Today, we feature a guest contribution by AWS Solutions Architect Alex Johnson, focusing on utilizing Amazon S3’s server-side encryption with customer-provided keys. The recent update to version 2.1.4 of the AWS Tools for Windows PowerShell has introduced a new method for server-side encryption in Amazon S3. You now have three main options to secure your data at rest within S3:
- Client-Side Encryption: Secure your sensitive data before uploading it to AWS.
- Built-In Server-Side Encryption (SSE): S3 encrypts your data using AWS keys and processes, while AWS handles the key management.
- Server-Side Encryption with Customer-Provided Keys (SSE-C): This allows you to enjoy the convenience of server-side encryption while maintaining control over your own encryption keys.
This article will guide you through using AWS PowerShell tools to secure your data at rest in S3, specifically focusing on the two methods of server-side encryption: SSE-C and SSE.
Server-Side Encryption with Customer-Provided Keys (SSE-C)
With SSE-C, S3 encrypts your data on your behalf using keys that you supply and manage. Since S3 handles the encryption, you benefit from using your keys without the need to develop or run your own encryption solutions. Note that this encryption method is not accessible through the AWS console.
Protecting Your Keys
S3 discards your key immediately after encrypting or decrypting your object. If you lose your key, you will lose access to your object. Therefore, it is crucial to store your keys safely and securely. If you utilize multiple keys, you must keep track of which key corresponds to each object. You may also want to implement an envelope encryption process, as discussed in the article Client-Side Data Encryption with the AWS SDK for Java and Amazon S3.
Creating Your Key
The following commands use the .NET AesManaged class from System.Security.Cryptography to generate a random 256-bit key and base64-encode it (the base64 string is what the cmdlets expect):
# Create an AES instance and ask it for a fresh 256-bit key
$Aes = New-Object System.Security.Cryptography.AesManaged
$Aes.KeySize = 256
$Aes.GenerateKey()
# Base64-encode the raw key bytes for the -ServerSideEncryptionCustomerProvidedKey parameter
$Base64key = [System.Convert]::ToBase64String($Aes.Key)
Writing an Object (SSE-C)
The Write-S3Object cmdlet is employed to store an object in S3, encrypting it at rest with a client-provided key. The key is base64 encoded, and AES256 is specified as the encryption method. After encryption, your key is discarded.
$initialfile = "YourFile"
$bucket = "YourBucketName"
$objectkey = "YourKeyName"
try {
    Write-S3Object -Region us-west-2 -File $initialfile -BucketName $bucket -Key $objectkey -ServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerMethod AES256
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
Reading an Object (SSE-C)
To retrieve an encrypted object from S3, use the Read-S3Object cmdlet with the same client-provided key used for encryption. The key must be base64-encoded, and AES256 is the specified encryption method.
$ssecfileout = "YourOutputFile"
$bucket = "YourBucketName"
$objectkey = "YourKeyName"
try {
    Read-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -File $ssecfileout -ServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerMethod AES256
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
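The write and read steps above as one round trip, added here as an example that is not part of the original post: a fresh key is generated per object, a fingerprint of the key is recorded against the object so you can tell later which key protects it, the object is read back and compared to the original, and a read without the key is shown to be rejected. Bucket, object key and file names are placeholders.

```powershell
# Added example (not from the original post): SSE-C round trip with key bookkeeping.
$region    = "us-west-2"
$bucket    = "YourBucketName"
$objectkey = "YourKeyName"
$inputfile = "YourFile"
$outfile   = "YourOutputFile"

# Generate a fresh 256-bit AES key and base64-encode it for the cmdlets.
$Aes = New-Object System.Security.Cryptography.AesManaged
$Aes.KeySize = 256
$Aes.GenerateKey()
$Base64key = [System.Convert]::ToBase64String($Aes.Key)

# S3 discards the key, so record which key protects which object. A SHA-256
# fingerprint identifies the key without revealing it; the key itself belongs
# in your own key store, never next to the data it protects.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ([System.BitConverter]::ToString($sha.ComputeHash($Aes.Key))) -replace '-', ''
$keyRegistry = @{ "$bucket/$objectkey" = $fingerprint }

try {
    Write-S3Object -Region $region -File $inputfile -BucketName $bucket -Key $objectkey `
        -ServerSideEncryptionCustomerProvidedKey $Base64key `
        -ServerSideEncryptionCustomerMethod AES256

    # Read it back with the same key and confirm the content survived intact.
    Read-S3Object -Region $region -BucketName $bucket -Key $objectkey -File $outfile `
        -ServerSideEncryptionCustomerProvidedKey $Base64key `
        -ServerSideEncryptionCustomerMethod AES256
    $same = (Get-FileHash $inputfile).Hash -eq (Get-FileHash $outfile).Hash
    $entry = $keyRegistry["$bucket/$objectkey"]
    Write-Host "Round trip intact: $same (object protected by key fingerprint $entry)"

    # A read without the customer key must fail: S3 rejects the request
    # instead of returning either ciphertext or plaintext.
    try {
        Read-S3Object -Region $region -BucketName $bucket -Key $objectkey -File "$outfile.nokey"
        Write-Host "Unexpected: object was readable without the customer key"
    } catch [System.Exception] {
        Write-Host "Expected failure without key: " $_.Exception.Message
    }
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
```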
Copying an Object (SSE-C)
Use the Copy-S3Object cmdlet to copy an encrypted object in S3 to a new key. This process requires two keys: one for decrypting the original object and another for encrypting the copy. You can use the same key for both, but it is not mandatory. As always, your keys are discarded after usage.
$bucket = "YourBucketName"
$objectkey = "YourKeyName"
$copyobjectkey = "YourDestinationKeyName"
try {
    Copy-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -DestinationBucket $bucket -DestinationKey $copyobjectkey -CopySourceServerSideEncryptionCustomerMethod AES256 -CopySourceServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerMethod AES256
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
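Because the copy takes a separate key for the source and the destination, Copy-S3Object is also how you rotate an SSE-C key. The following is an added example, not code from the original post: the object is re-encrypted under a new key at a new object key, and only after that succeeds is the new key the one to keep. $OldBase64key is assumed to hold the base64 key that currently protects the object; bucket and object key names are placeholders.

```powershell
# Added example (not from the original post): SSE-C key rotation via Copy-S3Object.
function New-SseCKey {
    # Returns a fresh base64-encoded 256-bit AES key.
    $Aes = New-Object System.Security.Cryptography.AesManaged
    $Aes.KeySize = 256
    $Aes.GenerateKey()
    return [System.Convert]::ToBase64String($Aes.Key)
}

function Invoke-SseCKeyRotation {
    param(
        [string]$Region, [string]$Bucket, [string]$Key, [string]$DestinationKey,
        [string]$OldBase64Key, [string]$NewBase64Key
    )
    # The CopySource* parameters carry the key that decrypts the original;
    # the ServerSideEncryption* parameters carry the key that encrypts the copy.
    Copy-S3Object -Region $Region -BucketName $Bucket -Key $Key `
        -DestinationBucket $Bucket -DestinationKey $DestinationKey `
        -CopySourceServerSideEncryptionCustomerMethod AES256 `
        -CopySourceServerSideEncryptionCustomerProvidedKey $OldBase64Key `
        -ServerSideEncryptionCustomerMethod AES256 `
        -ServerSideEncryptionCustomerProvidedKey $NewBase64Key
}

$region        = "us-west-2"
$bucket        = "YourBucketName"
$objectkey     = "YourKeyName"
$copyobjectkey = "YourDestinationKeyName"
$NewBase64key  = New-SseCKey   # $OldBase64key is assumed to already be set

try {
    Invoke-SseCKeyRotation -Region $region -Bucket $bucket -Key $objectkey `
        -DestinationKey $copyobjectkey -OldBase64Key $OldBase64key -NewBase64Key $NewBase64key
    # Only now is the new key authoritative: store it, point your records at
    # $copyobjectkey, and retire the old object and key once that is done.
    Write-Host "Re-encrypted $bucket/$objectkey as $bucket/$copyobjectkey under a new key."
} catch [System.Exception] {
    # On failure nothing has changed: the original object and old key remain valid.
    Write-Host "Rotation failed, old key still in use: " $_.Exception.Message
}
```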
S3 Server-Side Encryption (SSE) with AWS Keys
This is the most straightforward approach to encrypting your data at rest in S3. With SSE, S3 encrypts your data using AWS keys and processes. You do not need to manage or provide any encryption keys. This encryption method is also available via the AWS console.
Writing an Object (SSE)
As noted earlier, the Write-S3Object cmdlet is used to store an object in S3, encrypting it on disk using AWS encryption and keys.
$initialfile = "YourFile"
$bucket = "YourBucketName"
$objectkey = "YourKeyName"
try {
    Write-S3Object -Region us-west-2 -File $initialfile -BucketName $bucket -Key $objectkey -ServerSideEncryption AES256
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
Reading an Object (SSE)
The Read-S3Object cmdlet retrieves an object from S3. If the object is encrypted, a decrypted copy is returned.
$ssefileout = "YourOutputFile"
$bucket = "YourBucketName"
$objectkey = "YourKeyName"
try {
    Read-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -File $ssefileout
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
Copying an Object (SSE)
The Copy-S3Object cmdlet can be used to create a copy of a server-side encrypted object. When copying, encryption must be explicitly specified; otherwise, the copy will not be encrypted on the server-side. The example below demonstrates how to ensure server-side encryption for the copy.
$bucket = "YourBucketName"
$objectkey = "YourKeyName"
$copyobjectkey = "YourDestinationKeyName"
try {
    Copy-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -DestinationBucket $bucket -DestinationKey $copyobjectkey -ServerSideEncryption AES256
} catch [System.Exception] {
    Write-Host "Error: " $_.Exception.Message
}
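Since a copy made without -ServerSideEncryption silently lands unencrypted, it is worth checking a bucket for such objects. The following audit is an added example, not code from the original post; it assumes the Get-S3Object and Get-S3ObjectMetadata cmdlets are available and that the metadata response exposes a ServerSideEncryptionMethod property. Bucket name is a placeholder.

```powershell
# Added example (not from the original post): report objects without server-side encryption.
function Get-S3EncryptionReport {
    param([string]$Region, [string]$Bucket)
    $report = @()
    foreach ($obj in (Get-S3Object -Region $Region -BucketName $Bucket)) {
        try {
            # Assumed: metadata response carries the encryption method used at rest.
            $meta   = Get-S3ObjectMetadata -Region $Region -BucketName $Bucket -Key $obj.Key
            $method = "$($meta.ServerSideEncryptionMethod)"
            if ([string]::IsNullOrEmpty($method) -or $method -eq "None") {
                $status = "UNENCRYPTED"
            } else {
                $status = $method
            }
        } catch [System.Exception] {
            # A HEAD on an SSE-C object is rejected unless the customer key is
            # supplied, so a refused metadata request usually means SSE-C.
            # Inspect the message to rule out permission or other errors.
            $status = "SSE-C (customer key required): " + $_.Exception.Message
        }
        $report += [pscustomobject]@{ Key = $obj.Key; Encryption = $status }
    }
    return $report
}

$report = Get-S3EncryptionReport -Region "us-west-2" -Bucket "YourBucketName"
$report | Format-Table -AutoSize

$unencrypted = @($report | Where-Object { $_.Encryption -eq "UNENCRYPTED" })
if ($unencrypted.Count -gt 0) {
    Write-Host "$($unencrypted.Count) object(s) lack server-side encryption:"
    $unencrypted | ForEach-Object { Write-Host "  $($_.Key)" }
}
```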
Summary
This article covered the various options available for encrypting data at rest in S3 using the Read-S3Object, Write-S3Object, and Copy-S3Object cmdlets. For further reading on this topic, consider visiting this authoritative source and check out this excellent resource for more insights.