- Amazon S3 encrypts new data using the AES-256 encryption option by default now. If you’d like to use a different encryption method, you can specify one in the settings for your account.
- The AES-256 encryption standard is practically unbreakable by brute force, meaning it would take a lot of time and effort to try and crack the encryption code.
- There is an option to encrypt already existing data manually by following the guide at the end of the article.
Amazon Simple Storage Service (Amazon S3) now encrypts all new data by default using AES-256 if you don’t specify a different encryption option. The recent change will automatically apply new security best practices to your buckets, without any impact on performance or any action required on your part. Existing buckets that are using S3 default encryption will not change. The new update helps meet encryption compliance requirements without additional tools or client configuration changes.
Make sure your objects are encrypted
To confirm that the change has taken effect on your buckets, check the CloudTrail data events for S3. Data event logging is not enabled by default, but you can enable it if you want this visibility.
Once it is enabled, search the logs for PutObject events (single-file uploads) or InitiateMultipartUpload events (multipart uploads).
When Amazon S3 automatically encrypts an object using the default encryption settings, the log includes the following name-value pair: "SSEApplied":"Default_SSE_S3".
Here is an example of a CloudTrail log (with data event logging enabled) when a file is uploaded to a bucket using the AWS CLI command aws s3 cp backup.sh s3://private-sst.
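The check described above, as an added example that is not part of the original article: a small parser that walks a CloudTrail log file, keeps only the S3 upload events, and reports which ones carry the SSEApplied field. The log records are constructed for this example and follow the CloudTrail S3 data event layout (requestParameters and additionalEventData); status labels are my own.

```python
import json

# S3 API calls that create objects; CloudTrail data events for these carry SSEApplied.
UPLOAD_EVENTS = {"PutObject", "InitiateMultipartUpload"}

# Constructed sample CloudTrail log (data event logging enabled). Field layout
# follows the CloudTrail S3 data event format; bucket names and keys are made up,
# except the first record, which mirrors the "aws s3 cp backup.sh" upload above.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "private-sst", "key": "backup.sh"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "InitiateMultipartUpload",
     "requestParameters": {"bucketName": "legacy-bucket", "key": "dump.tar"},
     "additionalEventData": {"bytesTransferredIn": 0}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "private-sst", "key": "backup.sh"}},
]})

def classify_uploads(log_text):
    """Map each S3 upload event in a CloudTrail log to its encryption status."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue                      # not an S3 event
        if rec.get("eventName") not in UPLOAD_EVENTS:
            continue                      # reads and other calls do not create objects
        params = rec.get("requestParameters") or {}
        sse = (rec.get("additionalEventData") or {}).get("SSEApplied")
        if sse == "Default_SSE_S3":
            status = "default-sse-s3"     # bucket default encryption did the work
        elif sse:
            status = "explicit:" + sse    # caller requested its own SSE option
        else:
            status = "unencrypted"        # no server-side encryption recorded
        out.append((params.get("bucketName"), params.get("key"), status))
    return out

def unencrypted_uploads(log_text):
    """Return only the (bucket, key) pairs whose upload shows no SSEApplied."""
    return [(b, k) for b, k, s in classify_uploads(log_text) if s == "unencrypted"]

if __name__ == "__main__":
    for row in classify_uploads(SAMPLE_LOG):
        print(row)
```

Point the script at the JSON files CloudTrail delivers to your log bucket to get the same report over real events.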
You also have the option of encrypting your objects using either SSE-C or SSE-KMS rather than SSE-S3. With SSE-C, Amazon S3 still performs the encryption and decryption of your objects, but you retain control of the keys used. You don't need to implement or use a client-side library to do this, but you do need to manage the keys you send to Amazon S3.
The AES-256 encryption standard uses a 256-bit key, the largest key size defined by the AES standard. It is practically unbreakable by brute force, meaning that it would take an infeasible amount of time and effort to try and crack the encryption.
Jeff Barr, Chief Evangelist for AWS (Amazon Web Services) says:
"Amazon S3 server-side encryption handles all encryption, decryption, and key management in a totally transparent fashion. When you PUT an object, we generate a unique key, encrypt your data with the key, and then encrypt the key with a [root] key."
If you would like to encrypt already existing objects, click here.
Amazon seems to be taking security efforts seriously as it is one of the largest companies in the world. Any leaks in its system could affect the workflow of thousands. Amazon also released free cybersecurity awareness training in late 2021.