1. Home
  2. Training Library
  3. Amazon Web Services
  4. Courses
  5. Understanding S3 encryption mechanisms to secure your data

Server-Side Encryption with KMS Managed Keys (SSE-KMS)

The course is part of these learning paths

Solutions Architect – Professional Certification Preparation for AWS
course-steps
48
certification
7
lab-steps
19
quiz-steps
4
description
2
SysOps Administrator – Associate Certification Preparation for AWS
course-steps
32
certification
5
lab-steps
30
quiz-steps
4
description
5
Certified Developer – Associate Certification Preparation for AWS
course-steps
30
certification
6
lab-steps
22
description
2
Security - Specialty Certification Preparation for AWS
course-steps
23
certification
2
lab-steps
12
quiz-steps
4
AWS Access & Key Management Security
course-steps
6
certification
2
lab-steps
2
quiz-steps
2
more_horizSee 4 more
play-arrow
Start course
Overview
DifficultyAdvanced
Duration12m
Students5392
Ratings
4.9/5
starstarstarstarstar-half

Description

Course Description

We have all seen in the media numerous occurrences whereby large international organizations have had their data exposed and leaked that had been stored on S3.  Any sensitive data stored in the cloud MUST be encrypted, and when storing your data on S3 there are multiple different options that you can choose from to enable you to protect your data with encryption.  To help you understand these mechanisms, this course will guide you through the process of how each of them works, not just from an encryption perspective but also at a decryption level.  This will allow you to make the right choice when it comes to selecting the most appropriate method of encryption to align with your own internal security strategy.

Applying encryption is a simple task and it can protect you and your customers from data exposure should a malicious user gain access to your S3 buckets.

Learning Objectives

By the end of this course series you will be able to explain the encryption and decryption process for:

  • Server-Side Encryption with S3 Managed Keys (SSE-S3)
  • Server-Side Encryption with KMS Managed Keys (SSE-KMS)
  • Server-Side Encryption with Customer Provided Keys (SSE-C)
  • Client-Side Encryption with KMS Managed Keys (CSE-KMS)
  • Client-Side Encryption with Customer Provided Keys (CSE-C)

Intended Audience

This course is intended for those who have a responsibility of storing, managing and protecting data that is stored on Amazon S3. 

Prerequisites

This is an advanced level course and so it is essential that you have an understanding of S3 and that you have the knowledge to enable you to upload and retrieve data along with how to select different encryption options.

In addition to this, you must also be familiar with the KMS service and understand both CMKs and Data encryption keys.  

This course includes

7 lectures

Feedback

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.

Transcript

Transcript

Server-Side Encryption with KMS managed keys, SSE-KMS. The encryption process is as follows. Firstly, a client uploads object data to S3. S3 then requests data keys from a KMS-CMK. Using the specified CMK, KMS generates two data keys, a plain text data key and an encrypted version of the same data key. These two keys are then sent back to S3. S3 then combines the object data and the plain text data key to perform the encryption. This creates an encrypted version of the object data which is then stored on S3 along with the encrypted data key. The plain text data key is then removed from memory. The decryption process is as follows. A request is made by the client to S3 to retrieve the object data. S3 sends the associated encrypted data key of the object data to KMS. KMS then uses the correct CMK with the encrypted data key to decrypt it and create a plain text data key. This plain text data key is then sent back to S3. The plain text data key is then combined with the encrypted object data to decrypt it. This decrypted object data is then sent back to the client.

About the Author
Students114877
Labs1
Courses96
Learning paths64

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.