload
- Upload Part
- Upload Part - Copy
- Complete Multipart Upload
- Get Object
- Head Object

Update the privacera_aws_config.json file with the bucket and the SSE-C encryption key.
Run the AWS S3 upload.
```shell
aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/
```
Run head-object.
```shell
aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt
```
Sample keys:

| Key | Value |
|---|---|
| AES256 key (256-bit) | `E1AC89EFB167B29ECC15FF75CC5C2C3A` |
| Base64-encoded encryption key (sseKey) | `echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" \| openssl enc -base64` |
| Base64-encoded 128-bit MD5 digest of the encryption key | `echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" \| openssl dgst -md5 -binary \| openssl enc -base64` |
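The two openssl commands in the table produce the values that travel in the SSE-C request headers. As an added Python example (not part of the page or of Privacera's code), sse_c_headers builds those headers from the page's sample key, and md5_header_matches checks that the key MD5 header is consistent with the key, the integrity check S3 performs before it uses a customer-provided key.

```python
import base64
import hashlib

SAMPLE_KEY = b"E1AC89EFB167B29ECC15FF75CC5C2C3A"  # the page's sample 256-bit key


def sse_c_headers(key: bytes) -> dict:
    """Build the SSE-C request headers for a customer-provided key. The two
    base64 values are what the table's openssl commands print: the raw key,
    and the binary MD5 digest of the key."""
    if len(key) != 32:
        raise ValueError(f"SSE-C key must be 256 bits (32 bytes), got {len(key) * 8}")
    key_b64 = base64.b64encode(key).decode()
    md5_b64 = base64.b64encode(hashlib.md5(key).digest()).decode()
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": key_b64,
        "x-amz-server-side-encryption-customer-key-MD5": md5_b64,
    }


def md5_header_matches(headers: dict) -> bool:
    """Recompute the key MD5 from the key header. A mismatch means the key was
    corrupted or re-encoded on the way, and S3 rejects such a request."""
    raw = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
    expected = base64.b64encode(hashlib.md5(raw).digest()).decode()
    return headers["x-amz-server-side-encryption-customer-key-MD5"] == expected
```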