What are security considerations for SSE-KMS bucket keys versus object keys? I kinda got the impression that in the case of "bucket key" the original requestor entity doesn't have to be granted specifically to use a specific KMS key.
Bucket keys are much cheaper in terms of KMS API calls. The only change is that all objects are encrypted with the same key, which makes sense anyway.
I have a couple of S3 buckets where default encryption is turned on (SSE-S3), but for some reason some objects are showing as unencrypted. I wonder if we can encrypt after an object has been uploaded; if I go to the object and try to edit the server-side encryption, it says I don't have permission.
Default encryption only applies when creating or updating/replacing an object. The setting does not affect objects that were created before.
Hi, thanks for the content. If I may ask a question: how can I write the policies for SSE-S3 encryption? I tried some, but when I set nothing in the header it was rejecting all my requests from a Java client. Thanks
I'd say, replacing s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt 'Key.Arn' from our example with "s3:x-amz-server-side-encryption": "AES256" should do the trick.
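To make the reply above concrete, here is an added example (not code from the video or from cloudonaut) that builds the bucket policy for both variants, SSE-S3 with "AES256" and SSE-KMS with a required key ARN, and simulates how the condition keys are evaluated against a PutObject request's headers. The bucket name and key ARN are placeholders, and the evaluator models only the two operators the policy uses, including the IAM rule that a negated operator such as StringNotEquals matches when its key is absent from the request. It also reproduces the behaviour the question describes: the condition keys look at the request headers, not at the encryption S3 applies afterwards, so a client that sends no header is denied even on a bucket whose default encryption would have encrypted the object anyway.

```python
"""Bucket-policy conditions that enforce server-side encryption on PutObject.

Added example, not from the original video or comments. Builds the policy
variants discussed above and simulates IAM condition evaluation offline.
"""

BUCKET = "example-bucket"  # placeholder bucket name
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def build_sse_policy(bucket, mode="AES256", kms_key_arn=None):
    """Return a bucket policy that denies PutObject unless the request carries the
    expected SSE header. mode is "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)."""
    resource = f"arn:aws:s3:::{bucket}/*"
    statements = [
        {   # Header missing entirely: Null/"true" matches when the key is absent.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": resource,
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Header present but with the wrong value (e.g. AES256 on a KMS bucket).
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": resource,
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": mode}},
        },
    ]
    if mode == "aws:kms" and kms_key_arn:
        statements.append({  # SSE-KMS requested with a key other than the expected one.
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": resource,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _condition_matches(condition, ctx):
    """Evaluate the Null and StringNotEquals operators against a request context.
    ctx maps condition keys to header values; keys not sent are absent from ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # "true" matches an absent key, "false" matches a present key
                if present != (expected == "false"):
                    return False
            elif operator == "StringNotEquals":
                # negated operator: matches unless the key is present AND equal
                if present and ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def put_object_allowed(policy, headers):
    """True if no Deny statement matches a PutObject carrying the given x-amz-*
    headers (assumes the caller is otherwise allowed to write the object)."""
    ctx = {f"s3:{name}": value for name, value in headers.items()}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and _condition_matches(stmt["Condition"], ctx)):
            return False
    return True


if __name__ == "__main__":
    sse_s3 = build_sse_policy(BUCKET)
    print("no header   ->", put_object_allowed(sse_s3, {}))
    print("AES256      ->", put_object_allowed(sse_s3, {"x-amz-server-side-encryption": "AES256"}))
```

The request from the question, a Java client that sets no header, hits the first statement; the fix on the client side is to send the header, or on the policy side to drop the enforcement once the bucket's default encryption is relied on instead.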
Thanks a lot, please create a video on these gateways: virtual private gateway, transit gateway, border gateway, customer gateway, interface endpoint, gateway endpoint, VPC endpoints. These concepts are really confusing.
Thanks a lot for your feedback. Will add your content wishes into our backlog.
Is there an updated version of this content? Currently there isn't an option to enable and disable encryption. SSE-S3 is the default.
Correct, S3 buckets are encrypted by default these days. Up until now, we haven't recorded an updated video yet.
Thank you!
Thanks
You are welcome!
Hi Thanks a lot for this video.
Could you please make a video how to encrypt and decrypt the files using AWS KMS
Good point, will add that to our TODO list. :)
What do you think would be reasons NOT to enable bucket key, but to choose the more expensive key instead?
I don't see a good reason. All other services use similar optimizations to reduce KMS requests.
How can I verify that the objects are actually encrypted?
What do you mean by "verify that the objects are actually encrypted"? As the de/encryption happens on the fly, you have to trust AWS and their security/quality certifications that the encryption is working. All you can do is check the details of an object to see which encryption was applied.
@cloudonaut whenever I access the encrypted files in the console or preview them, I get them in their original form. Let's say there's a hack (or a raid by police) that my system faced and I mistakenly allow read access. How can I see if the encryption is working? When I encrypt a text file locally it automatically turns into something random.
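Two replies in this thread point at the same piece of tooling: the one explaining that default encryption does not touch objects created earlier, and the one saying that all you can do is check an object's details to see which encryption was applied. The added example below (not code from the video or from cloudonaut) does both in one pass: it lists a bucket, reads each object's HEAD to see whether a ServerSideEncryption value is present, and re-encrypts the ones without it by copying each object onto itself with SSE requested. The S3 calls follow the boto3 client API (list_objects_v2, head_object, copy_object); a small in-memory fake client stands in for boto3 so the logic runs offline, and the bucket name and object keys are constructed sample data. The copy needs s3:GetObject and s3:PutObject on the object (plus kms:GenerateDataKey for an SSE-KMS target), which is the same permission set the console's "edit server-side encryption" action requires, and a single CopyObject call only handles objects up to 5 GB, so larger ones are reported rather than copied.

```python
"""Find objects uploaded before default encryption was enabled and re-encrypt
them by copying each one onto itself.

Added example, not from the original video or comments. Calls follow the boto3
S3 client API; FakeS3 and SAMPLE_OBJECTS are constructed for offline use.
"""

COPY_OBJECT_LIMIT = 5 * 1024 ** 3  # CopyObject copies at most 5 GB in one call


def find_unencrypted(client, bucket, prefix=""):
    """Yield (key, size) for every object whose HEAD carries no ServerSideEncryption."""
    args = {"Bucket": bucket, "Prefix": prefix}
    while True:
        page = client.list_objects_v2(**args)
        for obj in page.get("Contents", []):
            head = client.head_object(Bucket=bucket, Key=obj["Key"])
            if "ServerSideEncryption" not in head:  # this is the "details" check
                yield obj["Key"], obj["Size"]
        if not page.get("IsTruncated"):
            return
        args["ContinuationToken"] = page["NextContinuationToken"]


def reencrypt_in_place(client, bucket, key, sse="AES256", kms_key_id=None):
    """Copy an object onto itself with server-side encryption requested and
    return the ServerSideEncryption value S3 reports for the new copy."""
    kwargs = {
        "Bucket": bucket, "Key": key,
        "CopySource": {"Bucket": bucket, "Key": key},
        "ServerSideEncryption": sse,
    }
    if sse == "aws:kms" and kms_key_id:
        kwargs["SSEKMSKeyId"] = kms_key_id
    return client.copy_object(**kwargs)["ServerSideEncryption"]


def reencrypt_bucket(client, bucket, sse="AES256", kms_key_id=None):
    """Re-encrypt every unencrypted object; returns (done, skipped_too_large)."""
    done, skipped = [], []
    for key, size in list(find_unencrypted(client, bucket)):
        if size > COPY_OBJECT_LIMIT:
            skipped.append(key)  # needs a multipart copy, not handled here
            continue
        reencrypt_in_place(client, bucket, key, sse, kms_key_id)
        done.append(key)
    return done, skipped


class FakeS3:
    """Minimal stand-in for a boto3 S3 client (constructed for this example)."""

    def __init__(self, objects):
        # objects: key -> {"Size": int, optionally "ServerSideEncryption": str}
        self.objects = objects
        self.copies = []

    def list_objects_v2(self, Bucket, Prefix="", **_):
        contents = [{"Key": k, "Size": v["Size"]}
                    for k, v in self.objects.items() if k.startswith(Prefix)]
        return {"Contents": contents, "IsTruncated": False}

    def head_object(self, Bucket, Key):
        return dict(self.objects[Key])

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption, **_):
        self.copies.append(Key)
        self.objects[Key]["ServerSideEncryption"] = ServerSideEncryption
        return {"ServerSideEncryption": ServerSideEncryption}


SAMPLE_OBJECTS = {  # constructed: two legacy objects, one already encrypted
    "legacy/a.txt": {"Size": 1024},
    "legacy/b.bin": {"Size": 6 * 1024 ** 3},
    "new/c.txt": {"Size": 512, "ServerSideEncryption": "AES256"},
}


def demo():
    """Run the scan-and-reencrypt pass against the sample bucket."""
    client = FakeS3({k: dict(v) for k, v in SAMPLE_OBJECTS.items()})
    return reencrypt_bucket(client, "example-bucket"), client


if __name__ == "__main__":
    (done, skipped), _ = demo()
    print("re-encrypted:", done, "skipped (>5 GB):", skipped)
```

On a versioned bucket the copy creates a new version rather than replacing the old bytes, so the unencrypted version stays readable until a lifecycle rule or explicit delete removes it.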
Sir, your face is obscuring some of your code!
Thanks for your feedback!
Security by obfuscation