This week Amazon announced that S3 now supports server side encryption. You can encrypt S3 items through either the API or web management console, or you can require encryption for S3 buckets. A few details:
- They manage the keys. This is full transparent AES-256 encryption, and you only manage the access controls.
- Encryption is at the object level, not the bucket level. You can set a policy to require any uploads into a bucket to be encrypted.
- You can manage it via API or the AWS Management Console.
It’s interesting, but from a security perspective only protects you from one thing – hard drives lost or stolen from Amazon.
Going back to my Three Laws of Data Encryption, you would use this if you are worried about lost/stolen drives or if someone says you have to encrypt. It doesn’t protect from hacking attacks or anything like that. Client-side encryption is more important for improving security.
This isn’t really much of a security play, but it’s a big assurance/compliance play. Since I like bullet lists and clear advice, you should use S3 server side encryption:
- If you are required to encrypt data at rest, and said requirement does not also require you to segregate keys from Amazon.
- You want to market that you are encrypting the data, but still don’t have a requirement to lock out Amazon.
That’s about it. If you are worried about drive loss/theft it’s probably due to a compliance or disclosure requirement, and so I recommend client side encryption instead, for its greater security benefit.
This is a checkbox. Sometimes you need them, but if security is that important you have other options which should be higher priority.