S3 Security
A newly created bucket is private by default, so the objects in a bucket cannot be accessed from outside until you change the security settings.
An S3 bucket can be configured to log every request made to the bucket; those logs can be used for audit as and when required.
S3 bucket security can be configured with the two options below:
- Bucket Policies: a bucket policy applies to the whole bucket.
- Access Control List: after creating an access control list you can apply it at the object level within the bucket.
You can grant access to your own account, to other accounts, and to Everyone as well. The grants available are:
Read, Write, Read Permissions, Write Permissions
S3 Encryption
There are 2 types of encryption
- In transit: when you access your bucket and send information to or from it over SSL/TLS (https).
- At Rest:
  - Server Side Encryption:
    - S3 Managed Keys (SSE-S3): each object is encrypted with a unique key; Amazon encrypts that key itself with a master key and regularly rotates the master key. The unique key is an AES-256 encryption key, which Amazon handles on its own.
    - AWS Key Management Service (SSE-KMS): similar to S3 managed keys, but it comes with some additional benefits, additional charges, and additional permissions needed to use these keys.
      An additional benefit of this option is that it provides an audit trail of who used your keys and when.
      You can create your own customised keys for your region or for S3.
    - Server side encryption with customer provided keys (SSE-C):
      - You manage the keys.
      - Amazon manages the encryption and decryption.
  - Client Side Encryption: you encrypt the data on the client side before uploading it to S3.
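As an added example (not part of the original post), the bucket policy below enforces both encryption types just described on a bucket: it denies any request that is not made over TLS, and denies uploads that do not ask for SSE-KMS. The bucket name is a placeholder, and the small `is_denied` helper only models the two condition keys this policy uses, so you can check the intended effect locally without an AWS account.

```python
import json
from typing import Optional

# Constructed placeholder bucket name; not a bucket from the original post.
BUCKET = "example-bucket"


def make_policy(bucket: str) -> dict:
    """Bucket policy enforcing the two encryption types:
    - in transit: deny everything not sent over TLS (aws:SecureTransport)
    - at rest: deny PutObject unless the request asks for SSE-KMS
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
        ],
    }


def is_denied(policy: dict, action: str, secure: bool, sse_header: Optional[str]) -> bool:
    """Local check of the Deny statements above (not a general IAM evaluator).
    A missing SSE header counts as 'not equal', matching how StringNotEquals
    treats an absent key, so a plain PutObject is denied."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:*", action) for a in actions):
            continue
        cond = stmt["Condition"]
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false" and not secure:
            return True
        want = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
        if want is not None and sse_header != want:
            return True
    return False


def policy_json(bucket: str) -> str:
    """Serialised form you would pass to put-bucket-policy."""
    return json.dumps(make_policy(bucket), indent=2)
```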