Amazon S3 Bucket Encryptions - KMS vs AES256 - amazon-web-services

When I SSE-S3 encrypt the bucket (objects) with AES256 and make it public. The contents of the bucket are visible. However, this is not the case with AWS KMS which throws the following error:
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
How is the end-user able to view the object in AES256 encrypted?
Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each
object is encrypted with a unique key employing strong multi-factor
encryption. As an additional safeguard, it encrypts the key itself
with a master key that it regularly rotates. Amazon S3 server-side
encryption uses one of the strongest block ciphers available, 256-bit
Advanced Encryption Standard (AES-256), to encrypt your data.
According to this, my understanding is, if an object is encrypted it requires the decryption keys or in AWS world access to the key that is decrypting it. Please explain how AES256 is different from KMS. (Other than key policies provided by AWS on KMS)

Server-Side Encryption in S3 is always AES256, whether you are using SSE-S3 or SSE-KMS.
In both cases, S3 uses a key to transparently encrypt the object for storage and decrypt the object on request. The user accessing the object does not see the encrypted object in either case.
With SSE-S3, S3 owns and controls the keys, so permission to upload or download includes implicit permission for S3 to access the keys that it needs in order to access the object.
The level of encryption is the same whether you use SSE-S3 or SSE-KMS, but SSE-KMS imposes more stringent security constraints on accessing the objects, including mandatory use of HTTPS and Signature Version 4.

Related

AWS S3: is SSE-S3 envelope encryption?

Here is the encryption flow of Server-side encryption with S3 managed keys (SSE-S3)
(this picture is from Oreilly)
The client selects their object(s) to upload to S3 and indicates the encryption mechanism of SSE-S3 during this process.
S3 then takes control of the object and encrypts it with a plaintext data key that's generated by S3. The result is an encrypted version of the object, which is then stored within your chosen S3 bucket.
The plaintext data key that used to encrypt the object is then encrypted with an S3 master key, resulting in an encrypted version of the key. This now encrypted key is also stored on S3 and has an association to the encrypted data object. Finally, the plaintext data key is removed from memory in S3.
As you can see, SSE-S3 use a unique data key to encrypt the object, rather than the master key.
I heard a lot that SSE-KMS is envelope encryption, my question is:
Is SSE-S3 envelop encryption too?
Reference
Stack Overflow: Does AWS KMS use envelope encryption?
AWS KMS Envelope Encryption
AWS Encryption-At-Rest(server-side encryption) uses Envelope Encryption irrespective of what key is used. Not just for S3, for every service at AWS. Here is a nice blog about it.
Only difference is who manages data key and encryption key.
SSE-S3 Both keys are managed by AWS
SSE-KMS We manage CMK, where as AWS manages data key. Gives us more control on rotation, access, etc.
SSE-C We manage both encryption key and data key(we can choose to not use data key but use same key), we provide data key and algorithm, AWS encrypts for us and we need to keep track of which key is used for which object.

Does enabling default encryption on the existing s3 buckets requires any IAM change for the buckets users?

I want to enable default encryption for the existing buckets (Amazon S3-managed encryption keys (SSE-S3)). The future objects will be encrypted but to encrypt the existing objects either I need to copy them or re-upload them.
I am wondering as I am using SSE-S3 for default encryption on the buckets, do I need to make any IAM changes to allow bucket users for accessing both the existing objects and future objects? Or enabling default encryption (SSE-S3) on buckets does not require any IAM changes as the encryption applied before storing data at rest?
Thank you for your help.
If you are using SSE-S3 (Amazon S3-managed encryption keys) then you don't have to do anything. You may just enforce this encryption through bucket policy, as a default SSE-S3 bucket encryption can be overwritten by your users on per-object basis.
But if you were to choose SSE-KMS as default with your own CMK (not AWS one), then your users/inctances/lambdas would need to have permissions to access the CMK as well.

Why doesn't AWS KMS encrypt/decrypt need data key?

I am reading AWS encrypt cli document from https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html and https://docs.aws.amazon.com/cli/latest/reference/kms/decrypt.html. I found that I am able to encrypt/decrypt without creating a data key. When I read https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html, it says that I need to use KMS CMK to generate a data key which is used to encrypt my data.
So I am confused about whether I need a data key at all?
CMK is designed to encrypt/decrypt the data keys. Therefore, there is a limit of 4 KB on the amount of plaintext that can be encrypted in a direct call to the encrypt function. You can easily test this by passing in message larger than 4 KB.
These operations are designed to encrypt and decrypt data keys. They use an AWS KMS customer master key (CMK) in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. Although you might use them to encrypt small amounts of data, such as a password or RSA key, they are not designed to encrypt application data.
You are likely using a default CMK that was created by another AWS service that uses KMS encryption.
Of course all encryption and decryption operations require a key. If you did not explicitly create one for your application, then you are using the current default key.
Ensure that KMS Customer Master Keys (CMKs) are used by your AWS services and resources instead of default KMS keys, in order to have full control over data encryption/decryption process and meet compliance requirements. A KMS default master key is used by an AWS service such as RDS, EBS, Lambda, Elastic Transcoder, Redshift, SES, SQS, CloudWatch, EFS, S3 or Workspaces when no other key is defined to encrypt a resource for that service. The default key cannot be modified to ensure its availability, durability and security. On the other side, a KMS Customer Master Key (CMK) provides the ability to create, rotate, disable, enable and audit the encryption key used to protect the data.
See https://www.cloudconformity.com/knowledge-base/aws/KMS/default-key-usage.html

Get object from encrypted bucket using boto2?

Is it possible to get files from encrypted S3 buckets using boto 2? I am working with a project that uses S3 in several places and has to read/write to an encrypted S3 bucket. I would like to make as small a change as possible, for the time being, to support encryption.
Encryption actually works at the object level, rather than the bucket.
There are several ways to use encryption. If it is Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3), then as long as your app has permission to access the object then it will be automatically decrypted. (The app won't even notice that it was encrypted!)
If it is Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS), the app will also need adequate permissions to use the key in KMS. The object will be automatically decrypted, but it needs permissions to use the key.
If the app is Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C), then the app must provide the encryption key when it tries to access the object.
And finally, if it is Protecting Data Using Client-Side Encryption, then the app is totally responsible for encryption/decryption.
It is most likely that your data is using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3). If so, then your app doesn't have to do anything — it will all be handled automagically by Amazon S3.

AWS S3 server side encryption using CLI

I'm trying to use server side encryption having AWS KMS setup to upload objects to S3.
The documentation says that the uploaded objects should be encrypted;
Server-side encryption is about data encryption at rest—that is,
Amazon S3 encrypts your data at the object level as it writes it to
disks in its data centers and decrypts it for you when you access it.
I've setup KMS master key and trying to use CLI to upload an object in the following way
aws s3api put-object --bucket test --key keys/test.txt --server-side-encryption aws:kms --ssekms-key-id <my_master_Key_id> --body test.txt
The upload succeeds and I see the following response
{
"SSEKMSKeyId": "arn:aws:kms:eu-central-1:<id>:key/<my_master_key>",
"ETag": "\"a4f4fdf078bdd5df758bf81b2d9bc94d\"",
"ServerSideEncryption": "aws:kms"
}
Also when checking the file in S3 I see in details that it has been encrypted server side with a proper master key.
The problem is that when I download the file with a user not having a permission to use the KMS master key, I can open and read the file without a problem, when it should be encrypted.
Note: I also have PutObject policy denying all uploads without server-side encryption, which works fine.
I wonder if I misunderstand the server side encryption, or do I do something wrong? Any help is appreciated.
Unfortunately, I think you misunderstood server-side encryption in S3. Like you pointed yourself, from S3 server-side encryption (SSE) docs:
Server-side encryption is about protecting data at rest.
When S3 receives your object, it calls KMS to create a data key, encrypts your data with that data key (not the master key), and stores the encrypted data key along with the encrypted data.
When you try to download the encrypted files, S3 sees it has been encrypted, asks KMS to decrypt the data key (using the master key), and then uses the decrypted data key to decrypt the data before returning to you. My understanding from the docs and from the way SSE and KMS work is that there is no assumption on the user needing to have access to the master key for that to work -- it suffices that S3 has access to it.
The use case you described is more similar to S3 client-side encryption:
Client-side encryption refers to encrypting data before sending it to
Amazon S3.
In this scenario, the S3 client (instead of S3 on the backend) will ask for a KMS data key (derived from the master key), encrypt data client-side and upload it. It will not be possible to decrypt it on the server, and when clients download the (encrypted) files, decryption needs to happen client-side (the S3 client deals with that for you, though).