
AWS Hands-On | S3 Security | S3 Encryption

5 min read · Jun 4, 2025

📌 Notice

This is a hands-on tutorial accompanying the blog post:

Pass the AWS Certified Solutions Architect Associate Certification SAA-C03 (Episode 12: S3 Security)

🔹 Focus: Practical implementation of Amazon S3.
🔹 For theoretical concepts and exam-style questions, please refer to the main blog post (link to parent blog).

Here’s a step-by-step guide to practicing server-side encryption in Amazon S3, following the same flow as the parent blog post:

Objective: Understand and configure different server-side encryption options (SSE-S3, SSE-KMS, DSSE-KMS) for S3 buckets and individual objects.

Prerequisites:

✔ An AWS account with access to Amazon S3.
✔ Sample image files (e.g., coffee.jpg, beach.jpg) to upload.

Step 1: Create an S3 Bucket with Default SSE-S3 Encryption

  1. Navigate to S3: Go to the Amazon S3 console.
  2. Create Bucket: Click “Create bucket”.
  3. Configure Bucket Details:
  • Bucket name: demo-encryption-mino-v2 (or a unique name of your choice).
  • AWS Region: Choose any region.
  • Bucket Versioning: Scroll down and “Enable” bucket versioning. (This matters later: changing an object’s encryption writes a new version, so you can compare the old and new versions side by side.)
  • Default encryption: Select “Server-side encryption with Amazon S3 managed keys (SSE-S3)”. Leave “Bucket Key” unchecked (it only applies to the KMS-based modes, not to SSE-S3).

  4. Create Bucket: Click “Create bucket”.

Step 2: Upload an Object and Verify Default SSE-S3 Encryption

  1. Navigate to the New Bucket: Go to your newly created bucket (demo-encryption-mino-v2).
  2. Upload Object: Click “Upload”, then “Add files”, and select coffee.jpg.
  3. Complete Upload: Click “Upload”.
  4. Verify Encryption:
  • Select the coffee.jpg object by clicking on its name.
  • Scroll down to the “Server-side encryption settings” section.

Observation: It should clearly state “Server-side encryption with Amazon S3-managed keys (SSE-S3)”.

Step 3: Change an Existing Object’s Encryption to SSE-KMS

  1. Select the Object: In your bucket, select the coffee.jpg object by checking its box.
  2. Go to “Properties”: Click on the “Properties” tab.
  3. Edit Encryption: Scroll down to the “Server-side encryption” section and click “Edit”.
  4. Override Bucket Settings: Select “Specify an encryption key”.
  5. Choose SSE-KMS: Select “Server-side encryption with AWS Key Management Service (SSE-KMS)”.
  6. Select KMS Key:
  • Under “AWS KMS key”, choose “Choose from your AWS KMS keys”.
  • Select aws/s3 from the dropdown list. (This is the AWS managed KMS key for S3 and will not incur extra costs for this demo.)
  • Leave “Bucket Key” enabled (an S3 Bucket Key reduces KMS costs by making fewer KMS API calls).

  7. Save Changes: Click “Save changes”.

Observation: Because versioning is enabled, this action creates a new version of coffee.jpg with the updated encryption settings.

  8. Verify New Version’s Encryption:

  • Go back to the “Objects” tab in your bucket.
  • Toggle “Show versions” (if not already enabled).
  • Click on the latest version of coffee.jpg (the one with the non-null, most recent version ID).
  • Scroll down to “Server-side encryption settings”.

Observation: It should now show “Server-side encryption with AWS KMS keys (SSE-KMS)” and specify the aws/s3 key ARN. The older version will still be encrypted with SSE-S3.

Step 4: Upload a New Object with Specific Encryption Settings (Optional)

  1. Upload New Object: In your bucket, click “Upload”.
  2. Add File: Click “Add files” and select beach.jpg.
  3. Configure Encryption During Upload: Under “Properties” (or “Optional settings” in the upload wizard), find “Server-side encryption”.
  4. Override Default: Select “Specify an encryption key”.
  5. Choose Encryption: You can now choose:
  • SSE-S3
  • SSE-KMS (and select a KMS key, e.g., aws/s3)
  • DSSE-KMS (dual-layer server-side encryption with AWS KMS keys, which also requires a KMS key)

  6. Complete Upload: Click “Upload”.

Observation: The beach.jpg object is stored with the encryption you selected for it, which overrides the bucket’s default if you chose something different.

Step 5: Review Default Bucket Encryption Settings

  1. Navigate to Bucket Properties: In your bucket (demo-encryption-mino-v2), go to the "Properties" tab.
  2. Edit Default Encryption: Scroll down to “Default encryption” and click “Edit”.
  3. Observe Options:
  • You can change the bucket’s default encryption to SSE-S3, SSE-KMS, or DSSE-KMS.
  • If you choose SSE-KMS or DSSE-KMS, the “Bucket Key” option becomes available. Enabling it reduces KMS costs by making fewer KMS API calls.
  • Note: You cannot set SSE-C (Server-Side Encryption with Customer-Provided Keys) as a bucket default or select it in the console. It is used through the AWS CLI or SDK, because you supply the key with each request. Client-side encryption is likewise handled entirely by your application before the data reaches S3.

  4. Cancel Changes: Click “Cancel”, as you don’t need to change the default for this demonstration.
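The same five steps can be driven through the S3 API instead of the console. The following helpers are an added example written for this tutorial, not code from the post or from AWS: they build the exact `put_bucket_encryption` and `put_object`/`copy_object` parameters for SSE-S3, SSE-KMS and DSSE-KMS, read back an object version’s encryption the way the “Server-side encryption settings” panel does, and reproduce Step 3 (re-encrypting an existing object, which creates a new version). Only `reencrypt_in_place` talks to AWS; it assumes a boto3 S3 client and a bucket you own are passed in.

```python
from typing import Optional

# Wire values S3 uses for the three server-side modes the console offers.
SSE_ALGORITHMS = {"SSE-S3": "AES256", "SSE-KMS": "aws:kms", "DSSE-KMS": "aws:kms:dsse"}
DEFAULT_KMS_KEY = "alias/aws/s3"  # the AWS managed key for S3 picked in Step 3


def default_encryption_config(mode: str, kms_key: Optional[str] = None,
                              bucket_key: bool = True) -> dict:
    """Payload for put_bucket_encryption (Steps 1 and 5). SSE-C is rejected:
    it cannot be a bucket default because the caller sends the key per request."""
    if mode not in SSE_ALGORITHMS:
        raise ValueError(f"{mode!r} cannot be a bucket default")
    by_default = {"SSEAlgorithm": SSE_ALGORITHMS[mode]}
    rule = {"ApplyServerSideEncryptionByDefault": by_default}
    if mode != "SSE-S3":  # a key id and Bucket Key only apply to the KMS modes
        by_default["KMSMasterKeyID"] = kms_key or DEFAULT_KMS_KEY
        rule["BucketKeyEnabled"] = bucket_key
    return {"Rules": [rule]}


def object_encryption_kwargs(mode: str, kms_key: Optional[str] = None,
                             bucket_key: bool = True) -> dict:
    """Per-object override for put_object / copy_object (Steps 3 and 4)."""
    if mode not in SSE_ALGORITHMS:
        raise ValueError(f"unsupported mode {mode!r}")
    kwargs = {"ServerSideEncryption": SSE_ALGORITHMS[mode]}
    if mode != "SSE-S3":
        kwargs["SSEKMSKeyId"] = kms_key or DEFAULT_KMS_KEY
        kwargs["BucketKeyEnabled"] = bucket_key
    return kwargs


def classify(head: dict) -> str:
    """Name the encryption of one object version from a head_object response,
    i.e. what the console's 'Server-side encryption settings' panel shows."""
    if "SSECustomerAlgorithm" in head:  # SSE-C: S3 echoes the customer algorithm instead
        return "SSE-C"
    names = {wire: name for name, wire in SSE_ALGORITHMS.items()}
    return names.get(head.get("ServerSideEncryption"), "UNKNOWN")


def reencrypt_in_place(s3, bucket: str, key: str, mode: str = "SSE-KMS") -> tuple:
    """Step 3 through the API: copy the object onto itself with new encryption.
    With versioning on, the previous version keeps its original encryption.
    Needs a boto3 S3 client (boto3.client('s3')) and credentials; not run offline."""
    before = classify(s3.head_object(Bucket=bucket, Key=key))
    s3.copy_object(Bucket=bucket, Key=key, CopySource={"Bucket": bucket, "Key": key},
                   **object_encryption_kwargs(mode))
    after = s3.head_object(Bucket=bucket, Key=key)
    return before, classify(after), after.get("VersionId")
```

Passing `VersionId=` to `head_object` for the older version ID from “Show versions” lets you confirm it still reports SSE-S3 after the copy.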

Conclusion:

You have successfully practiced S3 encryption by:

  • Creating a bucket with default SSE-S3 encryption.
  • Verifying that objects uploaded to a bucket without explicit settings inherit the default encryption.
  • Changing an existing object’s encryption to SSE-KMS, demonstrating how new versions are created.
  • Understanding how to specify encryption for new objects during upload.
  • Reviewing the console’s default encryption settings and understanding the limitations regarding SSE-C and client-side encryption.

To stay informed on the latest technical insights and tutorials, connect with me on Medium and LinkedIn. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have.

Written by Paul issack minoltan

I am a Professional Software Engineer

No responses yet