Amazon S3 Encrypts New Objects By Default


At AWS, security is a top priority. Starting today, Amazon Simple Storage Service (Amazon S3) encrypts all new objects by default. S3 now automatically applies server-side encryption with S3 managed keys (SSE-S3) to each new object, unless you specify a different encryption option. SSE-S3 was first launched in 2011. As Jeff wrote at the time: “Amazon S3 server-side encryption handles all encryption, decryption and key management in a completely transparent manner. When you PUT an object, we generate a unique key, encrypt your data with the key, and then encrypt the key with a [root] key.”

This change automatically applies another security best practice – with no performance impact and no action required on your part. S3 buckets that do not use default encryption will now automatically use SSE-S3 as the default. Existing buckets that currently use S3 default encryption are not changed.

As always, you can choose to encrypt your objects using one of the three server-side encryption options we offer: S3 managed keys (SSE-S3, the new baseline), customer-provided keys (SSE-C), or AWS Key Management Service keys (SSE-KMS). For an additional layer of protection, you can also encrypt objects on the client side before upload, using a client library such as the Amazon S3 Encryption Client.

Although it was easy to enable, the opt-in nature of SSE-S3 meant you had to make sure it was always configured on new buckets and verify that it remained configured correctly over time. For organizations that require all their objects to remain encrypted at rest with SSE-S3, this update helps meet their encryption compliance requirements without additional tools or client configuration changes.

With today’s announcement, we’ve now made it “zero click” for you to apply this basic level of encryption to every S3 bucket.

Verify that your objects are encrypted
The change is visible today in the AWS CloudTrail data event logs. You’ll see the changes in the S3 section of the AWS Management Console, Amazon S3 Inventory, Amazon S3 Storage Lens, and as an additional header in the AWS CLI and in the AWS SDKs over the next few weeks. We will update this blog post and documentation when the encryption status is available in these tools in all AWS Regions.

To verify that the change is effective on your buckets today, you can configure CloudTrail to log data events. By default, trails do not log data events, and there is an additional cost to enable them. Data events record the actions performed on or within a resource, such as a user uploading a file to an S3 bucket. You can log data events for Amazon S3 buckets, AWS Lambda functions, Amazon DynamoDB tables, or a combination of these.

Once enabled, search for the PutObject API call for single uploads or InitiateMultipartUpload for multipart uploads. When Amazon S3 automatically encrypts an object using the default encryption settings, the log record includes the following name-value pair: "SSEApplied":"Default_SSE_S3". Here is an example of a CloudTrail log (with data event logging enabled) from when I uploaded a file to one of my buckets using the AWS CLI command aws s3 cp backup.sh s3://private-sst.

Cloudtrail log to S3 with default encryption enabled
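To turn that manual search into a repeatable check, here is a small audit script, added as an example and not part of the original post or of any AWS tool. It reads a CloudTrail log file of the usual {"Records": [...]} shape, keeps only S3 object-creation events, and reports which encryption mode S3 says it applied (additionalEventData.SSEApplied), listing any upload whose record carries no such value. The records below are constructed for the example; the bucket and key names, the SSE_KMS value, and the acceptance of both CreateMultipartUpload and InitiateMultipartUpload as event names are assumptions made for illustration.

```python
"""Audit S3 upload data events from a CloudTrail log for the server-side
encryption S3 reports it applied (additionalEventData.SSEApplied)."""
import json
from collections import Counter

# S3 API names that create objects. CloudTrail writes the multipart start as
# "CreateMultipartUpload"; the REST name is "InitiateMultipartUpload". Both are
# accepted here (assumption) so the filter works whichever name a tool emits.
UPLOAD_EVENTS = {"PutObject", "CopyObject",
                 "CreateMultipartUpload", "InitiateMultipartUpload"}

# Constructed sample log for the example (not a real CloudTrail export). Only
# the fields used by the audit are present.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-01-05T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "requestParameters": {"bucketName": "private-sst", "key": "backup.sh"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3",
                             "bytesTransferredIn": 1024}},
    {"eventTime": "2023-01-05T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateMultipartUpload",
     "requestParameters": {"bucketName": "private-sst", "key": "big.iso"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2023-01-05T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",  # a read, not an upload: ignored by the audit
     "requestParameters": {"bucketName": "private-sst", "key": "backup.sh"},
     "additionalEventData": {"bytesTransferredOut": 1024}},
    {"eventTime": "2022-12-01T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",  # older upload with no SSEApplied field at all
     "requestParameters": {"bucketName": "legacy-bucket", "key": "notes.txt"},
     "additionalEventData": {"bytesTransferredIn": 12}},
]})


def upload_events(log_text):
    """Yield the S3 object-creation events from one CloudTrail log file."""
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource") == "s3.amazonaws.com"
                and rec.get("eventName") in UPLOAD_EVENTS):
            yield rec


def encryption_applied(rec):
    """Return the SSEApplied value for an upload, or None if none was logged."""
    return rec.get("additionalEventData", {}).get("SSEApplied")


def audit(log_text):
    """Summarise which encryption S3 applied to each upload in the log.

    Returns per-mode counts plus the uploads whose record has no SSEApplied
    value; those are the ones to look at more closely (for example an upload
    made before the change, or one logged by a path that drops the field)."""
    counts = Counter()
    unverified = []
    for rec in upload_events(log_text):
        params = rec.get("requestParameters", {})
        target = f"s3://{params.get('bucketName')}/{params.get('key')}"
        mode = encryption_applied(rec)
        if mode is None:
            unverified.append(target)
        else:
            counts[mode] += 1
    return {"by_mode": dict(counts), "unverified": unverified}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

Run it against the gzipped log files CloudTrail delivers to your trail's bucket (decompress first) and treat anything in the unverified list as a finding to investigate rather than as proof the object is unencrypted: the field reflects what the log captured, and the authoritative state of an object is its own encryption metadata.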

Amazon S3 encryption options
As I wrote earlier, SSE-S3 is now the new base level of encryption when no other encryption type is specified. SSE-S3 uses Advanced Encryption Standard (AES) encryption with 256-bit keys managed by AWS.

You can choose to encrypt your objects using SSE-KMS or SSE-C instead of SSE-S3. SSE-KMS can be set as the bucket's “one-click” default encryption or requested for individual objects in PUT requests; SSE-C is selected per object in the PUT request, because S3 never stores your key and so cannot apply it as a bucket default.

SSE-C lets Amazon S3 perform the encryption and decryption of your objects while you retain control over the keys used to encrypt objects. With SSE-C, you don’t need to implement or use a client-side library to perform encryption and decryption of objects you store in Amazon S3, but you do need to manage the keys you send to Amazon S3 to encrypt and decrypt objects.

With SSE-KMS, AWS Key Management Service (AWS KMS) manages your encryption keys. Having AWS KMS manage your keys offers several additional benefits. With AWS KMS, there are separate permissions for the use of the KMS key, which provides an additional layer of control as well as protection against unauthorized access to your objects stored in Amazon S3: a principal who can read the bucket still cannot decrypt the object without permission on the key. AWS KMS also provides an audit trail, so you can see who used your key to access which object and when, as well as failed attempts to access data by users without permission to decrypt it.
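The three server-side options differ only in which request headers (or which bucket default rule) you send, and in who holds the key. The following Python is an added example, not AWS SDK code or code from the original post: it builds the documented S3 REST headers for SSE-S3, SSE-KMS and SSE-C, replays the key-MD5 consistency check S3 applies to an SSE-C request, and builds the PutBucketEncryption rule for the two options that can serve as a bucket default. The KMS key alias alias/backups used in the usage section is a placeholder assumed for illustration.

```python
"""Request headers and bucket-default rules for the S3 server-side encryption
options. Illustrative code: header names are the S3 REST headers, and the
bucket rule is the shape accepted by PutBucketEncryption."""
import base64
import hashlib
import secrets


def sse_s3_headers():
    """SSE-S3: the explicit form of what S3 now applies when nothing is sent."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id=None):
    """SSE-KMS. Without a key ID, S3 uses the AWS managed key aws/s3.

    The caller must also be allowed kms:GenerateDataKey on the key to upload
    (and kms:Decrypt to read the object back): that is the separate permission
    layer, evaluated outside the bucket policy, and each use of the key is
    recorded by KMS in CloudTrail."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def new_sse_c_key():
    """Generate a 256-bit key for SSE-C. Keep it safe: S3 stores only a salted
    HMAC of the key to validate later requests, so a lost key means an object
    nobody can read."""
    return secrets.token_bytes(32)


def sse_c_headers(key):
    """SSE-C: the raw key travels in the request (HTTPS only) together with an
    MD5 of the key bytes that S3 uses purely as a transport integrity check."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key":
            base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def sse_c_key_header_consistent(headers):
    """Replay the check S3 makes on an SSE-C request: the key-MD5 header must
    equal the MD5 of the decoded key. A mismatch means the key was corrupted
    or mixed up in transit, and S3 rejects the request rather than encrypting
    with the wrong key."""
    try:
        key = base64.b64decode(
            headers["x-amz-server-side-encryption-customer-key"], validate=True)
    except (KeyError, ValueError):
        return False
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return headers.get("x-amz-server-side-encryption-customer-key-MD5") == expected


def default_encryption_rule(option, kms_key_id=None):
    """Bucket-level default (PutBucketEncryption). Only SSE-S3 and SSE-KMS can
    be bucket defaults; SSE-C must be chosen per request because S3 does not
    hold the key."""
    if option == "SSE-S3":
        by_default = {"SSEAlgorithm": "AES256"}
    elif option == "SSE-KMS":
        by_default = {"SSEAlgorithm": "aws:kms"}
        if kms_key_id:
            by_default["KMSMasterKeyID"] = kms_key_id
    else:
        raise ValueError(f"{option} cannot be a bucket default encryption setting")
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}


if __name__ == "__main__":
    key = new_sse_c_key()
    # alias/backups is a placeholder KMS key alias for the example.
    for name, hdrs in (("SSE-S3", sse_s3_headers()),
                       ("SSE-KMS", sse_kms_headers("alias/backups")),
                       ("SSE-C", sse_c_headers(key))):
        print(name, hdrs)
    print(default_encryption_rule("SSE-KMS", "alias/backups"))
```

The SDKs hide most of this (boto3, for instance, computes the SSE-C key MD5 for you), but seeing the headers makes the trade-off concrete: with SSE-S3 and SSE-KMS the key never leaves AWS, while with SSE-C every GET and HEAD must carry the same key again, which is the key-management burden the paragraph above describes.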

When you use an encryption client library, such as the Amazon S3 Encryption Client, you retain control of the keys and perform encryption and decryption on the client side with an encryption library of your choice. You encrypt the objects before sending them to Amazon S3 for storage, so S3 only ever sees ciphertext. The Java, .NET, Ruby, PHP, Go, and C++ AWS SDKs support client-side encryption.

You can follow the instructions in this blog post if you want to retroactively encrypt existing objects in your buckets.

Available now
This change is effective now in all AWS Regions, including the AWS GovCloud (US) and AWS China Regions. There is no additional cost for default object-level encryption.

— seb
