Amazon S3, one of the most popular object storage services, uses proprietary server-side encryption called SSE-S3, which encrypts each object with a unique 256-bit AES key and then encrypts that key itself. Previously, customers had to enable SSE-S3 manually. Now it is automatic. Default encryption comes at no additional cost to customers and has been available since January 5 in all AWS Regions, including AWS GovCloud and AWS China, according to a post on the AWS blog.
Unless customers take action on them, the encryption status of the approximately 280 trillion existing objects will not change, according to the cloud computing provider.
This aligns AWS with Microsoft Azure and Google Cloud, which have used encryption at rest by default for several years. Other vendors, including Oracle Cloud Infrastructure, have also standardized on this practice.
According to Dave Raffo, principal analyst at Evaluator Group, this is a positive step to protect customer data. Customers have come to expect data encryption by default, which has become an unspoken industry standard. Some may incorrectly assume that S3 automatically provides this service.
“Get this benefit without having to upgrade or pay extra… Users expect and demand it. Security is a big topic these days,” insists Dave Raffo.
Several server-side encryption options
In fact, AWS customers have been able to use object encryption in S3 since 2011. SSE-S3 renders data hosted in the storage system unreadable and unusable unless it is decrypted with the corresponding key. It places both the encryption of object data and the management of the keys used to access that data under AWS’s responsibility.
Customers have two other options for encrypting data in buckets: supplying and managing the keys themselves (SSE-C), or using AWS KMS (SSE-KMS) to get an additional level of authorization and an audit trail. Client-side encryption has also been available for some time.
“We heard very early on [that] customers really wanted to enable encryption at rest,” said Kevin Miller, vice president and general manager of Amazon S3. He notes that most objects created in the service already leverage its encryption features.
But making encryption at rest the default required additional testing to ensure that no existing applications were broken by this change, according to Kevin Miller.
“When we make changes like this, we’re super paranoid, every client application should work normally,” he says. “We never changed the default bucket values. It’s the first time we’ve done it.”
An ounce of prevention
AWS’s transition to encryption by default was likely driven by advances in global data protection laws and policies, according to Marc Staimer, president of Dragon Slayer Consulting. In Europe, the provider presents this technique as the main bulwark against sovereignty issues.
While encryption can protect data, it is not a complete security strategy by itself, cautions Marc Staimer. Data is encrypted at rest, as it is written to disks in AWS data centers, and decrypted when a user accesses it. This means the data is still vulnerable to exposure if someone obtains your login credentials through programs like keyloggers or social engineering efforts.
“Most access is not directly to storage. It’s done through the app,” says Marc Staimer. “Every time you present a good defense, the bad guys find a way around it.”
In recent years, AWS has focused on ensuring that customers not only understand how they can protect data in AWS, but also how the hyperscaler’s shared responsibility model for security requires proactive action on their part. This includes the changes to S3 bucket security defaults coming in April 2023.
These changes will alter two default settings for newly created S3 buckets: blocking all public access, and locking object ownership to the bucket owner by disabling ACLs. Reverting either of these settings will require manual configuration.
In the blog post, AWS clarifies that these two settings are already the defaults when creating S3 buckets through the AWS console and are considered security best practices.
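The three defaults discussed above (default server-side encryption, Block Public Access, ACLs disabled via BucketOwnerEnforced) and the point that pre-existing objects are not re-encrypted can all be checked from the responses of the S3 GetBucketEncryption, GetPublicAccessBlock, GetBucketOwnershipControls and HeadObject API calls. The audit below is an added example, not code from AWS or the article; it runs offline over constructed response dicts shaped like those API results, and the two sample buckets are invented.

```python
"""Offline audit of S3 bucket defaults using API-shaped response dicts."""
from typing import Any, Dict, List, Optional

# Algorithms a default-encryption rule may name (SSE-S3 is "AES256").
SSE_ALGORITHMS = {"AES256", "aws:kms"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(encryption: Optional[Dict[str, Any]],
                 public_access_block: Optional[Dict[str, Any]],
                 ownership: Optional[Dict[str, Any]],
                 objects: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of findings; an empty list means the bucket is hardened.
    None for a config means the Get* call reported no configuration."""
    findings: List[str] = []
    rules = (encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {})
              .get("SSEAlgorithm") for r in rules}
    if not algos & SSE_ALGORITHMS:
        findings.append("no default server-side encryption rule")
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings += [f"public access block: {k} is off"
                 for k in PAB_KEYS if not pab.get(k, False)]
    own_rules = (ownership or {}).get("OwnershipControls", {}).get("Rules", [])
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in own_rules):
        findings.append("ACLs still enabled (ObjectOwnership is not BucketOwnerEnforced)")
    # Existing objects keep their original state; HeadObject reports
    # ServerSideEncryption for SSE-S3/SSE-KMS and SSECustomerAlgorithm for SSE-C.
    for key, head in objects.items():
        if "ServerSideEncryption" not in head and "SSECustomerAlgorithm" not in head:
            findings.append(f"object {key!r} is stored unencrypted")
    return findings


# Constructed sample: a bucket created before the new defaults, never hardened.
LEGACY = dict(
    encryption=None, public_access_block=None,
    ownership={"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    objects={"2019/export.csv": {"ContentLength": 4096},
             "2023/export.csv": {"ServerSideEncryption": "AES256"}})
# Constructed sample: a bucket matching the defaults described above.
HARDENED = dict(
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    public_access_block={"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    ownership={"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    objects={"report.pdf": {"ServerSideEncryption": "aws:kms"}})
```

Feeding real responses from boto3's `get_bucket_encryption`, `get_public_access_block`, `get_bucket_ownership_controls` and `head_object` into `audit_bucket` works the same way, with a caught NotFound error passed as `None`.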
This is unlikely to be the last time AWS takes a more hands-on approach to hardening data security. Kevin Miller says the hyperscaler continues to look for ways to protect customer data and to set defaults that encourage best practices.
“You’ll see us making changes to the default settings where we can increase immediate security,” he says.