New – Amazon S3 Server Side Encryption for Data at Rest

A lot of technical tasks that seem simple in theory are often very complex to implement. For example, let’s say that you want to encrypt all of the data that you store in Amazon S3. You need to choose an encryption algorithm, create and store keys (while keeping the keys themselves safe from prying eyes), and “bottleneck” your code to ensure that encryption happens as part of every PUT operation and decryption happens as part of every GET operation. You must take care to store the keys in durable fashion, lest you lose them along with access to your encrypted data.

In order to save you from going through all of this trouble (and to let you focus on your next killer app), we have implemented Server Side Encryption (SSE) for Amazon S3 to make it easier for you to store your data in encrypted form. You can now request encrypted storage when you store a new object in Amazon S3 or when you copy an existing object. We believe that this important (and often-requested) new feature will be welcomed by our enterprise customers, perhaps as part of an overall strategy to encrypt sensitive data for regulatory or compliance reasons.

Amazon S3 Server Side Encryption handles all encryption, decryption, and key management in a totally transparent fashion. When you PUT an object and request encryption (in an HTTP header supplied as part of the PUT), we generate a unique key, encrypt your data with the key, and then encrypt the key with a master key. For added protection, keys are stored in hosts that are separate and distinct from those used to store your data. Here’s a diagram of the PUT process for a request that specifies SSE:

Decryption of the encrypted data requires no effort on your part. When you GET an encrypted object, we fetch and decrypt the key, and then use it to decrypt your data. We also include an extra header in the response to the GET to let you know that the data was stored in encrypted form in Amazon S3.

We encrypt your data using 256-bit AES encryption, also known as AES-256, one of the strongest block ciphers available. You can apply encryption to data stored using Amazon S3’s Standard or Reduced Redundancy Storage options. The entire encryption, key management, and decryption process is inspected and verified internally on a regular basis as part of our existing audit process.

You can use Amazon S3’s bucket policies to allow, mandate, or forbid encryption at the bucket or object level. You can use the AWS Management Console to upload and access encrypted objects.
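As an added example (not part of the original post), here is one way to mandate encryption with a bucket policy: deny every PutObject that does not send the `x-amz-server-side-encryption: AES256` request header. The bucket name is a placeholder, and `denied_by` is a simplified local model of the two condition operators used here, not AWS's policy engine.

```python
import json

SSE_HEADER = "x-amz-server-side-encryption"
SSE_KEY = "s3:" + SSE_HEADER  # policy condition key for that request header

def sse_required_policy(bucket):
    """Bucket policy that denies any PutObject not requesting AES256 SSE."""
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {**deny, "Sid": "DenyWrongSSEValue",
             "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}}},
            {**deny, "Sid": "DenyMissingSSEHeader",
             "Condition": {"Null": {SSE_KEY: "true"}}},
        ],
    }

def denied_by(policy, headers):
    """Return Sids of Deny statements matching a PUT with these headers.

    Simplified model: only StringNotEquals and Null are evaluated.
    """
    value = {k.lower(): v for k, v in headers.items()}.get(SSE_HEADER)
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        matched = True
        for op, kv in stmt.get("Condition", {}).items():
            want = kv[SSE_KEY]
            if op == "StringNotEquals":
                # Negated operators also match when the key is absent.
                matched &= value != want
            elif op == "Null":
                matched &= (value is None) == (want == "true")
            else:
                matched = False  # operator outside this model
        if matched:
            hits.append(stmt["Sid"])
    return hits

if __name__ == "__main__":
    policy = sse_required_policy("example-bucket")  # placeholder bucket name
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: correct header, no header, wrong value.
    for hdrs in ({SSE_HEADER: "AES256"}, {}, {SSE_HEADER: "aes128"}):
        print(hdrs, "->", denied_by(policy, hdrs) or "not denied")
```

An empty result only means the policy does not deny the upload; the caller still needs an Allow from some policy for the PUT to succeed.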

To learn more, check out the Using Encryption section of the Amazon S3 Developer Guide.

— Jeff;

PS – There’s no additional charge for SSE.
