AWS provides various options to encrypt your data on S3.
There are 2 types of encryption:
Client side: Client encrypts locally using tool/software of their choices
Server Side encryption: Choose from available choices in AWS
In this video, our focus will be Server Side Encryption (SSE) since Client side is open to your preference/choices/requirement.
Server Side has 3 types of encryption as well:
SSE-S3: One click encryption
SSE-KMS: Using KMS
SSE-C: Not available in console. Customer provides the keys
Encrypt a file using SSE S3:
$ aws s3 cp abcd.txt s3://kms-test11 –sse
To create a kms key:
$ aws kms create-key -description “my kms key”
List all the keys:
$aws kms aws kms list-keys
This will not help us identify the correct key. Create an Alias for the key we created:
aws kms create-alias –alias-name alias/example-alias –target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab
Then let’s list the alias of the keys as well.
$ aws kms list-aliases
To upload and encrypt a file to S3 bucket using your KMS key:
aws s3 cp file.txt s3://kms-test11 –sse aws:kms –sse-kms-key-id 4dabac80-8a9b-4ada-b3af-fc0faaaac5
Upload and encrypt a file using default KMS Key for S3 in the region:
aws s3 cp file.txt s3://kms-test11 –sse aws:kms
Want more information on how to become Amazon AWS Certified? Learn more!