1. Encrypting S3 Objects Using SSE-KMS

Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)

Lab Steps

lock
Logging in to the Amazon Web Services Console
lock
Learning important Key Management Service (KMS) terms
lock
Creating a Customer Master Key (CMK)
lock
Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)
lock
Enforcing S3 Encryption Using Bucket Policies
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.

Introduction

With your own CMK created and enabled, you are now able to use it for server-side encryption of data in S3 in the same region as the CMK. This is referred to as server-side encryption with customer master keys (CMKs) stored in AWS Key Management Service, or more simply, SSE-KMS. In SSE-KMS, the CMK generates data keys that S3 uses to encrypt objects. Not only do users need to have access to the S3 bucket and object with SSE-KMS, users must also have permission to use the CMK. In comparison to the other server-side encryption option for S3, server-side encryption with Amazon S3-managed keys (SSE-S3), the user only needs permission to access the object and does not require separate permission to use S3's underlying key. SSE-KMS provides a higher degree of control, although it requires additional charges for the key and for performing operations with the key. SSE-KMS also provides an additional audit trail showing when the CMK was used and by who.

If you do not create your own CMK, S3 can still use an AWS managed KMS CMK that is created by default in your account in the S3 bucket's region. This key is visible in the KMS console under AWS Managed Keys and is named aws/s3. However, because the key is managed by AWS you don't have the same degree of access control over key as you do with a customer managed key.

You will upload a file and encrypt it using SSE-KMS in this lab step.

 

Instructions

1. In the AWS Management Console search bar, enter S3, and click the S3 result under Services:

alt

 

2. Click the name of the bucket the Cloud Academy lab environment created for you (name begins with cloudacademylabs-ssekms):

alt

 

3. Click Upload.

 

4. Click Add files and select a small file, or download this sample file and select it.

 

 

5. Expand the Properties tab and scroll until the Server-side encryption settings.

 

 

6. Check the Specify an encryption key checkbox. 

 

7. Check the AWS Key Management Service key (SSE-KMS) checkbox and then the Choose from your AWS KMS keys checkbox:

alt

 

8. Choose the AWS KMS key you previously generated:

alt

 

9. Click on Upload.

 

10. Click Close and then click the name of the object to open its properties panel: 

alt

You can verify the object is encrypted using SSE-KMS by checking that the Encryption field is AWS-KMS.

 

Summary 

In this lab step, you Encrypted an object in S3 using SSE-KMS. You can also configure SSE-KMS as the default encryption property for all uploaded objects by configuring bucket properties. However, that will not enforce that all objects use SSE-KMS because it can be overridden with each request. You will see how to enforce SSE-KMS encryption in the next lab step.

Validation checks
1Checks
SSE-KMS Encrypted File Exists in S3

Checks if an object in the S3 bucket has been encrypted with SSE-KMS

Encryption for AWSAmazon Simple Storage Service (S3)

AWS Security, Identity & Compliance

0%
LP Introduction: AWS Security, Identity & Compliance
How AWS IAM is Used to Securely Manage Access
Managing User Identities with Long Term Credentials in AWS IAM
Managing Access using IAM User Groups & Roles
Using IAM Policies to Define and Manage Permissions
Knowledge Check: Overview of AWS Identity and Access Management (IAM)
Introduction to IAM
Advanced Roles and Groups Management Using IAM
Implementing Cross-Account Access Using IAM
Securing AWS Organizations with Service Control Policies (SCPs)
Understanding Amazon GuardDuty
Managing Findings from Multiple Accounts Using Amazon GuardDuty
Detecting EC2 Threats with Amazon GuardDuty
Enforcing Compliance & Security Controls with Amazon Macie
Configuring Multiple AWS Accounts with Amazon Macie to Protect PII Data in S3
How to Share Resources Across Multiple Accounts Using AWS Resource Access Manager
How to Use KMS Key Encryption to Protect Your Data
How to Share CMKs Across Multiple Accounts Using AWS KMS
Using Amazon Key Management Service to Encrypt S3 and EBS Data
Manage Your Own Encryption Keys Using AWS CloudHSM
Increasing Your Security Posture when Using Amazon S3
Using S3 Bucket Policies and Conditions to Restrict Specific Permissions
Understanding S3 Encryption Mechanisms to Secure your Data
Encrypting S3 Objects Using SSE-KMS
Amazon S3: Data Replication and Bucket Key Encryption
Amazon Inspector
Using AWS Identity Federation to Simplify Access at Scale
Security Best Practices when Working with AWS Databases
Understanding AWS Database Authentication & Access Controls
Sharing Secrets Between Multiple Accounts Using AWS Secrets Manager
Storing and Rotating RDS Credentials in Secrets Manager
Protecting Web Apps with AWS WAF, Shield & Firewall Manager
AWS Security Best Practices: Abstract and Container Services
The Difference Between Authentication, Authorization, and Access Control in AWS
Authorization Controls in AWS
AWS Authentication Mechanisms
Serverless Security: Comparing FaaS to IaaS
Final Exam: Security Services on AWS
Learning Pathnavigation