Video 18 Amazon Web Services (AWS) Console & File Encryption
I show you how to give your S3 buckets military grade security by encrypting the files using AWS. I also explain the difference between SSE & SSE-C and why the former is much easier than the latter.
Running time is 5:32
Lesson Eighteen Read
This video will show you how to give the files in your S3 buckets military grade security by encrypting those files. There’s 2 different types of encryptions here – that’s the server-side encryption and the client-side encryption.
Now the server-side encryption is basically managed by Amazon. In other words, they handle the encrypting and the decrypting and all of the decrypting keys are encrypted as well and rotated on a regular basis. It’s pretty secure. With the client-side encryption, that requires you to actually manage all of the encryption keys and the decryption keys yourself, so it does require a little bit more of a learning curb when dealing with the client-side encryption or SSE-C. To keep things simple, I’m just going to stick with the server-side encryption and when I say simple, I mean really simple. In this video, we’re going to be using the server-side encryption through our AWS console.
In the next video, we’re going to do the same thing only with the third party tools that we’ve highlighted throughout this video series, that being Cloudberry S3 explorer, Cyberduck and Bucket Explorer, but for now go ahead and log in to your AWS console, come on over here to the left and click on S3, and click on one of the buckets here so we can check out one of the objects or files here, and let’s go ahead and go with the dollar sign money bag. Let’s go ahead and select that.
Come on over here to properties and under details you can see right here server-side encryption. You can just click on this next to AES which means advanced encryption standard and then click on save. It goes to the transferring process and done. That’s how easy it is to secure that particular object, but it can actually get even easier. Let’s go ahead and decrypt this one real quick. Click on no, click on save.
You can actually do the encryption in the upload process. Let’s go to upload, click on add files and then I’m going to go ahead and select the spring beanie, I don’t think that one’s up there yet. Nope, let’s go ahead and select this one. Click on open and then under set details, right here check that box, server-side encryption is done in the uploading process. Click on start upload, boom. Now if we go ahead and select this one and go to properties and click on none, so that it’s decrypted or no longer encrypted, un-encrypted.
Now then we can encrypt by selecting multiple files at the same time and then come over to properties once you’ve selected those files and then click right here on the radio button next to AES256, click on save, we’re doing all 3 objects, done. That’s how simple it is to encrypt multiple files at the same time.
Now let’s decrypt these because I want to show you one other thing too. Come on back to properties with those still selected. Click on none, click on save. Let’s say for example you have several people that have access to your AWS account and they regularly upload files into this bucket or any bucket for that matter or this what they call a bucket policy because so far we’ve dealt with user policies but you can actually create and enable a bucket policy that will prevent any files from being uploaded unless that person that uploaded them goes through that extra step and encrypts it during the upload process. Let me show you what I’m talking about.
Let’s come on back to the bucket and then click on properties, then go to permissions.
Then right here under Add Bucket Policy, I’m going to go ahead and add a bucket policy and you don’t have to worry about pausing the video to write this stuff down. I’m going to include this as a copy and paste text document along with this video, so all you have to do is copy it from the text document that I give you, paste it in this box here, make one change right here where it says ‘your bucket’ put in the name of the bucket that you want this policy to work with and in this case it’s my.demo-bucket and then click on save. That simple.
Now then, whenever somebody tries to upload an image that’s not encrypted, it’s not going to work or if someone tries to remove the encryption from one of these already encrypted files or objects, it’s not going to let him. Let me show you. Let’s go ahead and upload. Go to add files. Let’s try this one this time. I don’t think I have that one in there, nope. Click on open and click on start upload because I want to be lazy and not do anything about the details. See the transfer take place but it’s not going to let us because it was not encrypted. Now let’s do the same thing, only this time add file, select file, click on open, go to set details, use server-side encryption, click on start upload, the same file only this time it’s done because it did what that bucket policy required.
And if we try to remove or un-encrypt that file, go ahead and select that, come on over to properties, click on details, go to none, so you see it was encrypted but now we want none, click on save, and because of that bucket policy’s in place, it’s not going to let it happen. Pretty powerful stuff.
And that’s going to bring us to the end of this video on how to encrypt your S3 bucket files using AWS console. Thanks for watching and you have a great day.