Uday Tej

Reputation: 111

How can we enable encryption for a particular folder in S3

I have created an S3 bucket. I want to encrypt the objects inside a specific folder in the S3 bucket. How can I do that?

Upvotes: 3

Views: 3193

Answers (2)

amittn

Reputation: 2355

  • We have Server-Side Encryption and Client-Side Encryption.
  • Protecting Data Using Server-Side Encryption: you have three mutually exclusive options, depending on how you choose to manage the encryption keys (aws docs):
  • Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • Use Server-Side Encryption with Keys Stored in AWS KMS (SSE-KMS)
  • Use Server-Side Encryption with Customer-Provided Keys (SSE-C)

    Protecting Data Using Server-Side Encryption (SSE-S3)

  • You can set a policy on the specific bucket to only allow encrypted data in for all the objects inside that bucket (aws doc).

  • Note: in your case the S3 policy would be like this, assuming outbound/globalscape/dlearn as the bucket structure.

  • Go to the AWS console --> click on the outbound folder --> then Permissions --> Bucket policy --> paste the policy below and save.

    S3 policy for the bucket

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::outbound/globalscape/dlearn/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::outbound/globalscape/dlearn/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
  • The bucket policy denies permission to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption:
"s3:x-amz-server-side-encryption": "AES256"
  • This AWS blog, How to Prevent Uploads of Unencrypted Objects to Amazon S3, is basically doing the same thing; to check, go to "Implementing use case #1: Using SSE-S3 managed keys" in the blog.
  • In the above blog, go to "Testing the solutions", where they use the Policy Simulator to test. There as well, in the user policy they have given, you will have to replace this bit: "Resource": "arn:aws:s3:::outbound/globalscape/dlearn/*". The object in the image attached again has to be your bucket, arn:aws:s3:::outbound/globalscape/dlearn/.
  • You can then test it once with the value AES256 and once leaving it blank.


Upvotes: 1
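As an added example (not code from the answer above or from AWS), the script below generates the same prefix-scoped deny policy for any bucket and prefix and then checks sample PutObject requests against it locally, which is what the Policy Simulator step in the answer does by hand. Bucket name, prefix, object keys and request headers are constructed for illustration; the only real API referenced is the condition-key semantics of the policy itself.

```python
import fnmatch
import json


def build_sse_policy(bucket: str, prefix: str, algorithm: str = "AES256") -> dict:
    """Build the two-statement deny policy from the answer for bucket/prefix.

    algorithm is the header value to require: "AES256" for SSE-S3 (as in the
    answer) or "aws:kms" if you want to require SSE-KMS instead."""
    resource = f"arn:aws:s3:::{bucket}/{prefix.strip('/')}/*"
    return {
        "Version": "2012-10-17",
        "Id": "PutObjPolicy",
        "Statement": [
            {   # header present but with the wrong value -> deny
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": algorithm}},
            },
            {   # header absent -> deny
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": resource,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the operators this policy uses against a request context.
    A Condition block is true only if every operator/key pair is true."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)          # None: key absent from the request
            if operator == "Null":
                # "true" means "the key must be absent", "false" means present
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Model assumption: a negated operator on an absent key does not
                # match. Do not rely on the real evaluator either way for absent
                # keys; that is why the policy carries the separate Null statement.
                if actual is None or actual == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def denied_sids(policy: dict, bucket: str, key: str, headers: dict) -> list:
    """Sids of Deny statements matching a PutObject of key with these headers.
    An empty list means this policy does not deny it; the caller still needs
    an Allow from IAM or the bucket policy for the upload to succeed."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    # S3 exposes the upload header as the s3:x-amz-server-side-encryption key
    # and leaves the key out of the context when the header is not sent.
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not fnmatch.fnmatchcase(arn, stmt["Resource"]):   # IAM wildcards: * and ?
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            hits.append(stmt["Sid"])
    return hits


if __name__ == "__main__":
    policy = build_sse_policy("outbound", "globalscape/dlearn")   # constructed names
    print(json.dumps(policy, indent=2))
    key = "globalscape/dlearn/report.csv"
    for hdrs in ({"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"},
                 {}):
        print(hdrs, "->", denied_sids(policy, "outbound", key, hdrs) or "not denied")
```

To apply the generated document with boto3, pass it as `s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))`. Three things the local check makes visible: a request sending `aws:kms` is denied by the first statement, so clients that already use SSE-KMS will break under this policy unless you change `algorithm`; keys outside the prefix are not touched by either statement, so the rest of the bucket is unaffected; and `"Principal": "*"` means the deny applies to every caller, the bucket owner included.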

Juned Ahsan

Reputation: 68715

Encrypting a folder using the Amazon S3 console

  1. Open the Amazon S3 console.

  2. Navigate to the folder that you want to encrypt.

  3. Select the folder, and then choose Actions.

  4. Choose Change encryption.

  5. For Change encryption, select AWS-KMS.

  6. For Select a key, select the AWS KMS key that you want to encrypt the folder with.

  7. Choose Save.

Upvotes: 1
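As an added example (not code from the answer above or from AWS), here is the SDK equivalent of the console's "Change encryption" action. The console rewrites the existing objects; a bucket policy or default encryption setting only affects future uploads. The rewrite is an in-place CopyObject that specifies the new encryption, followed by a HeadObject to confirm the result. The function takes any boto3-style S3 client; `FakeS3` is a constructed stand-in with just enough of `list_objects_v2`, `head_object` and `copy_object` to run offline, and the bucket, keys and KMS key ARN are made up.

```python
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"  # made up


def reencrypt_prefix(s3, bucket, prefix, kms_key_arn):
    """Rewrite every object under prefix with SSE-KMS under kms_key_arn.

    Returns (rewritten, verified): keys that were copied in place, and keys
    that report SSE-KMS with the expected key afterwards (including ones that
    already did and were left alone)."""
    rewritten, verified = [], []
    kwargs = {"Bucket": bucket, "Prefix": prefix}
    while True:                                    # walk every page of the listing
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            key = obj["Key"]
            if key.endswith("/"):
                continue                           # zero-byte "folder" marker, nothing to protect
            head = s3.head_object(Bucket=bucket, Key=key)
            if head.get("ServerSideEncryption") == "aws:kms" and head.get("SSEKMSKeyId") == kms_key_arn:
                verified.append(key)               # already on the right key
                continue
            s3.copy_object(
                Bucket=bucket,
                Key=key,
                CopySource={"Bucket": bucket, "Key": key},   # copy onto itself
                ServerSideEncryption="aws:kms",
                SSEKMSKeyId=kms_key_arn,
                MetadataDirective="COPY",          # keep user metadata, change only encryption
            )
            rewritten.append(key)
            head = s3.head_object(Bucket=bucket, Key=key)
            if head.get("ServerSideEncryption") == "aws:kms" and head.get("SSEKMSKeyId") == kms_key_arn:
                verified.append(key)
        if not page.get("IsTruncated"):
            break
        kwargs["ContinuationToken"] = page["NextContinuationToken"]
    return rewritten, verified


class FakeS3:
    """Constructed stand-in for the boto3 S3 client used by reencrypt_prefix.
    Objects are a dict of key -> encryption attributes; listing is paginated so
    the ContinuationToken path is exercised."""

    def __init__(self, objects, page_size=2):
        self.objects = {k: dict(v) for k, v in objects.items()}
        self.page_size = page_size
        self.copies = 0

    def list_objects_v2(self, Bucket, Prefix, ContinuationToken=None):
        keys = sorted(k for k in self.objects if k.startswith(Prefix))
        start = int(ContinuationToken or 0)
        page = keys[start:start + self.page_size]
        truncated = start + self.page_size < len(keys)
        out = {"Contents": [{"Key": k} for k in page], "IsTruncated": truncated}
        if truncated:
            out["NextContinuationToken"] = str(start + self.page_size)
        return out

    def head_object(self, Bucket, Key):
        return dict(self.objects[Key])

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption,
                    SSEKMSKeyId=None, MetadataDirective="COPY"):
        assert CopySource["Bucket"] == Bucket and CopySource["Key"] in self.objects
        self.copies += 1
        self.objects[Key] = {"ServerSideEncryption": ServerSideEncryption, "SSEKMSKeyId": SSEKMSKeyId}
        return {"ServerSideEncryption": ServerSideEncryption}


SAMPLE_OBJECTS = {   # constructed bucket contents; {} means no encryption reported
    "globalscape/dlearn/": {},
    "globalscape/dlearn/a.csv": {"ServerSideEncryption": "AES256"},
    "globalscape/dlearn/b.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_KEY_ARN},
    "globalscape/dlearn/sub/c.csv": {},
    "globalscape/other/d.csv": {},
}


def demo():
    """Run the rewrite against the constructed bucket; returns what it did."""
    s3 = FakeS3(SAMPLE_OBJECTS)
    rewritten, verified = reencrypt_prefix(s3, "outbound", "globalscape/dlearn/", KMS_KEY_ARN)
    return rewritten, verified, s3.copies


if __name__ == "__main__":
    rewritten, verified, copies = demo()
    print("rewritten:", rewritten)
    print("verified :", verified)
    print("copies   :", copies)   # b.csv already used the key, so it is not copied
```

Against a real bucket call `reencrypt_prefix(boto3.client("s3"), bucket, prefix, kms_key_arn)`. The caller needs `kms:GenerateDataKey` on the target key (and `kms:Decrypt` on any key the objects currently use), a single CopyObject cannot handle objects above 5 GB (those need a multipart copy), and on a versioned bucket the copy creates a new version while the old, differently encrypted version stays until it is deleted or expired.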
