Enforcing S3 Encryption Using Bucket Policies
Introduction
While it is useful to know how to encrypt individual objects in S3, it is often also required to enforce that all objects in a bucket are encrypted. Furthermore, you may require a specific encryption method and, when using SSE-KMS, a specific CMK. S3 bucket policies are the provided way for you to enforce encryption requirements on S3 buckets. You will implement a bucket policy that requires SSE-KMS to be used for all objects put in the bucket, as well as the specific CMK to use for encryption.
Note: The policy should be enforced when the bucket is created since existing objects in a bucket will not be encrypted when the policy is applied (this is also true of setting the default encryption for a bucket).
Instructions
1. In the S3 bucket console, click the Permissions tab followed by Bucket Policy to open the Bucket policy editor:
Bucket policies are IAM policies applied to a bucket rather than to a user or role, as is conventionally done with IAM policies, similar to how a key policy is applied to a CMK. Both are examples of resource-based policies in AWS.
2. Paste the following bucket policy into the policy editor:
{
    "Version": "2012-10-17",
    "Id": "RequireSSEKMS",
    "Statement": [
        {
            "Sid": "DenyUploadIfNotSSEKMSEncrypted",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<Your_Bucket_Name>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        }
    ]
}
This policy denies ("Effect": "Deny") all users' ("Principal": "*") uploads ("Action": "s3:PutObject") to the bucket ("Resource": "arn:aws:s3:::<Your_Bucket_Name>/*") if s3:x-amz-server-side-encryption is not set to aws:kms, which corresponds to SSE-KMS. The lab provides you with the policy, but you could recreate it using the policy generator linked to beneath the policy editor.
3. Replace <Your_Bucket_Name> with the name of your lab bucket (it begins with cloudacademylabs-ssekms- and can be copied from the S3 console):
4. Click Save changes to save the policy and have it start being enforced.
5. Click the Objects tab followed by Upload.
6. Click Add files and select a small file, or download this sample file and select it.
7. Click Upload and observe the image does not appear in the bucket contents table.
Clicking Upload without configuring any properties of the object uses the default of no encryption.
You can see the upload Failed.
8. Retry the upload but this time use the Set properties step to configure Encryption to AWS KMS master-key using your CMK.
The upload now succeeds since the bucket policy condition is satisfied:
The policy does not require the use of your CMK, however, so the default S3 KMS key in the region is also allowed. You can change the policy condition to enforce that a specific CMK is used.

Summary
In this lab step, you configured an S3 bucket policy to require SSE-KMS encryption of any new objects uploaded to the bucket. Currently, clients are required to explicitly configure the SSE-KMS properties of the object. If you prefer to automatically set the SSE-KMS properties, you can set the bucket's default encryption properties accordingly. If a client tries to override the default encryption to use a different encryption method (unencrypted or SSE-S3), the upload will fail.
Challenge (Optional)
If you have time remaining in your lab session and you have already passed the validation check, try to modify the policy so that only a specific CMK can be used to upload objects to the lab bucket. Use this quote from AWS documentation to assist you:
To require that a particular AWS KMS CMK be used to encrypt the objects in a bucket, you can use the s3:x-amz-server-side-encryption-aws-kms-key-id condition key. To specify the AWS KMS CMK, you must use a key Amazon Resource Name (ARN) that is in the "arn:aws:kms:region:acct-id:key/key-id" format.
Solution to Challenge
{
    "Version": "2012-10-17",
    "Id": "RequireSSEKMSWithSpecificCMK",
    "Statement": [
        {
            "Sid": "DenyIfNotSpecificCMK",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<Your_Bucket_Name>/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-west-2:<Lab_Account_ID>:key/calabs-CMK-key"
                }
            }
        }
    ]
}
The CMK ARN can be found in the Customer Managed Keys view in the KMS Console. An example of a CMK ARN is arn:aws:kms:us-west-2:123456789012:key/bee0cfa3-b5ab-48cd-846e-263f0becba1c.
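To see why an upload with no encryption header is rejected while an SSE-KMS upload with the right key passes, here is an added Python example (not part of the lab) that builds both the lab policy and the challenge solution and evaluates a PutObject request against their Deny statement using IAM's rule for StringNotEquals, under which a condition key missing from the request counts as "not equal". The bucket name and CMK ARN are constructed placeholders.

```python
import fnmatch

# Constructed placeholders for the example, not the lab's real bucket or key.
BUCKET = "cloudacademylabs-ssekms-example"
CMK_ARN = "arn:aws:kms:us-west-2:123456789012:key/bee0cfa3-b5ab-48cd-846e-263f0becba1c"


def require_sse_kms_policy(bucket, key_arn=None):
    """Lab policy (require aws:kms); with key_arn, the challenge solution (require one CMK)."""
    if key_arn is None:
        expected = {"s3:x-amz-server-side-encryption": "aws:kms"}
    else:
        expected = {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUploadIfNotSSEKMSEncrypted", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": expected}}]}


def string_not_equals(context, expected):
    # IAM rule for negated operators: a key absent from the request context counts
    # as "not equal", so an upload sent with no encryption header matches the Deny.
    return all(context.get(key) != value for key, value in expected.items())


def put_object_denied(policy, bucket, key, context):
    """True if a Deny statement in `policy` matches PutObject on s3://bucket/key.

    `context` maps condition keys to the x-amz-* header values the client sent.
    Only the StringNotEquals operator is modelled, as that is all the lab uses.
    """
    request_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
            continue
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if not any(fnmatch.fnmatchcase("s3:PutObject", a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(request_arn, r) for r in resources):
            continue
        conditions_met = True
        for operator, expected in stmt.get("Condition", {}).items():
            if operator != "StringNotEquals":
                raise NotImplementedError(f"operator {operator} not modelled")
            conditions_met = conditions_met and string_not_equals(context, expected)
        if conditions_met:
            return True
    return False
```

A False result only means the bucket policy does not deny the upload; the caller still needs an Allow for s3:PutObject from its own IAM policy.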
Check if the policy has been applied to the S3 bucket