Tuesday, June 24, 2025

Amazon S3 Encryption | SSE-C.

 

Amazon S3 Encryption – SSE-C (Server-Side Encryption with Customer-Provided Keys)

SSE-C allows twtech to encrypt objects in Amazon S3 using keys that twtech provide and manage itself.

AWS uses twtech key to perform encryption and decryption but does not store the key. This offers maximum control over encryption keys but also comes with significant operational responsibilities.

 Key Features of SSE-C

Feature

Description

Encryption type

AES-256

Key management

Fully managed by twtech (the customer)

Key storage

Key is not stored in AWS (must be provided with each request)

Use case

Organizations needing full control over encryption keys, often for regulatory or internal policy reasons

Supported operations

Uploads, downloads, copy (with key), multipart uploads (with extra complexity)

CloudTrail logging

No key usage logging via CloudTrail since AWS doesn’t manage the keys

 How SSE-C Works

  1. Upload: twtech sends its encryption key along with the PUT request. AWS uses it to encrypt the object before storing it.
  2. Storage: AWS stores only the encrypted object, not your key.
  3. Download: twtech must provide the same key in the GET request for AWS to decrypt and return the object.

 If twtech loses its key, twtech data will become unrecoverable.

 How to Use SSE-C

When uploading or retrieving an object, include these HTTP headers:

  • Encryption request (upload):

# vbnet

 

x-amz-server-side-encryption-customer-algorithm: AES256

x-amz-server-side-encryption-customer-key: <base64-encoded-key>

x-amz-server-side-encryption-customer-key-MD5: <base64-encoded-MD5-of-key>

  • Decryption request (download):

#  vbnet

 

x-amz-server-side-encryption-customer-algorithm: AES256

x-amz-server-side-encryption-customer-key: <base64-encoded-key>

x-amz-server-side-encryption-customer-key-MD5: <base64-encoded-MD5-of-key>

SDKs like AWS CLI or SDK for Python (boto3) support these headers.

 Pros (Benefits)

  • twtech retain full control over encryption keys.
  • AWS never stores or logs your keys.
  • Suitable for strict regulatory or internal control requirements.

 Cons (Limitations)

Limitation

Description

Key must be provided with every request

Uploads, downloads, copies, multipart parts – all need the key.

High operational complexity

twtech must manage key distribution, rotation, and security.

No automatic key rotation

Unlike SSE-KMS, SSE-C requires manual rotation processes.

Incompatible with some features

SSE-C cannot be used with:
– S3 Replication
– S3 Transfer Acceleration
– S3 Select
– Object Lock
– Some S3 event notifications

No CloudTrail logging

Since AWS doesn’t handle the key, it can’t log KMS activity.

Data loss risk

If twtech loses the key, the object is permanently inaccessible.

 When to Use SSE-C

Use SSE-C only if:

  • twtech is required by regulation to supply its own keys and not allow AWS to manage them.
  • twtech have strong internal key management practices and infrastructure.
  • twtech don't need features like replication or advanced analytics that aren’t compatible with SSE-C.

For most use cases, SSE-KMS is a more secure and flexible alternative.


at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Kubernetes Clusters | Upstream Vs Downstream.

  The terms "upstream" and "downstream" in the context of Kubernetes clusters often refer to the direction of code fl...