Encryption best practices for Amazon S3

Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

For server-side encryption in Amazon S3, there are three options:

• Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

• Server-side encryption with AWS Key Management Service (SSE-KMS)

• Server-side encryption with customer-provided encryption keys (SSE-C)

Amazon S3 applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in AWS CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the AWS Command Line Interface (AWS CLI) and AWS SDKs. For more information, see Default encryption FAQ.

If server-side encryption is used to encrypt an object at the time of upload, add the x-amz-server-side-encryption header to the request to tell Amazon S3 to encrypt the object using SSE-S3, SSE-KMS, or SSE-C. The following are the possible values for the x-amz-server-side-encryption header:

• AES256, which tells Amazon S3 to use Amazon S3 managed keys.

• aws:kms, which tells Amazon S3 to use AWS KMS managed keys.

• Setting value as True or False for SSE-C

For more information, see Defense-in-depth requirement 1: Data must be encrypted at rest and during transit in How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data (AWS blog post).

For client-side encryption in Amazon S3, there are two options:

• A key stored in AWS KMS

• A key that is stored within the application

Consider the following encryption best practices for this service:

• In AWS Config, implement the s3-bucket-server-side-encryption-enabled AWS managed rule to validate and enforce S3 bucket encryption.

• Deploy an Amazon S3 bucket policy that validates that all objects being uploaded are encrypted using the s3:x-amz-server-side-encryption condition. For more information, see the example bucket policy in Protecting data using SSE-S3 and the instructions in Adding a bucket policy.

• Allow only encrypted connections over HTTPS (TLS) by using the aws:SecureTransport condition on S3 bucket policies. For more information, see What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?

• In AWS Config, implement the s3-bucket-ssl-requests-only AWS managed rule to require requests to use SSL.

• Use a customer managed key when you need to grant cross-account access to Amazon S3 objects. Configure the key policy to allow access from another AWS account.