AWS All-in-One Security Guide: Design, Build, Monitor, and Manage a Fortified Application Ecosystem on AWS by Adrin Mukherjee

Author:Adrin Mukherjee [Mukherjee, Adrin]
Language: eng
Format: epub
Publisher: BPB Publications
Published: 2022-01-15T00:00:00+00:00

Client-side encryption

Client-side encryption can serve as the security of objects in transit. With this strategy, we (or customers) can encrypt the data/objects before sending the same to Amazon S3. The decryption of the objects also takes place after these have been downloaded from Amazon S3. There are essentially two options for enabling the client-side encryption, which are as follows:

Use a CMK stored in AWS KMS In this case, while uploading an object to S3, we can make a request to AWS KMS for a symmetric data key by passing the key-id of an existing CMK. In response, we will get a plaintext version of the data key which is used to encrypt the data/object and an encrypted version of the same data key which can be uploaded to Amazon S3 as object metadata.

During decryption, we can first download the encrypted object from Amazon S3, along with the object metadata that contains the encrypted version of the symmetric data key. Then, we can send a request to AWS KMS to decrypt the encrypted version of the data key by passing the cipher blob (from object metadata) and the CMK key-id. In response, AWS KMS will send the plaintext version of the data key, which should be used to decrypt the encrypted data/object.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.