Amazon S3 Encryption

Protecting data using server-side encryption with AWS KMS-managed keys (SSE-KMS)

The key points of SSE-KMS are:

  • You can choose to create and manage the encryption keys yourself, or you can use the default service key, which is generated uniquely for each customer, per service and per region.

  • The ETag in the response is not the MD5 of the object data.

  • The data keys used to encrypt your data are themselves encrypted and stored alongside the data they protect.

  • Auditable master keys can be created, rotated, and disabled from the AWS KMS console.

  • The security controls in AWS KMS can help you meet encryption-related compliance requirements.

Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

Server-side encryption protects data at rest. Amazon S3 encrypts each object with a unique key. As additional protection, it encrypts that key itself with a master key that it rotates regularly. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

If you need server-side encryption for all objects stored in a bucket, use a bucket policy. For example, the following bucket policy denies permission to upload an object unless the request includes the x-amz-server-side-encryption header requesting server-side encryption.
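The policy itself is not reproduced on this page, so the following is an added example (not the page's own text): a bucket policy in the shape AWS documents for this purpose, with two Deny statements for s3:PutObject, one that fires when the x-amz-server-side-encryption header is absent and one that fires when it carries a value other than AES256, together with a small, simplified evaluator that shows which statements deny a given request. The bucket name and the condition-evaluation model are assumptions of the example.

```python
import json

# Constructed bucket policy (bucket name is a placeholder). "Null" catches a missing
# SSE header; "StringNotEquals" catches a header that does not request SSE-S3 (AES256).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
  ]
}
""")


def _condition_matches(operator, key, expected, context):
    """Simplified model of two IAM condition operators (an assumption, not the IAM engine)."""
    present = key in context
    if operator == "Null":
        # Null/"true" matches when the key is absent; Null/"false" when it is present.
        return present != (expected == "true")
    if operator == "StringNotEquals":
        # Negated operator: modelled as matching when the key is absent.
        return not present or context[key] != expected
    raise ValueError(f"operator {operator} is not modelled")


def denying_statements(policy, action, headers):
    """Return the Sids of the Deny statements whose conditions match the request.

    headers: the request's HTTP headers. The x-amz-server-side-encryption header is
    mapped onto the s3:x-amz-server-side-encryption condition key, as S3 does.
    """
    context = {}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        conditions = [(op, k, v) for op, kv in stmt["Condition"].items() for k, v in kv.items()]
        if all(_condition_matches(op, k, v, context) for op, k, v in conditions):
            hits.append(stmt["Sid"])
    return hits
```

A PutObject with no SSE header or with a non-AES256 value is denied, while a request carrying x-amz-server-side-encryption: AES256 passes both statements.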

Protecting data using server-side encryption with customer-provided encryption keys (SSE-C)

Server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys. Using the encryption key you provide as part of the request, Amazon S3 manages the encryption as it writes the object to disk and the decryption when you access it. Therefore, you do not need to maintain any code to perform data encryption and decryption. All you need to manage are the encryption keys that you provide.

Amazon S3 does not store the encryption key that you provide; instead, it stores a randomly salted HMAC value of the key in order to validate future requests. The salted HMAC value cannot be used to derive the encryption key or to decrypt the contents of the encrypted object. This means that if you lose your encryption key, the object is lost.

Important points about SSE-C are:

  • You must use HTTPS.

    Important

    When using SSE-C, Amazon S3 rejects any request submitted over HTTP. For security reasons, we recommend that you consider any key you mistakenly send over HTTP to be leaked. You should discard the key and rotate it if necessary.

  • The ETag in the response is not the MD5 of the object data.

  • You manage the mapping of which encryption key is used to encrypt which object. Amazon S3 does not store the encryption keys. You are responsible for tracking which encryption key you provided for which object.

    • If your bucket has versioning enabled, each version of an object you upload using this feature may have its own encryption key. You are responsible for tracking which encryption key was used for which version of the object.

    • Because you manage the encryption keys on the client side, you also manage any additional safeguards, such as key rotation, on the client side.

    Caveat

    If you lose your encryption key, any GET request for an object that is made without its encryption key will fail, and you lose the object.

Source: www.cnblogs.com/cloudrivers/p/11258401.html