Good news from AWS S3 🎉
Hey! This is Pranjal from Engineering Diary.
Here's what I got for you today:
AWS started encrypting all new S3 objects by default
- AWS - Amazon Web Services
- S3 - Simple Storage Service
- S3 Object - A file of any kind
- S3 Bucket - Collection of S3 objects
- SSE - Server-Side Encryption

Previously, when creating a new S3 bucket, one had to choose in the settings whether to encrypt data at rest. Now AWS encrypts new objects created in S3 by default.

When an object is created in S3, AWS generates a unique key, encrypts the data with that key, and then encrypts the key with a root key. So even someone with access to the S3 database at AWS cannot see the contents without the root key.
SSE-S3 uses Advanced Encryption Standard (AES) encryption with 256-bit keys managed by AWS.
One BIG WIN is that companies using the S3 service now automatically meet the compliance requirements without any additional tools.
There are three types of encryption:
- SSE-S3 - The new default encryption.
- SSE-C (Customer provides encryption keys) - With every request to put or retrieve an S3 object, the customer provides an encryption key. AWS takes care of everything else. Once the object is encrypted/decrypted, AWS removes the encryption key from its memory.
- SSE-KMS (AWS Key Management Service) - One can create and manage keys in AWS with different access permissions.
To have an additional layer of encryption, one can encrypt the file at the client side as well.
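
To make the three modes concrete, here is an added example (not from the original post) that builds the S3 REST API request headers selecting each mode and classifies the mode S3 reports back on a response. The function names, the key alias `alias/example-key` and the sample key are constructed for illustration.

```python
import base64
import hashlib
import os


def sse_request_headers(mode, kms_key_id=None, customer_key=None):
    """Build the S3 REST request headers that select one SSE mode for a PUT."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omit to use the account's AWS managed key for S3
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The key travels with every request, so it must be exactly 256 bits.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 32-byte key")
        digest = hashlib.md5(customer_key, usedforsecurity=False).digest()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            # S3 uses this digest only to detect a key corrupted in transit.
            "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(digest).decode(),
        }
    raise ValueError(f"unknown mode: {mode}")


def classify_response(headers):
    """Name the SSE mode that S3 reports in PUT/HEAD response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-amz-server-side-encryption-customer-algorithm" in h:
        return "SSE-C"
    return {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}.get(
        h.get("x-amz-server-side-encryption"), "unrecognized")


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key, generated locally
    for mode, kwargs in [("SSE-S3", {}),
                         ("SSE-KMS", {"kms_key_id": "alias/example-key"}),  # placeholder
                         ("SSE-C", {"customer_key": key})]:
        print(mode, sorted(sse_request_headers(mode, **kwargs)))
    # Constructed response headers, as for an object written with no SSE header
    print(classify_response({"x-amz-server-side-encryption": "AES256"}))
```

With SSE-C the key itself is in the request, so these headers must only ever be sent over HTTPS, and losing the key means losing the object.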
Question 1 - Which encryption type would you choose for your S3 Object and why?
Question 2 - Which combination of the above methods is most secure and why?
Please reply with an answer :)
That's a wrap for today. Stay thirsty & see ya soon!
If you have any suggestions or questions, I would love to hear from you.
Please share with your friends and colleagues.