SSE - Server Side Encryption
- Can use client-side encryption instead: send the object in already encrypted. SSE: encryption done by S3 right before storing; decrypted again for download
- Only one encryption type per object at a time:
SSE-S3
- S3-managed key
§ Unique key per object
§ Keys are encrypted using a Master Key (rotated regularly)
§ AES-256
§ No extra charge
Encryption process:
§ KMS generates a data key and encrypts it using the master key (yours in KMS or the KMS default one)
§ KMS provides the encrypted key and the plaintext key to S3
§ S3 encrypts the data with the plaintext key, stores the encrypted object, deletes the plaintext key
Decryption process:
§ S3 sends the encrypted key to KMS
§ KMS decrypts it and returns the key to S3
§ S3 decrypts the data and returns it to the user
SSE-KMS
- AWS KMS uses a CMK to encrypt objects
- Can use the default CMK or create your own
§ Creating your own CMK lets you manage it: rotate, disable, define access
§ Can audit which keys were used
- A separate envelope key is used to encrypt the object encryption keys (CloudTrail)
Encryption process:
§ Upload the object; S3 sends a request to KMS to create the object key
§ Upon the first encryption a default CMK is created
SSE-C
- Client's key is imported into the S3 service
- S3 uses the customer's key to encrypt
- AWS does not store client-provided encryption keys: deletes them after use
- Lose the key = lose the data
- No extra charge
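The encryption and decryption process above (a unique data key wrapped under a master key, plaintext key deleted after use), together with the SSE-C point that losing the key loses the data, as an added Go example; it is not code from these notes or from AWS. It assumes a local 32-byte master key standing in for the KMS master key / CMK, AES-256-GCM for both the key wrap and the object, and the names EncryptedObject, EncryptObject and DecryptObject chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedObject is the stored record: the object sealed under its data key, and that data key sealed under the master key.
type EncryptedObject struct{ WrappedKey, Ciphertext []byte }
// gcm returns AES-256-GCM for a 32-byte key; any other key size is a programming error in this demo.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal encrypts plaintext under key, prepending a fresh 12-byte GCM nonce to the output.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand: never returns an error on supported platforms
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a modified byte yields an error, never plaintext.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed data too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// EncryptObject is the write path from the notes: unique data key, wrapped under the master key, used once, then wiped.
func EncryptObject(masterKey, object []byte) EncryptedObject {
	dataKey := make([]byte, 32) // AES-256, unique per object (stands in for the KMS-generated data key)
	rand.Read(dataKey)
	obj := EncryptedObject{WrappedKey: seal(masterKey, dataKey), Ciphertext: seal(dataKey, object)}
	copy(dataKey, make([]byte, len(dataKey))) // plaintext data key deleted after use; only the wrapped copy is stored
	return obj
}
// DecryptObject is the read path: unwrap the data key with the master key, then decrypt the object. Any other master key fails at the unwrap step.
func DecryptObject(masterKey []byte, obj EncryptedObject) ([]byte, error) {
	dataKey, err := open(masterKey, obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, obj.Ciphertext)
}
```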
Static website hosting
- https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html
- AWS website endpoints are in Regions
- S3-website-<region>.amazonaws.com
- No HTTPS, only HTTP
- HTTP HEAD or GET for objects
- If no object is requested, returns your default HTML
S3 API
- API endpoints are in Regions
- An Amazon S3 website endpoint is optimized for access from a web browser; the AWS docs summarize the key differences between a REST API endpoint and a website endpoint in a table
- Allows for downloading or uploading an object with no AWS credentials: SDK Java / .NET, AWS Explorer for Visual Studio
- Can configure a bucket to redirect to a URL; a request for an object can redirect to another object / URL