Object encryption

Question 1

Can a bucket be encrypted?

Answer 1

No, only objects are encrypted

Question 2

Can you use different encryption methods within the same bucket?

Answer 2

Yes

Question 3

What methods of encryption is S3 capable of supporting?

Answer 3

Client-side encryption and Server-side encryption

Question 4

What type of encryption are SSE and client-side encryption?

Answer 4

They are methods of encryption at rest

Question 5

When are the objects encrypted when using client-side encryption?

Answer 5

Encrypted by the client before they leave.

Question 6

Does AWS see any data when using client-side encryption?

Answer 6

No, AWS only receives cypher data

Question 7

Who has the burden of encryption and decryption when using client-side encryption?

Answer 7

The encryption burden is on the customer and not AWS

Question 8

Does AWS see any data when using server-side encryption?

Answer 8

Yes, the data arrives in plaintext to S3

Question 9

Who has the burden of encryption and decryption when using server-side encryption?

Answer 9

AWS will handle some or all of the processes.

Question 10

What is SSE-C?

Answer 10

Server-side encryption with provided keys

Question 11

Can the client provide keys when using Server-side encryption?

Answer 11

Yes, with SSE-C.

Question 12

Does AWS see the raw data when using SSE-C?

Answer 12

Yes, AWS uses the keys that were provided by the client to encrypt/decrypt the data

Question 13

Who manages encryption and decryption when using SSE-C?

Answer 13

AWS

Question 14

Who is responsible of the management of keys when using SSE-C?

Answer 14

The client

Question 15

Who has the burden of encryption/decryption when using SSE-C?

Answer 15

AWS.

Question 16

What is the main advantage of SSE-C over Client-side encryption?

Answer 16

Offload CPU requirements for encryption/decryption

Question 17

What are the SSE-C Encryption Steps?

Answer 17

1. Provide object + encryption key to S3
2. Object is encrypted by S3 using the provided key.
3. A hash of the key is taken and stored with the object
4. The key is discarded after the hash is taken
5. The encrypted data and the hash are stored

Question 18

What are the SSE-C Decryption Steps?

Answer 18

1. Tell S3 what object to decrypt and provide key
2. If the key is correct (hash comparison), then the object is decrypted
3. The key is discarded and the decrypted object is provided.

Question 19

Name some UCs for SSE-C

Answer 19

1. When management of the keys must be controlled outside of AWS
2. When CPU offload can be useful

Question 20

What is SSE-S3 AES256?

Answer 20

Server-side encryption with Amazon S3 managed keys

Question 21

Who handles encryption and decryption when using SSE-S3?

Answer 21

AWS

Question 22

Who handles key generation and management when using SSE-S3?

Answer 22

AWS

Question 23

Name 3 disadvantages of using SSE-S3?

Answer 23

1. Not good for regulatory environments - where keys and access to keys must be controlled.
2. No way to control key material rotation
3. No role separation - full S3 admin can decrypt any data.

Question 24

Name one advantage of using SSE-S3

Answer 24

Very little overhead.

Question 25

What are the SSE-S3 Encryption Steps?

Answer 25

1. Provide object to S3 2. S3 generates fully managed and rotated **master key** automatically. 3. S3 generates a key specific for each object that is uploaded. 4. The master key is used to encrypt the specific object key, and the unencrypted version of that key is discarded. 5. The encrypted file and encrypted key are stored side by side in S3.

Question 26

What is SSE-KMS?

Answer 26

Server-side encryption with customer master keys stored in KMS

Question 27

Who handles keys and encryption processes when using SSE-KMS?

Answer 27

AWS

Question 28

Who handles the master keys when using SSE-KMS?

Answer 28

KMS

Question 29

How does AWS perform the encryption of objects when using SSE-KMS?

Answer 29

Every time an object is uploaded to a bucket, S3 works with KMS to create an AWS managed CMK and this is the default key that is used in the future. Every time an object is uploaded, S3 uses a dedicated key (DEK) to encrypt it.

Question 30

SSE-KMS Encryption Steps

Answer 30

1. S3 is provided a plaintext version of the data encryption key as well as an encrypted version. 2. The data is encrypted with the plaintext key and the key discarded. 3. The encrypted key is stored alongside the encrypted object.

Question 31

Can you use Customer managed CMKs when using SSE-KMS?

Answer 31

Yes, you can decide to use customer managed CMKs.

Question 32

What are the benefits of using Customer managed CMKs when using SSE-KMS?

Answer 32

Role separation, control of permissions and usage of Key material

Question 33

When using Customer managed CMKs with SSE-KMS, what do you need to access and decrypt an object?

Answer 33

Access to the CMK. No access to KMS key means no access to the object.

Question 34

Can an full S3 admin decrypt an object that was encrypted with SSE-KMS?

Answer 34

Only if he has access to the CMK that was used to encrypt the object.