SlideShare a Scribd company logo
1 of 10
AWS S3 Security Considerations
Omid Vahdaty, Big Data ninja
Concepts
● protecting data while
○ in-transit (as it travels to and from Amazon S3) , 2 ways:
■ by using SSL
■ client-side encryption.
○ at rest (while it is stored on disks in Amazon S3 data centers) 2 ways:
■ Server Side encryption. (SSE)
■ client-side encryption.
Encryption Types
● Server Side
○ encrypt your object before saving it on S3 disks
○ decrypt it when you download the objects from S3.
● Client Side
○ Client-side encryption refers to encrypting data before sending it to Amazon S3
■ Use an AWS KMS-managed customer master key
■ Use a client-side master key
■ Disadvantage: Less matching the AWS ecosystem. You need to manage keys.
Client side master key
● Your client-side master keys and your unencrypted data are never sent to AWS
● manage your own encryption keys
● If you lose them, you won't be able to decrypt your data.
● When uploading an object
○ You provide a client-side master key to the Amazon S3 encryption client
○ for each object,encryption client locally generates a one-time-use symmetric key
○ The client uploads the encrypted data key and its material description as part of the object metadata
○ The material description helps the client later determine which client-side master key to use for decryption
○ The client then uploads the encrypted data to Amazon S3 and also saves the encrypted data key as object
metadata
● When downloading an object
○ The client first downloads the encrypted object from Amazon S3 along with the metadata
○ Using the material description in the metadata, the client first determines which master key to use to decrypt
○ the encrypted data key.
Client Side KMS–Managed Customer Master
Key (CMK)
● you provide only an AWS KMS customer master key ID (CMK ID)
● you don't have to worry about providing any encryption keys to the Amazon S3 encryption client (for example, the
AmazonS3EncryptionClient in the AWS SDK for Java). 2options
○ A plain text version
○ A cipher blob
● unique data encryption key for each object it uploads.
Server Side Encryption (SSE)
● Server-side encryption is about data encryption at rest
○ Amazon S3 encrypts your data at the object level as it writes it to disks
○ decrypts it for you when you access it.
○ As long as you authenticate your request and you have access permissions
○ You can't apply different types of server-side encryption to the same object simultaneously.
● 3 methods
○ Server-Side Encryption with Customer-Provided Keys (SSE-C)
■ You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and
decryption, when you access your objects
○ S3-Managed Keys (SSE-S3)
○ AWS KMS-Managed Keys (SSE-KMS)
S3-Managed Keys (SSE-S3)
● Each object is encrypted with a unique key employing strong multi-factor encryption
● it encrypts the key itself with a master key that it regularly rotates
● 256-bit Advanced Encryption Standard (AES-256), to encrypt
AWS KMS-Managed Keys (SSE-KMS)
● Similar to SSE-S3
● There are separate permissions for the use of an envelope key (that is, a key that protects your data's encryption
key)
● provides you with an audit trail of when your key was used and by whom
● you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the
service you're using, and the region you're working in.
Additional Safeguards
1. VPN (site to site)
2. Identity
3. IP ACL
4. Write Only permissions.
Security Diagram
Destination
AWS S3
Source
Datacenter
(secured)
Data in Transit
Client side encryption
or
HTTPS / SSL
Data at Rest
(Server/Client side encryption)

More Related Content

What's hot

30분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 2018
30분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 201830분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 2018
30분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 2018
Amazon Web Services Korea
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
Simplilearn
 

What's hot (20)

AWS IAM and security
AWS IAM and securityAWS IAM and security
AWS IAM and security
 
Deep Dive on Amazon S3
Deep Dive on Amazon S3Deep Dive on Amazon S3
Deep Dive on Amazon S3
 
Object Storage: Amazon S3 and Amazon Glacier
Object Storage: Amazon S3 and Amazon GlacierObject Storage: Amazon S3 and Amazon Glacier
Object Storage: Amazon S3 and Amazon Glacier
 
AWS Storage Services - AWS Presentation - AWS Cloud Storage for the Enterpris...
AWS Storage Services - AWS Presentation - AWS Cloud Storage for the Enterpris...AWS Storage Services - AWS Presentation - AWS Cloud Storage for the Enterpris...
AWS Storage Services - AWS Presentation - AWS Cloud Storage for the Enterpris...
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
Deep Dive on Amazon S3 - AWS Online Tech Talks
Deep Dive on Amazon S3 - AWS Online Tech TalksDeep Dive on Amazon S3 - AWS Online Tech Talks
Deep Dive on Amazon S3 - AWS Online Tech Talks
 
Internal Architecture of Amazon Aurora (Level 400) - 발표자: 정달영, APAC RDS Speci...
Internal Architecture of Amazon Aurora (Level 400) - 발표자: 정달영, APAC RDS Speci...Internal Architecture of Amazon Aurora (Level 400) - 발표자: 정달영, APAC RDS Speci...
Internal Architecture of Amazon Aurora (Level 400) - 발표자: 정달영, APAC RDS Speci...
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
AWS S3 Tutorial For Beginners | Edureka
AWS S3 Tutorial For Beginners | EdurekaAWS S3 Tutorial For Beginners | Edureka
AWS S3 Tutorial For Beginners | Edureka
 
30분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 2018
30분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 201830분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 2018
30분만에 만드는 AWS 기반 빅데이터 분석 애플리케이션::안효빈::AWS Summit Seoul 2018
 
AWS re:Invent 2016: Workshop: AWS S3 Deep-Dive Hands-On Workshop: Deploying a...
AWS re:Invent 2016: Workshop: AWS S3 Deep-Dive Hands-On Workshop: Deploying a...AWS re:Invent 2016: Workshop: AWS S3 Deep-Dive Hands-On Workshop: Deploying a...
AWS re:Invent 2016: Workshop: AWS S3 Deep-Dive Hands-On Workshop: Deploying a...
 
(STG401) Amazon S3 Deep Dive & Best Practices
(STG401) Amazon S3 Deep Dive & Best Practices(STG401) Amazon S3 Deep Dive & Best Practices
(STG401) Amazon S3 Deep Dive & Best Practices
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
 
[NEW LAUNCH!] Introduction to AWS Global Accelerator (NET330) - AWS re:Invent...
[NEW LAUNCH!] Introduction to AWS Global Accelerator (NET330) - AWS re:Invent...[NEW LAUNCH!] Introduction to AWS Global Accelerator (NET330) - AWS re:Invent...
[NEW LAUNCH!] Introduction to AWS Global Accelerator (NET330) - AWS re:Invent...
 
Storage with Amazon S3 and Amazon Glacier
Storage with Amazon S3 and Amazon GlacierStorage with Amazon S3 and Amazon Glacier
Storage with Amazon S3 and Amazon Glacier
 
Aws101
Aws101Aws101
Aws101
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
 
Fundamentals of Cloud Computing & AWS
Fundamentals of Cloud Computing & AWSFundamentals of Cloud Computing & AWS
Fundamentals of Cloud Computing & AWS
 
Introduction to Amazon S3
Introduction to Amazon S3Introduction to Amazon S3
Introduction to Amazon S3
 

Similar to Aws s3 security

Similar to Aws s3 security (20)

Amazon S3 Server-Side Encryption with S3-Managed Keys – SSE-S3.pptx
Amazon S3 Server-Side Encryption with S3-Managed Keys – SSE-S3.pptxAmazon S3 Server-Side Encryption with S3-Managed Keys – SSE-S3.pptx
Amazon S3 Server-Side Encryption with S3-Managed Keys – SSE-S3.pptx
 
Protect your Data on AWS using the Encryption method.pdf
Protect your Data on AWS using the Encryption method.pdfProtect your Data on AWS using the Encryption method.pdf
Protect your Data on AWS using the Encryption method.pdf
 
Using encryption with_aws
Using encryption with_awsUsing encryption with_aws
Using encryption with_aws
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
AWS Key Management
AWS Key ManagementAWS Key Management
AWS Key Management
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
 
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS SummitData protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
Data protection using encryption in AWS - SEC201 - Santa Clara AWS Summit
 
(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014
(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014
(SEC301) Encryption and Key Management in AWS | AWS re:Invent 2014
 
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
Encryption and key management in AWS (SEC304) | AWS re:Invent 2013
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Encryption and Key Management in AWS
Encryption and Key Management in AWS Encryption and Key Management in AWS
Encryption and Key Management in AWS
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Protecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWSProtecting Your Data with Encryption on AWS
Protecting Your Data with Encryption on AWS
 
Big data security in AWS.pptx
Big data security in AWS.pptxBig data security in AWS.pptx
Big data security in AWS.pptx
 
Aws securing data_at_rest_with_encryption (1)
Aws securing data_at_rest_with_encryption (1)Aws securing data_at_rest_with_encryption (1)
Aws securing data_at_rest_with_encryption (1)
 
AWS Big Data Demystified #4 data governance demystified [security, networ...
AWS Big Data Demystified #4   data governance demystified   [security, networ...AWS Big Data Demystified #4   data governance demystified   [security, networ...
AWS Big Data Demystified #4 data governance demystified [security, networ...
 
Crypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow DublinCrypto-Options on AWS | Security Roadshow Dublin
Crypto-Options on AWS | Security Roadshow Dublin
 
AWS re:Invent 2016: AWS Partners and Data Privacy (GPST303)
AWS re:Invent 2016: AWS Partners and Data Privacy (GPST303)AWS re:Invent 2016: AWS Partners and Data Privacy (GPST303)
AWS re:Invent 2016: AWS Partners and Data Privacy (GPST303)
 

More from Omid Vahdaty

Big Data in 200 km/h | AWS Big Data Demystified #1.3
Big Data in 200 km/h | AWS Big Data Demystified #1.3  Big Data in 200 km/h | AWS Big Data Demystified #1.3
Big Data in 200 km/h | AWS Big Data Demystified #1.3
Omid Vahdaty
 
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
Omid Vahdaty
 

More from Omid Vahdaty (20)

Data Pipline Observability meetup
Data Pipline Observability meetup Data Pipline Observability meetup
Data Pipline Observability meetup
 
Couchbase Data Platform | Big Data Demystified
Couchbase Data Platform | Big Data DemystifiedCouchbase Data Platform | Big Data Demystified
Couchbase Data Platform | Big Data Demystified
 
Machine Learning Essentials Demystified part2 | Big Data Demystified
Machine Learning Essentials Demystified part2 | Big Data DemystifiedMachine Learning Essentials Demystified part2 | Big Data Demystified
Machine Learning Essentials Demystified part2 | Big Data Demystified
 
Machine Learning Essentials Demystified part1 | Big Data Demystified
Machine Learning Essentials Demystified part1 | Big Data DemystifiedMachine Learning Essentials Demystified part1 | Big Data Demystified
Machine Learning Essentials Demystified part1 | Big Data Demystified
 
The technology of fake news between a new front and a new frontier | Big Dat...
The technology of fake news  between a new front and a new frontier | Big Dat...The technology of fake news  between a new front and a new frontier | Big Dat...
The technology of fake news between a new front and a new frontier | Big Dat...
 
Big Data in 200 km/h | AWS Big Data Demystified #1.3
Big Data in 200 km/h | AWS Big Data Demystified #1.3  Big Data in 200 km/h | AWS Big Data Demystified #1.3
Big Data in 200 km/h | AWS Big Data Demystified #1.3
 
Making your analytics talk business | Big Data Demystified
Making your analytics talk business | Big Data DemystifiedMaking your analytics talk business | Big Data Demystified
Making your analytics talk business | Big Data Demystified
 
BI STRATEGY FROM A BIRD'S EYE VIEW (How to become a trusted advisor) | Omri H...
BI STRATEGY FROM A BIRD'S EYE VIEW (How to become a trusted advisor) | Omri H...BI STRATEGY FROM A BIRD'S EYE VIEW (How to become a trusted advisor) | Omri H...
BI STRATEGY FROM A BIRD'S EYE VIEW (How to become a trusted advisor) | Omri H...
 
AI and Big Data in Health Sector Opportunities and challenges | Big Data Demy...
AI and Big Data in Health Sector Opportunities and challenges | Big Data Demy...AI and Big Data in Health Sector Opportunities and challenges | Big Data Demy...
AI and Big Data in Health Sector Opportunities and challenges | Big Data Demy...
 
Aerospike meetup july 2019 | Big Data Demystified
Aerospike meetup july 2019 | Big Data DemystifiedAerospike meetup july 2019 | Big Data Demystified
Aerospike meetup july 2019 | Big Data Demystified
 
ALIGNING YOUR BI OPERATIONS WITH YOUR CUSTOMERS' UNSPOKEN NEEDS, by Eyal Stei...
ALIGNING YOUR BI OPERATIONS WITH YOUR CUSTOMERS' UNSPOKEN NEEDS, by Eyal Stei...ALIGNING YOUR BI OPERATIONS WITH YOUR CUSTOMERS' UNSPOKEN NEEDS, by Eyal Stei...
ALIGNING YOUR BI OPERATIONS WITH YOUR CUSTOMERS' UNSPOKEN NEEDS, by Eyal Stei...
 
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
 
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1  | Big Data Architecture Lessons Learned | EnglishAWS big-data-demystified #1.1  | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
 
AWS Big Data Demystified #3 | Zeppelin + spark sql, jdbc + thrift, ganglia, r...
AWS Big Data Demystified #3 | Zeppelin + spark sql, jdbc + thrift, ganglia, r...AWS Big Data Demystified #3 | Zeppelin + spark sql, jdbc + thrift, ganglia, r...
AWS Big Data Demystified #3 | Zeppelin + spark sql, jdbc + thrift, ganglia, r...
 
AWS Big Data Demystified #2 | Athena, Spectrum, Emr, Hive
AWS Big Data Demystified #2 |  Athena, Spectrum, Emr, Hive AWS Big Data Demystified #2 |  Athena, Spectrum, Emr, Hive
AWS Big Data Demystified #2 | Athena, Spectrum, Emr, Hive
 
Amazon aws big data demystified | Introduction to streaming and messaging flu...
Amazon aws big data demystified | Introduction to streaming and messaging flu...Amazon aws big data demystified | Introduction to streaming and messaging flu...
Amazon aws big data demystified | Introduction to streaming and messaging flu...
 
AWS Big Data Demystified #1: Big data architecture lessons learned
AWS Big Data Demystified #1: Big data architecture lessons learned AWS Big Data Demystified #1: Big data architecture lessons learned
AWS Big Data Demystified #1: Big data architecture lessons learned
 
Emr spark tuning demystified
Emr spark tuning demystifiedEmr spark tuning demystified
Emr spark tuning demystified
 
Emr zeppelin & Livy demystified
Emr zeppelin & Livy demystifiedEmr zeppelin & Livy demystified
Emr zeppelin & Livy demystified
 
Zeppelin and spark sql demystified
Zeppelin and spark sql demystifiedZeppelin and spark sql demystified
Zeppelin and spark sql demystified
 

Recently uploaded

Recently uploaded (20)

Christmas Palm Trees in Florida The Ultimate Guide to Festive Landscaping wit...
Christmas Palm Trees in Florida The Ultimate Guide to Festive Landscaping wit...Christmas Palm Trees in Florida The Ultimate Guide to Festive Landscaping wit...
Christmas Palm Trees in Florida The Ultimate Guide to Festive Landscaping wit...
 
Laplace Transforms.pptxhhhhhhhhhhhhhhhhh
Laplace Transforms.pptxhhhhhhhhhhhhhhhhhLaplace Transforms.pptxhhhhhhhhhhhhhhhhh
Laplace Transforms.pptxhhhhhhhhhhhhhhhhh
 
slidesgo-maximizing-sustainability-the-case-for-plastic-reuse
slidesgo-maximizing-sustainability-the-case-for-plastic-reuseslidesgo-maximizing-sustainability-the-case-for-plastic-reuse
slidesgo-maximizing-sustainability-the-case-for-plastic-reuse
 
A Wide Range of Eco System Services with Mangroves
A Wide Range of Eco System Services with MangrovesA Wide Range of Eco System Services with Mangroves
A Wide Range of Eco System Services with Mangroves
 
Palynology: History, branches, basic principles and application, collection o...
Palynology: History, branches, basic principles and application, collection o...Palynology: History, branches, basic principles and application, collection o...
Palynology: History, branches, basic principles and application, collection o...
 
Peat land Restoration Project in HLG Londerang
Peat land Restoration Project in HLG LonderangPeat land Restoration Project in HLG Londerang
Peat land Restoration Project in HLG Londerang
 
Global warming, Types, Causes and Effects.
Global warming, Types, Causes and Effects.Global warming, Types, Causes and Effects.
Global warming, Types, Causes and Effects.
 
Young & Hot ℂall Girls Hyderabad 8250077686 WhatsApp Number Best Rates of Hyd...
Young & Hot ℂall Girls Hyderabad 8250077686 WhatsApp Number Best Rates of Hyd...Young & Hot ℂall Girls Hyderabad 8250077686 WhatsApp Number Best Rates of Hyd...
Young & Hot ℂall Girls Hyderabad 8250077686 WhatsApp Number Best Rates of Hyd...
 
Rising temperatures also mean that more plant pests are appearing earlier and...
Rising temperatures also mean that more plant pests are appearing earlier and...Rising temperatures also mean that more plant pests are appearing earlier and...
Rising temperatures also mean that more plant pests are appearing earlier and...
 
A Review on Integrated River Basin Management and Development Master Plan of ...
A Review on Integrated River Basin Management and Development Master Plan of ...A Review on Integrated River Basin Management and Development Master Plan of ...
A Review on Integrated River Basin Management and Development Master Plan of ...
 
Presentation on GLOBALISATION IN MBA sem
Presentation on GLOBALISATION IN MBA semPresentation on GLOBALISATION IN MBA sem
Presentation on GLOBALISATION IN MBA sem
 
Coastal and mangrove vulnerability assessment In the Northern Coast of Java, ...
Coastal and mangrove vulnerability assessment In the Northern Coast of Java, ...Coastal and mangrove vulnerability assessment In the Northern Coast of Java, ...
Coastal and mangrove vulnerability assessment In the Northern Coast of Java, ...
 
Introducing Blue Carbon Deck seeking for actionable partnerships
Introducing Blue Carbon Deck seeking for actionable partnershipsIntroducing Blue Carbon Deck seeking for actionable partnerships
Introducing Blue Carbon Deck seeking for actionable partnerships
 
NO1 Pakistan Black magic In Pakistan Kala Ilam Expert Specialist In UK Kala I...
NO1 Pakistan Black magic In Pakistan Kala Ilam Expert Specialist In UK Kala I...NO1 Pakistan Black magic In Pakistan Kala Ilam Expert Specialist In UK Kala I...
NO1 Pakistan Black magic In Pakistan Kala Ilam Expert Specialist In UK Kala I...
 
NO1 Pakistan Black magic/kala jadu,manpasand shadi in lahore,karachi rawalpin...
NO1 Pakistan Black magic/kala jadu,manpasand shadi in lahore,karachi rawalpin...NO1 Pakistan Black magic/kala jadu,manpasand shadi in lahore,karachi rawalpin...
NO1 Pakistan Black magic/kala jadu,manpasand shadi in lahore,karachi rawalpin...
 
Production, dispersal, sedimentation and taphonomy of spores/pollen
Production, dispersal, sedimentation and taphonomy of spores/pollenProduction, dispersal, sedimentation and taphonomy of spores/pollen
Production, dispersal, sedimentation and taphonomy of spores/pollen
 
Carbon Stock Assessment in Banten Province and Demak, Central Java, Indonesia
Carbon Stock Assessment in Banten Province and Demak, Central Java, IndonesiaCarbon Stock Assessment in Banten Province and Demak, Central Java, Indonesia
Carbon Stock Assessment in Banten Province and Demak, Central Java, Indonesia
 
NO1 Pakistan online istikhara for love marriage vashikaran specialist love pr...
NO1 Pakistan online istikhara for love marriage vashikaran specialist love pr...NO1 Pakistan online istikhara for love marriage vashikaran specialist love pr...
NO1 Pakistan online istikhara for love marriage vashikaran specialist love pr...
 
The Key to Sustainable Energy Optimization: A Data-Driven Approach for Manufa...
The Key to Sustainable Energy Optimization: A Data-Driven Approach for Manufa...The Key to Sustainable Energy Optimization: A Data-Driven Approach for Manufa...
The Key to Sustainable Energy Optimization: A Data-Driven Approach for Manufa...
 
CAUSES,EFFECTS,CONTROL OF DEFORESTATION.pptx
CAUSES,EFFECTS,CONTROL OF DEFORESTATION.pptxCAUSES,EFFECTS,CONTROL OF DEFORESTATION.pptx
CAUSES,EFFECTS,CONTROL OF DEFORESTATION.pptx
 

Aws s3 security

  • 1. AWS S3 Security Considerations Omid Vahdaty, Big Data ninja
  • 2. Concepts ● protecting data while ○ in-transit (as it travels to and from Amazon S3) , 2 ways: ■ by using SSL ■ client-side encryption. ○ at rest (while it is stored on disks in Amazon S3 data centers) 2 ways: ■ Server Side encryption. (SSE) ■ client-side encryption.
  • 3. Encryption Types ● Server Side ○ encrypt your object before saving it on S3 disks ○ decrypt it when you download the objects from S3. ● Client Side ○ Client-side encryption refers to encrypting data before sending it to Amazon S3 ■ Use an AWS KMS-managed customer master key ■ Use a client-side master key ■ Disadvantage: Less matching the AWS ecosystem. You need to manage keys.
  • 4. Client side master key ● Your client-side master keys and your unencrypted data are never sent to AWS ● manage your own encryption keys ● If you lose them, you won't be able to decrypt your data. ● When uploading an object ○ You provide a client-side master key to the Amazon S3 encryption client ○ for each object,encryption client locally generates a one-time-use symmetric key ○ The client uploads the encrypted data key and its material description as part of the object metadata ○ The material description helps the client later determine which client-side master key to use for decryption ○ The client then uploads the encrypted data to Amazon S3 and also saves the encrypted data key as object metadata ● When downloading an object ○ The client first downloads the encrypted object from Amazon S3 along with the metadata ○ Using the material description in the metadata, the client first determines which master key to use to decrypt ○ the encrypted data key.
  • 5. Client Side KMS–Managed Customer Master Key (CMK) ● you provide only an AWS KMS customer master key ID (CMK ID) ● you don't have to worry about providing any encryption keys to the Amazon S3 encryption client (for example, the AmazonS3EncryptionClient in the AWS SDK for Java). 2options ○ A plain text version ○ A cipher blob ● unique data encryption key for each object it uploads.
  • 6. Server Side Encryption (SSE) ● Server-side encryption is about data encryption at rest ○ Amazon S3 encrypts your data at the object level as it writes it to disks ○ decrypts it for you when you access it. ○ As long as you authenticate your request and you have access permissions ○ You can't apply different types of server-side encryption to the same object simultaneously. ● 3 methods ○ Server-Side Encryption with Customer-Provided Keys (SSE-C) ■ You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects ○ S3-Managed Keys (SSE-S3) ○ AWS KMS-Managed Keys (SSE-KMS)
  • 7. S3-Managed Keys (SSE-S3) ● Each object is encrypted with a unique key employing strong multi-factor encryption ● it encrypts the key itself with a master key that it regularly rotates ● 256-bit Advanced Encryption Standard (AES-256), to encrypt
  • 8. AWS KMS-Managed Keys (SSE-KMS) ● Similar to SSE-S3 ● There are separate permissions for the use of an envelope key (that is, a key that protects your data's encryption key) ● provides you with an audit trail of when your key was used and by whom ● you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the service you're using, and the region you're working in.
  • 9. Additional Safeguards 1. VPN (site to site) 2. Identity 3. IP ACL 4. Write Only permissions.
  • 10. Security Diagram Destination AWS S3 Source Datacenter (secured) Data in Transit Client side encryption or HTTPS / SSL Data at Rest (Server/Client side encryption)