
AWS S3 Bucket Encryption

You can set up server-side encryption for an AWS S3 bucket to encrypt the objects stored in it. The supported encryption types are Amazon S3-managed keys (SSE-S3), AWS Key Management Service (SSE-KMS), and customer-provided keys (SSE-C). An encryption key is mandatory for SSE-C and optional for SSE-KMS; SSE-S3 requires no key. For more information, see Protecting data using server-side encryption in the AWS documentation.

Configure Bucket Encryption in Dataserver

  1. SSH to the EC2 instance where Privacera Dataserver is installed.

  2. Enable use of bucket encryption configuration in Privacera Dataserver.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    vi config/custom-vars/vars.dataserver.aws.yml
    

    Add the following properties.

    DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE: "true"
    DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING:
      - "bucketA|<encryption-type>|<base64 encoded sse key>"
      - "bucketB*,BucketC|<encryption-type>|<base64 encoded sse key>"
    
    Property                               Description
    DATA_SERVER_AWS_S3_ENCRYPTION_ENABLE   Enables or disables AWS S3 bucket encryption support in Dataserver.
    DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING  Maps S3 buckets to their SSE encryption type and base64-encoded SSE key, one entry per line in the form "<buckets>|<encryption-type>|<base64 encoded sse key>". For example, "bucketC*,BucketD|SSE-KMS|<base64 encoded sse key>".

    The base64-encoded encryption key must be set in the following cases: 1) the encryption type is SSE-KMS and a customer managed CMK is used for encryption; 2) the encryption type is SSE-C.
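As an added example (not Privacera's code, and not on the original page), a small Python parser for the mapping format above. It assumes that "," separates bucket patterns and that "*" is a glob wildcard, enforces the key rules from the table (key required for SSE-C, optional for SSE-KMS, not needed for SSE-S3), and uses the sample key from the SSE-C section of this page as the SSE-C entry.

```python
import base64
import fnmatch

# Key rules from the property table above: SSE-C needs a key, SSE-KMS may
# carry one (customer managed CMK), SSE-S3 needs none.
KEY_RULE = {"SSE-C": "required", "SSE-KMS": "optional", "SSE-S3": "none"}

def parse_mapping(entries):
    """Parse DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING entries shaped
    "<bucket patterns>|<encryption-type>|<base64 encoded sse key>" into
    (patterns, sse_type, key_b64) rules, rejecting malformed ones."""
    rules = []
    for entry in entries:
        fields = entry.split("|")
        if len(fields) != 3:
            raise ValueError(f"expected 3 '|' separated fields: {entry!r}")
        patterns = [p.strip() for p in fields[0].split(",") if p.strip()]
        sse_type, key_b64 = fields[1].strip(), fields[2].strip()
        if not patterns or sse_type not in KEY_RULE:
            raise ValueError(f"bad bucket list or encryption type: {entry!r}")
        if KEY_RULE[sse_type] == "required" and not key_b64:
            raise ValueError(f"{sse_type} requires a base64 key: {entry!r}")
        if key_b64:
            raw = base64.b64decode(key_b64, validate=True)  # reject non-base64
            if sse_type == "SSE-C" and len(raw) != 32:       # SSE-C is AES-256
                raise ValueError(f"SSE-C key must be 32 bytes, got {len(raw)}")
        rules.append((patterns, sse_type, key_b64))
    return rules

def lookup(rules, bucket):
    """Return (sse_type, key_b64) from the first rule matching the bucket name
    (assumption: '*' is a glob wildcard, matching is case-sensitive), else None."""
    for patterns, sse_type, key_b64 in rules:
        if any(fnmatch.fnmatchcase(bucket, pat) for pat in patterns):
            return sse_type, key_b64
    return None

# Constructed sample configuration; the SSE-C key is the sample key from the
# SSE-C section of this page, base64-encoded as the table there shows.
SAMPLE_KEY_B64 = base64.b64encode(b"E1AC89EFB167B29ECC15FF75CC5C2C3A").decode()
SAMPLE_MAPPING = [
    "bucketA|SSE-S3|",
    "bucketB*,BucketC|SSE-KMS|",
    "secret-*|SSE-C|" + SAMPLE_KEY_B64,
]
RULES = parse_mapping(SAMPLE_MAPPING)

if __name__ == "__main__":
    for name in ("bucketA", "bucketB-logs", "BucketC", "secret-reports", "other"):
        print(name, "->", lookup(RULES, name))
```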

Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Supported S3 APIs for SSE-S3 Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-s3-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

  1. Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-s3-encrypted-bucket}}/
    

Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS)

Supported APIs for SSE-KMS Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload

The IAM role you use to upload or download an Amazon S3 object encrypted with an AWS KMS CMK needs the kms:Decrypt permission, in addition to kms:ReEncrypt, kms:GenerateDataKey, and kms:DescribeKey.

AWS Managed CMKs (SSE-KMS)

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

  1. Upload a test file.

    aws s3 cp myfile.txt s3://{{sse-kms-encrypted-bucket}}/
    

Customer Managed CMKs (SSE-KMS)

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Sid": "RequireKMSEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "StringNotLikeIfExists": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "{{aws-kms-key}}"
                }
            }
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{{sse-kms-encrypted-bucket}}/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

  1. Upload a test file.

    aws s3 cp privacera_aws.sh s3://{{sse-kms-encrypted-bucket}}/
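As an added example (not from the page and not Privacera's code), a Python check of what the customer managed CMK bucket policy above actually denies. It models the three Deny statements and AWS's documented treatment of absent condition keys, then runs sample PutObject request contexts through them; the key ARN is a constructed placeholder standing in for {{aws-kms-key}}.

```python
import fnmatch

# Condition keys used by the bucket policies on this page.
SSE = "s3:x-amz-server-side-encryption"
KMS_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"

# Placeholder standing in for {{aws-kms-key}} (constructed, not a real key ARN).
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

# The three Deny statements of the customer managed CMK policy, reduced to
# (Sid, operator, condition key, expected value), in policy order.
STATEMENTS = [
    ("DenyIncorrectEncryptionHeader", "StringNotEquals", SSE, "aws:kms"),
    ("RequireKMSEncryption", "StringNotLikeIfExists", KMS_KEY_ID, KMS_KEY_ARN),
    ("DenyUnencryptedObjectUploads", "Null", SSE, "true"),
]

def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition against the request context (dict of the s3:*
    condition keys a PutObject carries). Only the three operators the policy
    uses are modelled, with the documented missing-key behaviour: a plain
    string operator is false when the key is absent, an ...IfExists operator
    is true when it is absent, and Null tests for absence itself."""
    value = ctx.get(key)
    if operator == "Null":
        return (value is None) == (expected == "true")
    if value is None:
        return operator.endswith("IfExists")
    if operator == "StringNotEquals":
        return value != expected
    if operator == "StringNotLikeIfExists":
        return not fnmatch.fnmatchcase(value, expected)  # '*' and '?' as in IAM
    raise ValueError(f"operator not modelled: {operator}")

def denying_statements(ctx):
    """Sids of every Deny statement whose condition matches the request;
    an empty list means the PutObject passes the bucket policy."""
    return [sid for sid, op, key, expected in STATEMENTS
            if condition_matches(op, key, expected, ctx)]

if __name__ == "__main__":
    cases = {
        "no SSE header": {},
        "SSE-S3 (AES256)": {SSE: "AES256"},
        "SSE-KMS, other key": {SSE: "aws:kms", KMS_KEY_ID: KMS_KEY_ARN.replace("PLACEHOLDER", "OTHER")},
        "SSE-KMS, required key": {SSE: "aws:kms", KMS_KEY_ID: KMS_KEY_ARN},
    }
    for name, ctx in cases.items():
        print(f"{name:22s} -> {denying_statements(ctx) or 'allowed'}")
```

The SSE-S3 and AWS managed CMK policies are the same evaluation with only the first and last statement, so the Null statement is what catches an upload that omits the header entirely.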
    

Server-Side Encryption with Customer-Provided Keys (SSE-C)

Supported APIs for SSE-C Encryption:

  • PUT Object
  • PUT Object - Copy
  • POST Object
  • Initiate Multipart Upload
  • Upload Part
  • Upload Part - Copy
  • Complete Multipart Upload
  • Get Object
  • Head Object

  1. Update the privacera_aws_config.json file with the bucket and the SSE-C encryption key.

  2. Run an AWS S3 upload.

    aws s3 cp myfile.txt s3://{{sse-c-encrypted-bucket}}/

  3. Run head-object on the uploaded file.

    aws s3api head-object --bucket {{sse-c-encrypted-bucket}} --key myfile.txt
      

Sample Keys:

  AES 256-bit key:
    E1AC89EFB167B29ECC15FF75CC5C2C3A

  Base64-encoded encryption key (sseKey):
    echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl enc -base64

  Base64-encoded 128-bit MD5 digest of the encryption key:
    echo -n "E1AC89EFB167B29ECC15FF75CC5C2C3A" | openssl dgst -md5 -binary | openssl enc -base64
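As an added example (not from the page or from Privacera), the same derivation in Python: it turns the sample key above into the three SSE-C request headers (the standard S3 header names are assumed knowledge, not shown on this page), and validates a base64 sseKey before it is placed in the mapping so that a wrong-length key fails locally rather than at S3.

```python
import base64
import hashlib

# The sample 256-bit key from the table above: 32 ASCII characters used as raw bytes.
SAMPLE_KEY = b"E1AC89EFB167B29ECC15FF75CC5C2C3A"

def ssec_headers(key: bytes) -> dict:
    """Derive the three SSE-C request headers from a raw 256-bit key. The key
    and key-MD5 values are what the two openssl commands above produce; the
    header names are the standard S3 SSE-C headers (not shown on this page)."""
    if len(key) != 32:
        raise ValueError(f"SSE-C requires a 256-bit key, got {len(key) * 8} bits")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }

def key_from_sse_key(sse_key_b64: str) -> bytes:
    """Recover the raw key from the base64 sseKey value stored in
    DATA_SERVER_AWS_S3_ENCRYPTION_MAPPING, rejecting anything that is not
    valid base64 or not exactly 32 bytes (a truncated key fails here, not at S3)."""
    key = base64.b64decode(sse_key_b64, validate=True)
    if len(key) != 32:
        raise ValueError(f"decoded sseKey is {len(key)} bytes, expected 32")
    return key

if __name__ == "__main__":
    for name, value in ssec_headers(SAMPLE_KEY).items():
        print(f"{name}: {value}")
```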