Creating a Digital Vault Using S3 in AWS

Pramod Tolani
Simform Engineering
7 min read · Dec 12, 2023

Fortifying data protection with AWS S3 SSE-C and encryption essentials

Keeping your data secure is crucial in this digital world.

In this blog, we’ll learn how to secure data in AWS S3 with its server-side encryption options, ending with SSE-C, where you supply your own keys, to build a digital vault in AWS S3.

Before that, let’s understand the basics!

Understanding Data Security

Consider document security as placing a robust lock on a secure cabinet. It is all about ensuring that only authorized individuals can access your crucial information.

At times, your secure cabinet is stationary (at rest), and sometimes it’s in motion (in transit). We’ll examine how to maintain its security in both scenarios.

Data at Rest

When your digital documents are at rest, they are sitting in storage, whether in a physical filing cabinet or in a digital storage system like your AWS S3 bucket acting as a virtual secure repository. Being at rest does not by itself make them secure; that takes the measures below.

Securing data at rest involves implementing measures to ensure that even during periods of inactivity, your documents remain confidential and protected against unauthorized access.

Data in Transit

Now, when your digital documents are in transit, it means they are on the move — perhaps being transferred between servers or accessed by users.

Securing data in transit involves safeguarding the information as it travels across networks, ensuring that it remains confidential and protected from interception.

AWS Key Management Service (AWS KMS)

AWS KMS is a managed service for creating and controlling the keys that encrypt your data on AWS. Key material never leaves the service in the clear: other AWS services, S3 included, call KMS to encrypt and decrypt on your behalf, and every such call is recorded in AWS CloudTrail, which is what makes KMS-backed encryption auditable.

AWS KMS Console

AWS CloudHSM

AWS CloudHSM provides dedicated, single-tenant hardware security modules (HSMs) in the AWS Cloud for generating, storing and using keys under your exclusive control; AWS manages the hardware but has no access to your keys. The HSMs are tamper-resistant and FIPS 140 validated, which matters when a compliance regime demands that keys live only in certified hardware.

Data Encryption Techniques

Amazon S3 offers three server-side encryption options, differing in who holds the key, and each plays a role in safeguarding your data during storage.

1. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)

With SSE-S3, Amazon S3 encrypts each object with AES-256 using a unique per-object key, and that key is itself encrypted with a root key that AWS rotates regularly. AWS owns and manages all of these keys; you never handle them.

Enabling SSE-S3 as the bucket default ensures that every new object is encrypted this way on write and decrypted transparently on read, with no change to your application.

Here are the steps to enable SSE-S3:

  • Open the AWS S3 console and select the bucket where your digital assets are stored.
  • Select your bucket and navigate to the Properties tab.
AWS S3 Bucket Properties Tab
  • Scroll down to the Default encryption section and enable server-side encryption. Choose SSE-S3 as the encryption type.
AWS S3 Bucket Properties Tab — Encryption Settings
  • Confirm your selection and save the changes.
AWS S3 Bucket Encryption Settings
  • Confirm that server-side encryption is enabled by checking the properties of individual objects in your bucket. Encrypted objects will display the encryption type as SSE-S3.
AWS S3 Bucket Object Encryption Details

Starting January 5, 2023, all new object uploads to Amazon S3 buckets are encrypted by default with SSE-S3, at no extra cost. The change applies to new writes only: objects that already existed are not re-encrypted, so check object properties or an S3 Inventory report (which can include encryption status) before assuming a bucket is fully covered.

2. Server-Side Encryption with AWS Key Management Service (SSE-KMS)

SSE-KMS encrypts objects with keys managed in AWS Key Management Service. Compared with SSE-S3, it gives you control that SSE-S3 cannot: you choose the key, its key policy decides who may use it (so reading an object requires both s3:GetObject and kms:Decrypt), every use of the key is logged in AWS CloudTrail, and disabling or scheduling deletion of the key makes the data unreadable.

Here’s a step-by-step guide on how to enable SSE-KMS:

  • Log in to the AWS S3 console and select the specific bucket containing your digital assets.
  • Within the bucket overview, head to the Properties tab.
AWS S3 Bucket Properties Tab
  • Scroll down to the Default encryption section, activate server-side encryption, and opt for AWS Key Management Service (SSE-KMS) as the encryption type.
AWS S3 Bucket Properties Tab — Encryption Settings
  • Select the AWS KMS key to use. You can create a new customer managed key, pick an existing one, or fall back to the AWS managed key for S3 (aws/s3). A customer managed key is the better choice when you need your own key policy, cross-account access or a rotation schedule, because the aws/s3 key’s policy cannot be edited and it cannot be used from another account. Consider enabling S3 Bucket Key at the same time to cut KMS request traffic and cost.
AWS S3 Bucket Encryption Configuration
  • Confirm your choices and save the configuration.
  • Confirm the successful encryption by inspecting individual objects in your bucket. Encrypted objects will reflect AWS Key Management Service (SSE-KMS) as the encryption type.
AWS S3 Bucket — Object Encryption Configuration

3. Creating our Digital Vault with Customer-Provided Keys (SSE-C)

SSE-C is the option to reach for when you want a vault whose key AWS never holds. You supply a 256-bit key with each request; S3 uses it to encrypt or decrypt the object on the server side and then forgets it. Note the name: this is still server-side encryption, not client-side encryption. With true client-side encryption your application encrypts the bytes before they leave your process and S3 only ever sees ciphertext; with SSE-C, S3 sees the plaintext and the key for the duration of the request but stores neither.

Here’s a step-by-step guide on how to use SSE-C:

  • Configure your client to send the key with every request. The key travels in request headers, so SSE-C only works over HTTPS (S3 rejects SSE-C requests made over plain HTTP). S3 encrypts the object with AES-256 and then discards the key, keeping only a randomly salted HMAC of it to validate later requests.
  • Generate the key locally from a secure random source. It must be exactly 256 bits of raw key material; keep it as a Buffer rather than a hex string, because a 64-character hex string is 64 bytes on the wire and S3 rejects it.

const crypto = require('crypto');

// Generate a 256-bit (32-byte) symmetric key for SSE-C
const key = crypto.randomBytes(32);

  • When uploading, pass the key and the algorithm as the SSE-C parameters. Each object can, and should, use its own key.

const fs = require('fs');
const AWS = require('aws-sdk');

const s3 = new AWS.S3();

const params = {
  Bucket: 'my-bucket',
  Key: 'my-file.txt',
  Body: fs.readFileSync('my-file.txt'),
  SSECustomerAlgorithm: 'AES256',
  // Raw 32-byte Buffer; the SDK base64-encodes it and fills in SSECustomerKeyMD5
  SSECustomerKey: key,
};

s3.putObject(params, (err, data) => {
  if (err) {
    console.error(err);
    return;
  }
  console.log('File uploaded successfully!');
});

  • Keep a secure record of the keys. S3 does not store them, so a lost key means the object can never be decrypted, by you or by AWS. Store them in a dedicated secret store (AWS Secrets Manager, a KMS-encrypted record, or an HSM) whose access is controlled separately from the data; a key kept in the same database row as the client data it protects offers no protection against anyone who can read that row.
  • When retrieving, supply the same key again; S3 decrypts on the server side and returns plaintext. A missing key or any other key is rejected.

const s3Object = new AWS.S3({
  params: { Bucket: 'my-bucket' },
  region: 'us-east-1', // replace with the bucket's region
});

async function download() {
  const fileData = await s3Object
    .getObject({
      Key: 'my-file.txt',
      SSECustomerAlgorithm: 'AES256',
      SSECustomerKey: key, // the same 32-byte key used at upload
      // Optional: if set, it must be the base64 MD5 of the raw key bytes
      SSECustomerKeyMD5: crypto.createHash('md5').update(key).digest('base64'),
    })
    .promise();
  return fileData.Body;
}

In this section, we used SSE-C to build a vault whose keys are held by us rather than by AWS: S3 encrypts and decrypts each object with the key we pass on every request and retains nothing but a salted HMAC of it. That gives confidentiality at rest without key management inside AWS, at the price of key management outside it: losing a key loses the data, and the key must be protected in transit (HTTPS only) and at rest in your own secret store.

AWS Shared Responsibility Between Customer and AWS

AWS Responsibilities

  • Manages the security of the cloud infrastructure, including physical data centers, networking, and the software stack supporting AWS services like S3.

Customer Responsibilities

  • Configures access controls to determine who can access data stored in AWS S3.
  • Implements encryption for data at rest and in transit based on specific security and compliance requirements.
  • Manages user permissions using AWS Identity and Access Management (IAM).
  • Classifies data and sets appropriate access controls, ensuring the protection of sensitive information.
  • Monitors the AWS S3 environment, detects suspicious activities, and conducts compliance audits.

The collaborative effort between AWS and Customers, outlined in the shared responsibility model, ensures a comprehensive approach to securing data within the AWS S3 ecosystem.

AWS Shared Responsibility Diagram Between AWS and Customer

Bonus: Automating Cleanup with AWS S3 Lifecycle Policy

Learn how to set up a policy to remove objects from the temp folder after a designated period.

  • Log in to your AWS S3 console and navigate to the specific bucket containing the temp folder.
  • Open the Management tab, find the Lifecycle rules section, and click Create lifecycle rule.
AWS S3 Bucket Management Tab
  • Give the rule a descriptive name, such as Remove Temp Objects.
AWS S3 Bucket - Create Lifecycle Management Rule Screen
  • Limit the rule’s scope with the prefix of the temp folder, including the trailing slash (temp/), so that only objects within the temp folder are affected and not, say, a temp-backup/ folder that shares the same leading characters.
  • Define actions for the rule. Configure an expiration action to permanently remove objects after a specific duration. For instance, you might set it to expire after 30 days.
AWS S3 Bucket — Create Lifecycle Management Rule Screen
  • Save the configuration, review the rule, and confirm. Once activated, the lifecycle policy will automatically remove objects from the temp folder based on the defined criteria.
AWS S3 Bucket — Create Lifecycle Management Rule List Screen

Implementing this lifecycle policy enhances your AWS S3 efficiency, ensuring timely cleanup of temporary objects and optimizing storage management.

Conclusion

To keep your data safe, managing keys and understanding your role in AWS’s security model is crucial.

Rotate your keys on a schedule, control who accesses what, and keep an eye on your AWS S3 space. Encryption, whether your data is chilling or on the move, keeps it protected.

Most importantly, staying on top of cloud security is paramount. Following good practices not only keeps your data private but also makes AWS S3 a secure place.

Keep learning, stay watchful, and let security guide your way.

For more updates on the latest development trends, follow the Simform Engineering blog.
