All you need to know about encrypting S3 buckets

Andreas Wittig – 03 Mar 2021

Dance like nobody’s watching, encrypt like everyone is. Are you encrypting your data stored on Amazon Simple Storage Service (S3)? No, this video explains why and how to do so. Yes, this video helps you to avoid common pitfalls when doing so.

All you need to know about encrypting S3 buckets


Looking for a new challenge?

  • tecRacer

    Cloud Consultant • AWS Migrations

    tecRacer • Premier AWS Consulting Partner • Germany, Austria, Portugal, and Switzerland
    Assessment Transformation Change Management
  • DEMICON

    Senior Lead Full Stack Developer

    DEMICON • AWS Advanced Consulting Partner • Remote
    AWS JavaScript/TypeScript Angular React

After watching the video, you will be able to answer the following questions:

  1. How to enable default encryption for S3 buckets?
  2. Which encryption options fit my needs? SSE-S3, SSE-KMS with AWS managed CMK, or SSE-KMS with Customer managed CMK.
  3. How to make sure no one can lever out the default encryption?
  4. How does turning on encryption for S3 lead to extensive costs, and what can I do about it?

The following snippet contains the CloudFormation template used in the video to create a bucket, a bucket policy, as well as key.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: 'cloudonaut-sse-002'
BucketEncryption:
ServerSideEncryptionConfiguration:
- BucketKeyEnabled: true
ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
KMSMasterKeyID: !GetAtt 'Key.Arn'
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Deny
Principal: '*'
Action: s3:PutObject
Resource: !Sub 'arn:${AWS::Partition}:s3:::${Bucket}/*'
Condition:
StringNotEquals:
s3:x-amz-server-side-encryption: ''
s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt 'Key.Arn'
Key:
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Type: 'AWS::KMS::Key'
Properties:
EnableKeyRotation: true
KeyPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'

Become a cloudonaut supporter

Andreas Wittig

Andreas Wittig ( Email, Twitter, or LinkedIn )

We launched the cloudonaut blog in 2015. Since then, we have published 360 articles, 50 podcast episodes, and 48 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

$
Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Christopher Hipwell, Jaap-Jan Frans, Jason Yorty, Jeff Finley, Jens Gehring, jhoadley, Johannes Grumböck, Johannes Konings, John Culkin, Jonas Mellquist, Juraj Martinka, Kamil Oboril, Ken Snyder, Markus Ellers, Ross Mohan, Ross Mohan, sam onaga, Satyendra Sharma, Shawn Tolidano, Simon Devlin, Thorsten Hoeger, Todd Valentine, Victor Grenu, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.