These study aids will help refresh your knowledge of the core concepts covered in the Solutions Architect Associate learning path.
Watch the 30-minute primer video before you go in to sit your exam.
The revision cards are included in the learning path items.
Updates
09/01/2020 - Updated Exam Primer lecture
- [Instructor] Hello, and welcome to this Cloud Bites course, where I shall focus on the different encryption mechanisms that can be used within S3. For this course, it is essential that you have an understanding of S3 and have the knowledge to enable you to upload and retrieve data, along with how to select different encryption options. In addition to this, you must also be familiar with the KMS service and understand both CMKs and data encryption keys.

Depending on your requirements, one method of encryption may be more appropriate than another. To help you decide, here is a quick overview of each.

Server-Side Encryption with S3 managed keys, SSE-S3. This option requires minimal configuration, and all management of the encryption keys used is handled by AWS. All you need to do is upload your data, and S3 will handle all other aspects.

Server-Side Encryption with KMS managed keys, SSE-KMS. This method allows S3 to use the Key Management Service to generate your data encryption keys. KMS gives you far greater flexibility in how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and audit its usage using AWS CloudTrail.

Server-Side Encryption with Customer-provided keys, SSE-C. This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key will then be sent with your data to S3, where S3 would then perform the encryption for you.

Client-Side Encryption with KMS, CSE-KMS. Similarly to SSE-KMS, this also uses the Key Management Service to generate your data encryption keys. However, this time KMS is called upon via the client, not S3. The encryption then takes place client-side, and the encrypted data is then sent to S3 to be stored.

Client-Side Encryption with Customer-provided keys, CSE-C. Using this mechanism, you are able to utilize your own provided keys and use an AWS SDK client to encrypt your data before sending it to S3 for storage.

Okay, that has given us a very high-level overview of the five different methods. Via a series of diagrams, I will now explain how the encryption and decryption process works for each.

Server-Side Encryption with S3 Managed Keys, SSE-S3. The encryption process is as follows. Firstly, a client uploads object data to S3. S3 then takes this object data and encrypts it with an S3 plaintext data key. This creates an encrypted version of the object data, which is then saved and stored on S3. Next, the S3 plaintext data key is encrypted with an S3 master key, which creates an encrypted S3 data key. This encrypted data key is then also stored on S3, and the plaintext data key is removed from memory. The decryption process is as follows. A request is made by the client to S3 to retrieve the object data. S3 takes the associated encrypted S3 data key of the object data and decrypts it with the S3 master key. The S3 plaintext data key is then used to decrypt the object data. This object data is then sent back to the client.

Server-Side Encryption with KMS managed keys, SSE-KMS. The encryption process is as follows. Firstly, a client uploads object data to S3. S3 then requests data keys from a KMS CMK. Using the specified CMK, KMS generates two data keys, a plaintext data key and an encrypted version of the same data key. These two keys are then sent back to S3. S3 then combines the object data and the plaintext data key to perform the encryption. This creates an encrypted version of the object data, which is then stored on S3, along with the encrypted data key. The plaintext data key is then removed from memory. The decryption process is as follows. A request is made by the client to S3 to retrieve the object data. S3 sends the associated encrypted data key of the object data to KMS. KMS then uses the correct CMK with the encrypted data key to decrypt it and create a plaintext data key. This plaintext data key is then sent back to S3. The plaintext data key is then combined with the encrypted object data to decrypt it. This decrypted object data is then sent back to the client.

Server-Side Encryption with Customer-Provided Keys, SSE-C. The encryption process is as follows. Firstly, a client uploads object data and the customer-provided key to S3 via HTTPS. It will only work with an HTTPS connection; otherwise, S3 will reject it. S3 will then use the customer-provided key to encrypt the object data. S3 will also create a salted HMAC value of the customer-provided key for future validation requests. The encrypted object data, along with the HMAC value of the customer key, is then saved and stored on S3. The customer-provided key is then removed from memory. The decryption process is as follows. A request is made by the client via an HTTPS connection to S3 to retrieve the object data. At the same time, the customer-provided key is also sent with the request. S3 uses the HMAC value of the same key to confirm its validity for the requested object. The customer-provided key is then used to decrypt the encrypted object data. The object data is then sent back to the client.

Client-Side Encryption with KMS Managed Keys, CSE-KMS. The encryption process is as follows. Using an AWS SDK such as the Java Client, a request is made to KMS for data keys that are generated from a specific CMK. This CMK is defined by providing the CMK ID in the request. KMS will then generate two data keys from the specified CMK. One key will be a plaintext data key. The second will be a cipher blob of the same data key. Both keys are then sent back to the client. The client will then combine the object data with the plaintext data key to create an encrypted version of the object data. The client then uploads both the encrypted object data and the cipher blob version of the data key to S3. S3 will then store the encrypted object data and associate the cipher blob data key as metadata of the encrypted object data. The decryption process is as follows. A request is made by the client to S3 to retrieve the object data. S3 sends both the encrypted object data and the cipher blob back to the client. Using an AWS SDK such as the Java Client, the cipher blob data key is sent to KMS. KMS combines the cipher blob data key with the corresponding CMK to produce the plaintext data key. This plaintext data key is then sent back to the client, and the plaintext data key is then used to decrypt the encrypted object data.

Client-Side Encryption with Customer-Provided Keys, CSE-C. The encryption process is as follows. Using an AWS SDK such as the Java Client, the client randomly generates a plaintext data key, which is used to encrypt the object data. The customer-provided CMK is then used to encrypt this client-generated data key. The encrypted object data and encrypted data key are then sent to S3. S3 will then store the encrypted object data and associate the encrypted data key as metadata of the encrypted object data. The decryption process is as follows. A request is made by the client to S3 to retrieve the object data. S3 sends both the encrypted object data and the encrypted data key back to the client. The customer-provided CMK is then used to decrypt the encrypted data key. The plaintext data key is then used to decrypt the object data.

That has now brought us to the end of this Cloud Bites course covering the different Amazon S3 encryption mechanisms that are available. If you have any feedback on this course, positive or negative, please do leave a comment on the course landing page. We do look at the comments, and your feedback is greatly appreciated. Thank you for your time, and good luck with your continued learning of cloud computing. Thank you.
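The two flows in the lecture that do not depend on a KMS call, the client-side envelope encryption of CSE-C and the server-side salted-HMAC key check of SSE-C, as an added example that is not part of the course, the AWS SDK, or S3 itself. It simulates the bucket with an in-memory struct and uses only the Go standard library (the lecture names the Java client; Go is used here because its AES-GCM and HMAC primitives ship with the toolchain). The metadata names `x-amz-key`, `key-salt` and `key-hmac`, the 32-byte keys, and the choice of AES-GCM and HMAC-SHA256 are assumptions made for the illustration; S3's actual wire format and internal key handling are not shown.

```go
package main

// Added illustration of the CSE-C and SSE-C flows described above; not AWS SDK
// or S3 code. Metadata names, key sizes and AES-GCM/HMAC-SHA256 are assumptions.
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredObject is what the simulated bucket keeps: ciphertext plus per-scheme metadata. No plaintext key is ever stored.
type StoredObject struct {
	Ciphertext []byte
	Metadata   map[string][]byte
}

// randomBytes draws from the OS CSPRNG; failure there is unrecoverable for this example.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce||ciphertext||tag under AES-GCM with a fresh random nonce.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; a wrong key or altered bytes fail the tag check.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ClientSidePut is the CSE-C upload: a random data key encrypts the object, the customer
// master key wraps the data key, and only the two ciphertexts reach the bucket.
func ClientSidePut(masterKey, plaintext []byte) (StoredObject, error) {
	dataKey := randomBytes(32)
	ct, err := sealAESGCM(dataKey, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealAESGCM(masterKey, dataKey)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, Metadata: map[string][]byte{"x-amz-key": wrapped}}, nil
}

// ClientSideGet is the CSE-C download: unwrap the data key locally, then decrypt the object.
func ClientSideGet(masterKey []byte, obj StoredObject) ([]byte, error) {
	dataKey, err := openAESGCM(masterKey, obj.Metadata["x-amz-key"])
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key: %w", err)
	}
	return openAESGCM(dataKey, obj.Ciphertext)
}

// keyHMAC is the server's salted fingerprint of a customer key (HMAC-SHA256 keyed by the salt).
func keyHMAC(customerKey, salt []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(customerKey)
	return m.Sum(nil)
}

// ServerSideCustomerKeyPut is the S3 side of SSE-C: encrypt with the presented key, keep
// only a salted HMAC of it for later validation, and drop the key.
func ServerSideCustomerKeyPut(customerKey, plaintext []byte) (StoredObject, error) {
	ct, err := sealAESGCM(customerKey, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	salt := randomBytes(16)
	meta := map[string][]byte{"key-salt": salt, "key-hmac": keyHMAC(customerKey, salt)}
	return StoredObject{Ciphertext: ct, Metadata: meta}, nil
}

// ServerSideCustomerKeyGet checks the presented key against the stored HMAC in constant
// time before any decryption is attempted, as the lecture describes for SSE-C retrieval.
func ServerSideCustomerKeyGet(customerKey []byte, obj StoredObject) ([]byte, error) {
	if !hmac.Equal(keyHMAC(customerKey, obj.Metadata["key-salt"]), obj.Metadata["key-hmac"]) {
		return nil, errors.New("customer key does not match the key used to encrypt this object")
	}
	return openAESGCM(customerKey, obj.Ciphertext)
}
```

Two points the diagrams alone do not make visible: in CSE-C a wrong master key is caught at the unwrap step by the AEAD tag, so the object ciphertext is never touched, and in SSE-C the HMAC comparison rejects a wrong key before decryption without the server ever holding the original key.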
Andrew is fanatical about helping business teams gain the maximum ROI possible from adopting, using, and optimizing Public Cloud Services. Having built 70+ Cloud Academy courses, Andrew has helped over 50,000 students master cloud computing by sharing the skills and experiences he gained during 20+ years leading digital teams in code and consulting. Before joining Cloud Academy, Andrew worked for AWS and for AWS technology partners Ooyala and Adobe.