S3 Server-Side Encryption Using Windows PowerShell


In this guest post, AWS Solutions Architect Alex Johnson discusses the implementation of Amazon S3’s server-side encryption with customer-provided keys. The latest release of AWS Tools for Windows PowerShell version 2.1.4 now supports an additional server-side encryption method for Amazon S3, giving users three primary options for securing data at rest:

  1. Encrypt sensitive data on your end before uploading it to AWS using client-side encryption.
  2. Utilize S3’s built-in server-side encryption (SSE), where AWS handles the encryption and key management.
  3. Leverage server-side encryption with your own customer-provided keys (SSE-C), combining ease of use with control over your encryption keys.

This article outlines how to employ AWS PowerShell tools for securing your S3 data using both server-side encryption methods (SSE-C and SSE).

Server-Side Encryption with Customer-Provided Keys (SSE-C)

With SSE-C, S3 encrypts your data using keys that you manage. This allows you to maintain control over your encryption keys without the complexity of writing or executing your own encryption code. However, this encryption method is not accessible via the AWS console.

Protecting Your Keys

S3 discards your key immediately after encrypting or decrypting your object. If you lose your key, you lose access to your data, so it is crucial to store your keys securely. If you use multiple keys, you are responsible for tracking which key corresponds to each object. For more sophisticated key management, consider implementing an envelope encryption process as discussed in a separate AWS blog post.

Creating Your Key

The following commands use the .NET AES class in System.Security.Cryptography to generate a random 256-bit key and base64-encode it, which is the form the S3 cmdlets expect.

$Aes = New-Object System.Security.Cryptography.AesManaged
$Aes.KeySize = 256
$Aes.GenerateKey()                                          # fill $Aes.Key with 32 random bytes
$Base64key = [System.Convert]::ToBase64String($Aes.Key)     # base64 form passed to the S3 cmdlets
$Aes.Dispose()                                              # clear the key material held by the AES object
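The two sections above leave two practical gaps: how to keep the key from being lost or exposed, and how to know which key belongs to which object. The following added example (not code from the original post) fills both. It generates the key, records a SHA-256 fingerprint of it (never the key itself) next to the bucket and object name, wraps the key with DPAPI so only the current Windows account on this machine can unwrap it, and passes the key's MD5 so S3 can reject a key that was corrupted in transit. It assumes Windows PowerShell 5.1 on .NET Framework and the AWSPowerShell module; the function names, file paths and the CSV record layout are assumptions of this example.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 (.NET Framework)
# and the AWSPowerShell module; all function names and paths below are this example's own choices.

Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.ProtectedData (DPAPI)

function New-SseCKey {
    # Returns the base64 key S3 expects, the base64 MD5 of the raw key (S3 uses it to detect a
    # key damaged in transit), and a short SHA-256 fingerprint that is safe to write in records.
    $aes = New-Object System.Security.Cryptography.AesManaged
    try {
        $aes.KeySize = 256
        $aes.GenerateKey()
        $raw = $aes.Key
        $md5 = [System.Security.Cryptography.MD5]::Create()
        $sha = [System.Security.Cryptography.SHA256]::Create()
        try {
            $fp = ([BitConverter]::ToString($sha.ComputeHash($raw)) -replace '-', '').Substring(0, 16)
            return [pscustomobject]@{
                Base64Key   = [Convert]::ToBase64String($raw)
                Base64Md5   = [Convert]::ToBase64String($md5.ComputeHash($raw))
                Fingerprint = $fp
            }
        }
        finally { $md5.Dispose(); $sha.Dispose() }
    }
    finally { $aes.Dispose() }
}

function Protect-SseCKey {
    param([string]$Base64Key, [string]$Path)
    # DPAPI, CurrentUser scope: the blob can only be unwrapped by this Windows account on this host.
    $bytes = [Convert]::FromBase64String($Base64Key)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
                 $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [IO.File]::WriteAllBytes($Path, $blob)
    [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the raw key in memory longer than needed
}

function Unprotect-SseCKey {
    param([string]$Path)
    $blob  = [IO.File]::ReadAllBytes($Path)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    $b64 = [Convert]::ToBase64String($bytes)
    [Array]::Clear($bytes, 0, $bytes.Length)
    return $b64
}

# Usage: one wrapped key file per key, and a record of which key protects which object.
$k = New-SseCKey
$keyFile = "$env:USERPROFILE\ssec-$($k.Fingerprint).bin"
Protect-SseCKey -Base64Key $k.Base64Key -Path $keyFile

$record = [pscustomobject]@{ Bucket = "YourBucketName"; Key = "YourKeyName"; KeyFingerprint = $k.Fingerprint }
$record | Export-Csv -Path "$env:USERPROFILE\ssec-keymap.csv" -Append -NoTypeInformation

Write-S3Object -Region us-west-2 -File "YourFile" -BucketName $record.Bucket -Key $record.Key `
    -ServerSideEncryptionCustomerMethod AES256 `
    -ServerSideEncryptionCustomerProvidedKey $k.Base64Key `
    -ServerSideEncryptionCustomerProvidedKeyMD5 $k.Base64Md5

# Later, a reader looks up the fingerprint for the object in the CSV, unwraps that key file,
# and passes the result to Read-S3Object exactly as in the next section.
$Base64key = Unprotect-SseCKey -Path $keyFile
```

The CSV holds only the fingerprint, so a leaked record does not leak a key, and the DPAPI blob is useless on another machine or under another account; if the key must be shared across hosts, store it in a secrets store instead of a DPAPI file, but keep the fingerprint record the same.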

Writing an Object (SSE-C)

Use the Write-S3Object cmdlet to store an object in S3, encrypting it at rest with your customer-provided key.

$initialfile  = "YourFile"
$bucket       = "YourBucketName"
$objectkey    = "YourKeyName"

try 
{
    Write-S3Object -Region us-west-2 -File $initialfile -BucketName $bucket -Key $objectkey -ServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerMethod AES256
}
catch [system.exception] 
{
    Write-Host "Error: " $_.Exception.Message
}

Reading an Object (SSE-C)

The Read-S3Object cmdlet retrieves an encrypted object using the same customer-provided key that was used to encrypt it.

$ssecfileout  = "YourOutputFile" 
$bucket       = "YourBucketName"
$objectkey    = "YourKeyName"

try 
{
    Read-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -File $ssecfileout -ServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerMethod AES256
}
catch [system.exception]
{
    Write-Host "Error: " $_.Exception.Message
}

Copying an Object (SSE-C)

To copy an encrypted object, the Copy-S3Object cmdlet requires two keys: one to decrypt the source object and one to encrypt the new copy. The example below uses the same key for both, but they may differ.

$bucket         = "YourBucketName"
$objectkey      = "YourKeyName" 
$copyobjectkey  = "YourDestinationKeyName"

try 
{
    Copy-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -DestinationBucket $bucket -DestinationKey $copyobjectkey -CopySourceServerSideEncryptionCustomerMethod AES256 -CopySourceServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerProvidedKey $Base64key -ServerSideEncryptionCustomerMethod AES256
}
catch [system.exception] 
{
    Write-Host "Error: " $_.Exception.Message
}
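Because Copy-S3Object takes separate source and destination keys, the same copy operation can rotate an object's key in place: copying the object onto itself with a new destination key re-encrypts it server-side without the plaintext ever reaching the client. The following is an added example, not code from the original post. It assumes the AWSPowerShell module, a variable $OldBase64Key holding the key the object was written with, and that Get-S3ObjectMetadata accepts the same SSE-C parameters as Read-S3Object (an assumption of this example); the function names are this example's own.

```powershell
# Added example, not part of the original post. Assumes the AWSPowerShell module and that
# $OldBase64Key holds the key the object is currently encrypted with.

function New-Base64AesKey {
    # Fresh random 256-bit key in the base64 form the S3 cmdlets expect.
    $aes = New-Object System.Security.Cryptography.AesManaged
    try { $aes.KeySize = 256; $aes.GenerateKey(); return [Convert]::ToBase64String($aes.Key) }
    finally { $aes.Dispose() }
}

function Invoke-SseCKeyRotation {
    param(
        [string]$Region, [string]$Bucket, [string]$Key,
        [string]$OldBase64Key, [string]$NewBase64Key
    )
    # A copy onto the same bucket/key with a different customer key is allowed by S3 because
    # the encryption attributes change; S3 decrypts with the old key and re-encrypts with the new one.
    Copy-S3Object -Region $Region -BucketName $Bucket -Key $Key `
        -DestinationBucket $Bucket -DestinationKey $Key `
        -CopySourceServerSideEncryptionCustomerMethod AES256 `
        -CopySourceServerSideEncryptionCustomerProvidedKey $OldBase64Key `
        -ServerSideEncryptionCustomerMethod AES256 `
        -ServerSideEncryptionCustomerProvidedKey $NewBase64Key | Out-Null

    # Verify before retiring the old key: the new key must open the object and the old key must not.
    # Assumption: Get-S3ObjectMetadata accepts the same SSE-C parameters as Read-S3Object.
    $meta = Get-S3ObjectMetadata -Region $Region -BucketName $Bucket -Key $Key `
        -ServerSideEncryptionCustomerMethod AES256 `
        -ServerSideEncryptionCustomerProvidedKey $NewBase64Key

    $oldKeyStillWorks = $true
    try {
        Get-S3ObjectMetadata -Region $Region -BucketName $Bucket -Key $Key `
            -ServerSideEncryptionCustomerMethod AES256 `
            -ServerSideEncryptionCustomerProvidedKey $OldBase64Key | Out-Null
    }
    catch { $oldKeyStillWorks = $false }

    if ($oldKeyStillWorks) { throw "Rotation did not take effect: the old key still opens $Bucket/$Key" }
    return $meta
}

$newKey = New-Base64AesKey
try {
    $meta = Invoke-SseCKeyRotation -Region us-west-2 -Bucket "YourBucketName" -Key "YourKeyName" `
        -OldBase64Key $OldBase64Key -NewBase64Key $newKey
    Write-Host "Rotated; object now reports customer method:" $meta.ServerSideEncryptionCustomerMethod
    # Only now persist $newKey (for example DPAPI-wrapped as in the key-creation example) and
    # update the object-to-key record; until this point the old key is still the only valid one.
}
catch [System.Exception] {
    Write-Host "Rotation failed, old key remains valid: " $_.Exception.Message
}
```

Persist the new key only after the verification step succeeds: if the copy fails part-way, the object is still readable with the old key, and writing the new key to your records first would leave you tracking a key that does not open anything.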

S3 Server-Side Encryption (SSE) with AWS Keys

SSE is the simplest encryption method, where S3 handles encryption using AWS keys, meaning you don’t need to manage any keys. This method is also available through the AWS console.

Writing an Object (SSE)

The Write-S3Object cmdlet can also be used to encrypt an object using AWS-managed keys.

$initialfile  = "YourFile"
$bucket       = "YourBucketName"
$objectkey    = "YourKeyName"

try 
{
    Write-S3Object -Region us-west-2 -File $initialfile -BucketName $bucket -Key $objectkey -ServerSideEncryption AES256
}
catch [system.exception] 
{
    Write-Host "Error: " $_.Exception.Message
}

Reading an Object (SSE)

To retrieve an SSE-encrypted object, call Read-S3Object as you would for any other object; S3 decrypts it transparently, so no encryption parameters are needed on the read.

$ssefileout   = "YourOutputFile" 
$bucket       = "YourBucketName"
$objectkey    = "YourKeyName"

try 
{
    Read-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -File $ssefileout  
}
catch [system.exception]
{
    Write-Host "Error: " $_.Exception.Message
}

Copying an Object (SSE)

When copying a server-side encrypted object, specify server-side encryption explicitly on the copy; the copy does not inherit the source object's encryption setting, so omitting the parameter writes the copy without it.

$bucket         = "YourBucketName"
$objectkey      = "YourKeyName" 
$copyobjectkey  = "YourDestinationKeyName"

try 
{
    Copy-S3Object -Region us-west-2 -BucketName $bucket -Key $objectkey -DestinationBucket $bucket -DestinationKey $copyobjectkey -ServerSideEncryption AES256
}
catch [system.exception] 
{
    Write-Host "Error: " $_.Exception.Message
}
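Since the SSE setting must be repeated on every write and copy, it is easy for an unencrypted object to slip into a bucket. The following added example (not code from the original post) audits a bucket for such objects by listing it and checking each object's reported encryption method. It assumes the AWSPowerShell module and list/head permissions on the bucket; the function name and the way the SDK represents "no encryption" (an empty or None ServerSideEncryptionMethod value) are assumptions of this example.

```powershell
# Added example, not part of the original post. Assumes the AWSPowerShell module and permission
# to list the bucket and read object metadata.

function Get-S3EncryptionReport {
    param([string]$Region, [string]$Bucket)
    foreach ($obj in Get-S3Object -Region $Region -BucketName $Bucket) {
        try {
            $meta   = Get-S3ObjectMetadata -Region $Region -BucketName $Bucket -Key $obj.Key
            # Assumption: the SDK reports an unencrypted object as an empty or "None" method value.
            $method = [string]$meta.ServerSideEncryptionMethod
            if ([string]::IsNullOrEmpty($method) -or $method -eq 'None') { $method = 'None' }
            [pscustomobject]@{ Key = $obj.Key; Encryption = $method }
        }
        catch [System.Exception] {
            # Reading metadata of an SSE-C object fails without its customer key. That is expected:
            # the object is encrypted, just not with a key S3 manages, so it is reported separately.
            [pscustomobject]@{ Key = $obj.Key; Encryption = 'SSE-C or inaccessible' }
        }
    }
}

function Get-S3UnencryptedObjects {
    param([string]$Region, [string]$Bucket)
    Get-S3EncryptionReport -Region $Region -Bucket $Bucket | Where-Object { $_.Encryption -eq 'None' }
}

# Usage: print the full report, then fail loudly if anything is stored in the clear.
$report = Get-S3EncryptionReport -Region us-west-2 -Bucket "YourBucketName"
$report | Format-Table -AutoSize

$clear = @($report | Where-Object { $_.Encryption -eq 'None' })
if ($clear.Count -gt 0) {
    Write-Host "WARNING: $($clear.Count) object(s) are not server-side encrypted:"
    $clear | ForEach-Object { Write-Host "  " $_.Key }
}
```

Objects flagged as None can be fixed with the Copy-S3Object call from the section above (copy onto the same key with -ServerSideEncryption AES256); objects flagged as SSE-C need their customer key before any further action.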

Conclusion

This article outlines the various options available for encrypting data at rest in S3 using the Read-S3Object, Write-S3Object, and Copy-S3Object cmdlets. For further insights, refer to this excellent resource and check out this authoritative piece on the topic.
