Amazon S3 now encrypts data by default

Amazon’s cloud storage service, Simple Storage Service (S3), now encrypts all new objects added to buckets on the server side, at no additional cost.

In an announcement on the Amazon Web Services (AWS) blog, the company says that while encryption has always been easy to enable, administrators had to remember to turn it on, whereas now the encryption process is “zero clicks”, with no impact on performance.

Existing Amazon S3 customers can verify that their objects are encrypted in the S3 section of the AWS Management Console, and confirm the change by configuring AWS CloudTrail to log data events, although this incurs an additional cost.

Amazon S3’s default encryption method, SSE-S3, uses the AES-256 standard, which has been an optional feature of Amazon S3 since 2011. Here, Amazon generates and manages keys, with no action required from an end user.

In the announcement, Sébastien Stormacq, Senior Developer Advocate at AWS, writes that “the opt-in nature of SSE-S3 meant you had to be sure it was always configured on new buckets and verify that it remained configured correctly over time”. “For organizations that require all of their objects to remain encrypted at rest with SSE-S3, this update helps meet their encryption compliance requirements without additional tools or customer configuration changes”.

Good news

For advanced users looking for more control over the encryption process, the service also offers customer-provided encryption keys (SSE-C) and AWS Key Management Service keys (SSE-KMS), as well as client-side encryption using a library such as the Amazon S3 encryption client, as means of protecting the data.

Many IT administrators will appreciate the variety of ways to secure data, but the simple nature of SSE-S3, which requires no additional knowledge (and now no input) on their part, may appeal to small businesses looking to secure their data.

According to Amazon, the change has been rolled out to all regions where AWS is available. Existing customers can also retroactively encrypt their data by following instructions in another AWS blog post.
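As an added example (not from the AWS announcement or this article), the Python sketch below shows how the CloudTrail data events mentioned above could be used to confirm which server-side encryption mode was applied to each uploaded object. The records are constructed, and the record layout and the `SSEApplied` value are assumptions about CloudTrail's S3 data-event format.

```python
import json

# Constructed sample records, not real logs. The field layout is an assumption
# modeled on CloudTrail S3 data events (PutObject).
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
  "responseElements": {"x-amz-server-side-encryption": "AES256"},
  "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "b.txt"},
  "responseElements": {"x-amz-server-side-encryption": "aws:kms"}},
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "c.txt"},
  "responseElements": {"x-amz-server-side-encryption-customer-algorithm": "AES256"}},
 {"eventName": "PutObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "old.txt"},
  "responseElements": null},
 {"eventName": "PutObject", "errorCode": "AccessDenied",
  "requestParameters": {"bucketName": "example-bucket", "key": "denied.txt"},
  "responseElements": null},
 {"eventName": "GetObject",
  "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"}}
]""")

def classify(record):
    """Return the at-rest encryption mode recorded for one PutObject event."""
    resp = record.get("responseElements") or {}   # may be null in the log
    extra = record.get("additionalEventData") or {}
    if resp.get("x-amz-server-side-encryption-customer-algorithm"):
        return "SSE-C"
    sse = resp.get("x-amz-server-side-encryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        # Separate the bucket default from an explicitly requested SSE-S3.
        default = extra.get("SSEApplied") == "Default_SSE_S3"
        return "SSE-S3 (default)" if default else "SSE-S3"
    return "UNENCRYPTED"

def summarize(records):
    """Map each successfully written object (bucket/key) to its mode."""
    out = {}
    for r in records:
        if r.get("eventName") != "PutObject" or r.get("errorCode"):
            continue  # ignore reads and failed writes
        p = r.get("requestParameters") or {}
        out[f'{p.get("bucketName")}/{p.get("key")}'] = classify(r)
    return out

def unencrypted(records):
    """List objects whose upload event shows no server-side encryption."""
    return sorted(k for k, v in summarize(records).items() if v == "UNENCRYPTED")
```

Client-side encryption is not visible in these events, since the service only records what it applied on the server side.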
