Content encryption for S3

Amazon S3 can encrypt stored content to protect it at rest. This topic describes the S3 encryption options and which of them Content Platform Engine supports.

S3 provides two options to protect data at rest:
  • Server-side encryption
    • S3 encrypts each object as it writes it to disk in its data centers and decrypts it for you when you retrieve it.
    • S3 supports keys that AWS manages for you (S3-managed keys, SSE-S3, or KMS-managed keys, SSE-KMS) and keys that you supply with each request (customer-provided keys, SSE-C).
    • The encryption method and key are selected by sending AWS-specific headers (x-amz-server-side-encryption and its related headers) with the REST request.
  • Client-side encryption
    • Refers to encrypting data before sending it to S3, so that S3 never handles the plaintext or the encryption key.
    • The S3 client SDKs support an AWS KMS-managed customer master key or a master key that the client stores and manages itself.

Content Platform Engine does not support AWS client-side encryption or AWS server-side encryption with customer-provided keys (SSE-C). For server-side encryption, configure the bucket with default (automatic) server-side encryption. S3 then encrypts every new object on the server with AES-256, either under S3-managed keys (SSE-S3) or under KMS-managed keys (SSE-KMS), without the upload request having to ask for it.

To use S3 server-side encryption with KMS-managed keys (SSE-KMS), make sure that both the KMS key policy and the IAM (Identity and Access Management) user policy allow the following actions for the user account that Content Platform Engine connects with:
  • kms:Encrypt
  • kms:Decrypt
  • kms:ReEncrypt*
  • kms:GenerateDataKey
  • kms:DescribeKey
Note: S3 bucket policies can require server-side encryption for all objects in a bucket, typically with a Deny statement that takes effect when the x-amz-server-side-encryption header is absent from the PutObject request. Content Platform Engine uploads to such a bucket fail, because the Content Platform Engine upload request does not include that header; the policy rejects the request at authorization time, before the bucket's default encryption would have been applied. A bucket with such a policy therefore cannot be used as an S3 advanced storage device or an S3 fixed content device. Enforce encryption through default bucket encryption instead, which applies regardless of the request headers.
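The pieces of this setup (the KMS permissions, the default bucket encryption that Content Platform Engine relies on, and the bucket policy pattern from the note that must be avoided) as an added Python example; it is not code from the original page or from Content Platform Engine. It builds the JSON documents the AWS API accepts (a KMS key policy statement, the ServerSideEncryptionConfiguration payload of PutBucketEncryption, and the "require SSE header" bucket policy) and includes a small evaluator, limited to the two condition operators such policies normally use, that shows why an upload without the x-amz-server-side-encryption header is denied. The bucket name, account ID, key ARN and principal ARN are made-up placeholders.

```python
import json

# The five KMS actions the page lists; both the KMS key policy and the IAM user
# policy must allow them for the account Content Platform Engine connects with.
KMS_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
]

# The request header that a "require SSE" bucket policy looks for, and the IAM
# condition key it appears under in the request context.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_CONDITION_KEY = "s3:" + SSE_HEADER


def kms_key_policy_statement(principal_arn, sid="AllowCPEUseOfKey"):
    """Key policy statement that lets principal_arn use the key for S3 SSE-KMS.
    The same Action list, minus Principal, also serves as the IAM user policy."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(KMS_ACTIONS),
        "Resource": "*",  # inside a key policy, "*" means this key only
    }


def default_encryption_config(kms_key_arn=None):
    """ServerSideEncryptionConfiguration for PutBucketEncryption.
    No key ARN -> SSE-S3 (AES256); a key ARN -> SSE-KMS with that key.
    S3 applies this to every new object, header or no header."""
    by_default = {"SSEAlgorithm": "AES256"}
    if kms_key_arn is not None:
        by_default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]}


def require_sse_header_policy(bucket, algorithm=None):
    """The bucket-policy pattern the note warns about. With algorithm=None it
    denies PutObject whenever the SSE header is absent; with an algorithm
    ("AES256" or "aws:kms") it denies any other value, which in IAM also
    matches when the header is absent."""
    if algorithm is None:
        condition = {"Null": {SSE_CONDITION_KEY: "true"}}
    else:
        condition = {"StringNotEquals": {SSE_CONDITION_KEY: algorithm}}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUploadsWithoutSSEHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition,
        }],
    }


def put_object_allowed(policy, request_headers):
    """Decide whether a PutObject with these headers survives the bucket policy.
    Minimal evaluator: only Deny statements and the Null / StringNotEquals
    operators used above are implemented; it is not a general IAM engine."""
    ctx = {"s3:" + name.lower(): value for name, value in request_headers.items()}
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        matched = True  # every condition entry must hold for the Deny to apply
        for operator, entries in stmt.get("Condition", {}).items():
            for key, expected in entries.items():
                if operator == "Null":
                    matched &= (key not in ctx) == (expected == "true")
                elif operator == "StringNotEquals":
                    # IAM: a negated operator matches when the key is missing
                    matched &= ctx.get(key) != expected
                else:
                    raise NotImplementedError(operator)
        if matched:
            return False
    return True


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own bucket, account and key.
    bucket = "cpe-content-bucket"
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/0f0f0f0f-0000-4000-8000-000000000000"
    cpe_user = "arn:aws:iam::111122223333:user/cpe-s3-service"

    print(json.dumps(kms_key_policy_statement(cpe_user), indent=2))
    print(json.dumps(default_encryption_config(key_arn), indent=2))

    policy = require_sse_header_policy(bucket)
    cpe_style_upload = {"Content-Type": "application/octet-stream"}  # no SSE header
    explicit_upload = {SSE_HEADER: "aws:kms"}
    print("CPE-style upload allowed:", put_object_allowed(policy, cpe_style_upload))  # False
    print("upload with SSE header allowed:", put_object_allowed(policy, explicit_upload))  # True
```

The dictionary that default_encryption_config returns is the ServerSideEncryptionConfiguration argument of boto3's s3.put_bucket_encryption call (or the JSON file passed to aws s3api put-bucket-encryption); the key policy statement goes into the key's policy document, and the same Action list without the Principal element is what the IAM user policy needs. The evaluator's point is the note above: with either condition form, a request that carries no x-amz-server-side-encryption header is denied, which is exactly the shape of a Content Platform Engine upload, whereas default bucket encryption never inspects that header.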