S3 Encryption

Set up server-side encryption.

Configure Bucket Encryption in Dataserver

  1. Go to the Dataserver configuration directory.

    ~/privacera/docker/dataserver/conf

  2. Copy privacera_aws_config.json.template to privacera_aws_config.json (if the template file does not exist, create privacera_aws_config.json).

  3. Update the bucket name and the server-side encryption type. The supported types are SSE-S3, SSE-KMS, and SSE-C.

  4. If the encryption type is set to ‘SSE-KMS’ and a customer managed CMK is used for encryption, set the encryption key in ‘sseKey’. The encryption key should be base64 encoded.

  5. If the encryption type is set to ‘SSE-C’, then ‘sseKey’ must be set. This should be a base64 encoded encryption key.

  6. Restart Dataserver service.

Example Configuration file

{
    "aws": {
        "s3": {
            "bucketConfig": [
                {
                    "name": "bucket0",
                    "sseType": "SSE-S3"
                },
                {
                    "name": "bucket1",
                    "sseType": "SSE-KMS"
                },
                {
                    "name": "bucket2",
                    "sseType": "SSE-KMS",
                    "sseKey": "{{base64-encoded customer managed CMK}}"
                },
                {
                    "name": "bucket3",
                    "sseType": "SSE-C",
                    "sseKey": "{{AES256-bit, base64-encoded customer-provided encryption key}}"
                },
                {
                    "name": "bucket4,bucket5",
                    "sseType": "SSE-C",
                    "sseKey": "{{AES256-bit, base64-encoded customer-provided encryption key}}"
                },
                {
                    "name": "bucket6*",
                    "sseType": "SSE-C",
                    "sseKey": "{{AES256-bit, base64-encoded customer-provided encryption key}}"
                }
            ]
        }
    }
}

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Supported S3 APIs for SSE-S3 Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

  1. Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/

Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)

Supported APIs for SSE-KMS Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload

Your IAM role should have kms:Decrypt permission when you upload or download an Amazon S3 object encrypted with an AWS KMS CMK. This is in addition to the kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey permissions.

AWS Managed CMKs (SSE-KMS)

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

  1. Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-kms-encrypted-bucket}}/

Customer Managed CMKs (SSE-KMS)

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "RequireKMSEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

  1. Upload a test file.

    aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
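The three Deny statements above work together: a plain StringNotEquals condition is not satisfied by a request that carries no encryption header at all, which is why the separate Null statement is needed to block unencrypted uploads. As an added example (not from this page or from Privacera), the Python below models how those three condition operators react to the request headers of a PutObject; KEY_ARN is a placeholder, the policy is a constructed copy of the one above, and this is a teaching model of the operators, not IAM's evaluation engine.

```python
"""Added example (not part of the page or of Privacera's code): a minimal
model of the three Deny conditions in the bucket policies above. It models
only StringNotEquals, Null and StringNotLikeIfExists, and treats a context
key as present only when the request carried the matching header."""
import fnmatch

# Constructed sample: the customer-managed CMK policy with placeholders filled.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
POLICY = {"Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "RequireKMSEncryption", "Effect": "Deny",
     "Condition": {"StringNotLikeIfExists": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
    {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}

def condition_matches(operator, key, expected, context):
    """True when one condition element is satisfied by the request context."""
    actual = context.get(key)
    if operator == "Null":
        # Null/"true" is satisfied exactly when the key is absent from the request.
        return (actual is None) == (expected == "true")
    if operator == "StringNotEquals":
        # An absent key never satisfies a plain String* operator, so this
        # statement on its own would let header-less (unencrypted) uploads through.
        return actual is not None and actual != expected
    if operator == "StringNotLikeIfExists":
        # ...IfExists: an absent key makes the condition true, so the Deny applies.
        return actual is None or not fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"operator not modelled: {operator}")

def matching_denies(policy, context):
    """Return the Sids of Deny statements whose conditions are all satisfied."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conds = [(op, k, v) for op, kv in stmt["Condition"].items() for k, v in kv.items()]
        if all(condition_matches(op, k, v, context) for op, k, v in conds):
            hits.append(stmt["Sid"])
    return hits

if __name__ == "__main__":
    # Request headers become s3:* context keys; the right SSE-KMS key passes.
    ok = {"s3:x-amz-server-side-encryption": "aws:kms",
          "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}
    print(matching_denies(POLICY, ok))  # []
    print(matching_denies(POLICY, {}))  # header-less upload is denied
```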

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Supported APIs for SSE-C Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload
  • Upload Part
  • Upload Part - Copy
  • Complete Multipart Upload
  • Get Object
  • Head Object

  • Update the privacera_aws_config.json file with the bucket and the SSE-C encryption key.

  • Run an AWS S3 upload.

      aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/

  • Run head-object.

      aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt

Sample Keys:

  • AES256-bit key: E1AC89EFB167B29ECC15FF75CC5C2C3A

  • Base64-encoded encryption key (sseKey):

      echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl enc -base64

  • Base64-encoded 128-bit MD5 digest of the encryption key:

      echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl dgst -md5 -binary | openssl enc -base64
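As an added example (not Privacera's code), the Python below resolves which bucketConfig entry from a privacera_aws_config.json-style list covers a given bucket, validates that its sseKey decodes to 32 bytes, and derives the SSE-C request headers S3 expects, producing the same base64 key and MD5 values as the openssl commands above. It assumes, since the page does not spell it out, that a comma-separated "name" lists several buckets and that a trailing "*" is a wildcard; the configuration list is constructed around the page's sample key.

```python
"""Added example (not Privacera's code): resolve a bucketConfig entry and
build the SSE-C headers from its sseKey. Assumptions not stated on the page:
a comma-separated "name" lists several buckets and a trailing "*" is a
wildcard (matched here with fnmatch)."""
import base64
import fnmatch
import hashlib

# Constructed sample config shaped like the page's example file; the key is
# the page's 32-byte "AES256-bit key" sample, base64 encoded as sseKey requires.
SAMPLE_KEY = b"E1AC89EFB167B29ECC15FF75CC5C2C3A"
BUCKET_CONFIG = [
    {"name": "bucket0", "sseType": "SSE-S3"},
    {"name": "bucket4,bucket5", "sseType": "SSE-C",
     "sseKey": base64.b64encode(SAMPLE_KEY).decode()},
    {"name": "bucket6*", "sseType": "SSE-C",
     "sseKey": base64.b64encode(SAMPLE_KEY).decode()},
]

def find_bucket_entry(config, bucket):
    """Return the first entry whose name list/pattern covers `bucket`, else None."""
    for entry in config:
        for pattern in entry["name"].split(","):
            if fnmatch.fnmatchcase(bucket, pattern.strip()):
                return entry
    return None

def sse_c_headers(entry):
    """Build the three request headers S3 requires for an SSE-C object."""
    if entry.get("sseType") != "SSE-C":
        raise ValueError("entry is not configured for SSE-C")
    raw = base64.b64decode(entry["sseKey"], validate=True)
    if len(raw) != 32:  # AES-256 needs exactly 32 key bytes
        raise ValueError(f"sseKey decodes to {len(raw)} bytes, expected 32")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": entry["sseKey"],
        # same value as: openssl dgst -md5 -binary | openssl enc -base64
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(raw).digest()).decode(),
    }

if __name__ == "__main__":
    for name, hdr in sse_c_headers(find_bucket_entry(BUCKET_CONFIG, "bucket6-logs")).items():
        print(f"{name}: {hdr}")
```

A sseKey that decodes to any length other than 32 bytes, or an entry whose sseType is not SSE-C, raises ValueError before any request is built.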

Last update: July 23, 2021