cloudonaut
Home Blog Podcast YouTube Games Books Logout
Subscribe Logout

All you need to know about encrypting S3 buckets

Andreas Wittig – 03 Mar 2021

Dance like nobody’s watching, encrypt like everyone is. Are you encrypting your data stored on Amazon Simple Storage Service (S3)? No, this video explains why and how to do so. Yes, this video helps you to avoid common pitfalls when doing so.

All you need to know about encrypting S3 buckets

After watching the video, you will be able to answer the following questions:

  1. How to enable default encryption for S3 buckets?
  2. Which encryption options fit my needs? SSE-S3, SSE-KMS with AWS managed CMK, or SSE-KMS with Customer managed CMK.
  3. How to make sure no one can lever out the default encryption?
  4. How does turning on encryption for S3 lead to extensive costs, and what can I do about it?

The following snippet contains the CloudFormation template used in the video to create a bucket, a bucket policy, as well as key.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: 'cloudonaut-sse-002'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
        - BucketKeyEnabled: true
          ServerSideEncryptionByDefault:
            SSEAlgorithm: 'aws:kms'
            KMSMasterKeyID: !GetAtt 'Key.Arn'
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties: 
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Deny
          Principal: '*'
          Action: s3:PutObject
          Resource: !Sub 'arn:${AWS::Partition}:s3:::${Bucket}/*'
          Condition:
            StringNotEquals:
              s3:x-amz-server-side-encryption: ''
              s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt 'Key.Arn'
  Key:
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Type: 'AWS::KMS::Key'
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
          Action: 'kms:*'
          Resource: '*'

Andreas Wittig

Andreas Wittig

I’ve been building on AWS since 2012 together with my brother Michael. We are sharing our insights into all things AWS on cloudonaut and have written the book AWS in Action. Besides that, we’re currently working on bucketAV,HyperEnv for GitHub Actions, and marbot.

Here are the contact options for feedback and questions.

Further reading