I. Introduction

  1. Amazon S3 allows people to store objects (files) in buckets (directories).

  2. Charged for the data stored per month, e.g. per GB-month

  3. Buckets must have a globally unique name.

  4. Buckets are defined at the region level.

  5. S3 is a global service.

  6. Naming convention

    1. No uppercase
    2. No underscore
    3. 3-63 characters long
    4. Not an IP
    5. Must start with lower case letter or number
  7. Objects

    1. They are files and have a key

    2. Clients can upload directly to S3 with pre-signed URLs, which offloads a stressed web server

    3. The largest object that can be uploaded in a single PUT is 5GB

    4. The key is the full path (s3://my-bucket/folder/test.txt)

    5. Key = Prefix + Object name

      1. Prefix = folder
      2. Object name = test.txt
    6. Object values are the contents of the file (max size 5TB)

    7. If uploading more than 5GB, use multi-part upload

    8. Metadata (list of text key / value pairs - system or user metadata)

    9. Tags (Unicode key/value pair - up to 10) - useful for security/lifecycle

    10. Version ID (if versioning is enabled)

    11. If you add files and then enable versioning, the existing files will have the version ID "null"

II. Encryption

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. You can use a CMK to encrypt and decrypt up to 4 KB (4096 bytes) of data. Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. This strategy is known as envelope encryption.


  1. Four methods to encrypt objects in S3

    1. SSE-S3

      1. Encrypts S3 objects using keys handled and managed by S3
      2. The above key is encrypted itself using a master key that is regularly rotated
      3. AES-256 encryption type
      4. Must set header: "x-amz-server-side-encryption": "AES256"
    2. SSE-KMS

      1. Leverages the KMS service to encrypt
      2. Separate permission for CMK and data key
      3. Complete key-rotation control
      4. Envelope encryption
      5. KMS advantage includes user control and audit trail
      6. Must set header: "x-amz-server-side-encryption": "aws:kms"
    3. SSE-C

      1. For managing your own keys, i.e. AWS does not provide the keys
      2. Must use HTTPS
      3. Encryption key must be provided every time (for every HTTP request)
    4. Client-side encryption

      1. Can be done with the AWS S3 Encryption Client
      2. The client must encrypt the data itself BEFORE sending
      3. The client must decrypt the data itself AFTER retrieving
  2. Encryption in transit

    1. S3 exposes both HTTP and HTTPS endpoints
    2. Most clients will use HTTPS
  3. You may enable default encryption for a bucket.
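As an added example (not part of these notes), a small Python check that applies the bucket-naming rules from section I and the encryption and size rules from section II to a planned PUT request. The SSE-C header names are the documented S3 ones; the sample requests at the bottom are constructed.

```python
import re
from urllib.parse import urlparse

SINGLE_PUT_MAX = 5 * 1024 ** 3  # largest object in a single PUT is 5 GB
SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_ALGO = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
# Rules as listed above: lowercase, no underscore, 3-63 chars, starts with a lowercase letter or digit
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{2,62}$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def valid_bucket_name(name: str) -> bool:
    """True if the name satisfies the naming convention and is not formatted as an IP."""
    return bool(NAME_RE.match(name)) and not IP_RE.match(name)


def check_put_request(url: str, headers: dict, size: int) -> list:
    """Return a list of findings for one PUT; an empty list means the request is acceptable."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(url).scheme
    if size > SINGLE_PUT_MAX:
        findings.append("object exceeds 5 GB: use multipart upload")
    if SSE_C_ALGO in h or SSE_C_KEY in h:
        # SSE-C: the customer key travels with every request, so plain HTTP is not acceptable
        if scheme != "https":
            findings.append("SSE-C requires HTTPS")
        if SSE_C_KEY not in h:
            findings.append("SSE-C requires the customer key on every request")
    elif SSE_HEADER in h:
        if h[SSE_HEADER] not in ("AES256", "aws:kms"):
            findings.append(f"unknown SSE value {h[SSE_HEADER]!r}")
    else:
        findings.append("no server-side encryption header (relies on bucket default encryption)")
    return findings


# Constructed sample requests for a stand-alone run
SAMPLE_REQUESTS = [
    ("https://my-bucket.s3.amazonaws.com/folder/test.txt", {SSE_HEADER: "AES256"}, 4096),
    ("http://my-bucket.s3.amazonaws.com/folder/test.txt", {SSE_C_ALGO: "AES256"}, 4096),
    ("https://my-bucket.s3.amazonaws.com/big.bin", {SSE_HEADER: "aws:kms"}, 6 * 1024 ** 3),
]

if __name__ == "__main__":
    for url, headers, size in SAMPLE_REQUESTS:
        print(url, check_put_request(url, headers, size) or "OK")
```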


III. Security

  1. User based
    1. IAM policies — which API calls should be allowed for a specific user from IAM console
    2. Prefer IAM over bucket policies