AWS Server-side encryption (SSE At Rest) - Overview.
Scope:
- Intro,
- AWS offers three primary key management options for SSE,
- Key Benefits,
- Architecture,
- The Concept of
- Core Components,
- Types of Server-Side Encryption, Description & use Cases,
- AWS Services Using SSE,
- Encryption/Decryption Flow (step-by-step through S3 with SSE-KMS),
- KMS (key Management Service) Integration Details,
- Envelope-Encryption-Architecture,
- Best Practices,
- SSE (Server-Side Encryption) vs. CSE (Client-Side Encryption).
Intro:
- AWS Server-side Encryption (SSE) protects data at rest by encrypting it at its destination—the server or service that receives it.
- The process typically uses 256-bit Advanced Encryption Standard (AES-256) to secure objects before they are written to disk and decrypts them only when accessed by an authorized user.
- SSE-S3 (Amazon S3-Managed Keys): AWS manages the entire encryption and decryption process, including key rotation.
- It is the simplest method and is enabled by default for all new S3 object uploads.
- SSE-KMS (AWS Key Management Service): This provides more control and visibility into key usage.
- It allows for fine-grained access control, key rotation management, and detailed audit trails through AWS CloudTrail.
- SSE-C (Customer-Provided Keys): twtech manage its own encryption keys and must provide them with every upload or download request.
- AWS uses twtech key to perform the encryption but does not store the key itself.
- AWS has begun disabling SSE-C by default for new buckets in favor of SSE-KMS.
- A specialized variant, DSSE-KMS (Dual-layer Server-Side Encryption), applies two independent layers of encryption at the object level for highly regulated workloads.
- Compliance: Helps meet regulatory requirements for data protection at the storage layer.
- Security Isolation: Keys are often stored on separate hosts from the data they protect.
- Operational Simplicity: Producers and consumers do not need to manage complex cryptographic operations locally.
The Concept of
- Server-Side Encryption (SSE) means AWS encrypts twtech data at rest on its behalf, before saving it to disk (e.g., in S3, EBS, RDS, DynamoDB, etc.).
- AWS decrypts data transparently when twtech accesses it.
- twtech doesn’t have to handle encryption/decryption in its application code.
- AWS does the encryption/decryption on the code from the server side.
Core Components
1.
Data Encryption Keys (DEK)
- Each object or resource (e.g., S3 object,
EBS volume) is encrypted using a unique symmetric key — the DEK.
- AWS never stores your data unencrypted; DEKs are protected by wrapping them with a Customer Master Key (CMK).
2.
Customer Master Key (CMK) / KMS Key
- Managed in AWS Key Management Service
(KMS).
- Used to encrypt (wrap) and decrypt (unwrap) the DEK.
- CMKs are rotated, audited, and secured in HSMs (FIPS 140-2 Level 3).
3.
Envelope Encryption
AWS uses envelope encryption to
optimize performance:
- Generate a unique DEK for each
object.
- Encrypt the data using that DEK.
- Encrypt (wrap) the DEK with a CMK.
- Store both:
- The encrypted data
- The encrypted DEK (ciphertext key) alongside it
Types of Server-Side
Encryption, Description & use Cases
|
Encryption
Type |
Key
Managed By |
Description |
Sample
Use Case |
|
SSE-S3 |
AWS S3 |
AWS manages the keys automatically |
Default for S3 buckets |
|
SSE-KMS |
AWS KMS |
Uses KMS CMKs; gives you audit
control, rotation, and grants |
Compliance & audit-heavy
environments |
|
SSE-C |
Customer |
twtech supplies the encryption key
with each request |
When you must fully manage keys
yourself |
AWS Services Using SSE,
|
Service |
Encryption
Mechanism |
Key
Management |
|
Amazon S3 |
SSE-S3 / SSE-KMS / SSE-C |
S3 or KMS |
|
Amazon EBS |
AES-256 (via KMS) |
KMS CMK |
|
Amazon RDS |
Transparent Data Encryption (TDE) or KMS |
KMS CMK |
|
Amazon DynamoDB |
AES-256 (via KMS) |
KMS CMK |
|
Amazon SQS / SNS /
Lambda |
KMS |
KMS CMK |
Encryption/Decryption Flow (step-by-step through S3 with SSE-KMS):
1.
Upload (Write Path)
- App uploads object to S3 with SSE-KMS
enabled.
- S3 calls KMS GenerateDataKey API:
- Returns:
- Plaintext DEK
- Encrypted DEK (ciphertext key) wrapped with CMK
- S3 encrypts the object data with the
plaintext DEK (AES-256).
- S3 stores:
- The encrypted data
- The encrypted DEK (ciphertext key)
- Metadata indicating which CMK was used
- The plaintext DEK is discarded
immediately.
2.
Read (Decrypt Path)
- App requests the object.
- S3 retrieves:
- Encrypted object data
- Encrypted DEK
- S3 sends the encrypted DEK to KMS
(Decrypt API).
- KMS returns the plaintext DEK (if IAM
permissions allow).
- S3 decrypts the data with the DEK and
returns plaintext to the app.
- The plaintext DEK is again discarded
after use.
KMS (key
Management Service) Integration Details
KMS APIs involved in
SSE:
- GenerateDataKey – Creates a DEK (plaintext +
encrypted copy)
- Encrypt – Encrypts plaintext data or keys
- Decrypt – Decrypts encrypted DEKs
- ReEncrypt – Re-wraps data keys with a new CMK
- DescribeKey – Fetches metadata and policy details
- ListKeys / ListAliases – Key management and discovery
CMK (Customer-Managed Keys) Policies
- Control which IAM principals can:
- Use the key (kms:Encrypt, kms:Decrypt)
- Administer it (kms:CreateKey, kms:ScheduleKeyDeletion)
Envelope-Encryption-Architecture
Best Practices
- Use SSE-KMS for most workloads — strong audit and access control.
- Enable bucket default encryption (S3) to enforce encryption at upload.
- Use key policies + IAM policies to restrict usage.
- Rotate CMKs automatically (yearly by default).
- Enable CloudTrail logging for all KMS API calls.
- Limit KMS grants and aliases to prevent privilege escalation.
SSE (Server-Side Encryption) vs. CSE (Client-Side Encryption).
|
Aspect |
Server-Side
Encryption |
Client-Side
Encryption |
|
Encryption
location |
AWS Service |
Application |
|
Key
control |
AWS / twtech (via KMS) |
Full customer control |
|
Auditability |
High (via CloudTrail, KMS) |
Depends on implementation |
|
Performance |
Optimized / transparent |
App-level overhead |
|
Compliance |
Built into AWS services |
Custom implementation required |
No comments:
Post a Comment