Force Server Side Encryption for S3 Bucket

I want to set an S3 bucket policy so that all requests to upload to that bucket will use server side encryption, even if it is not specified in the request header.

I have seen this post (Amazon S3 Server Side Encryption Bucket Policy problems) where someone has managed to set a bucket policy that denies all put requests that don't specify server side encryption, but I don't want to deny, I want the puts to succeed but use server side encryption.

My issue is with streaming the output from EMR to my S3 bucket, I don't control the code that is making the requests, and it seems to me that server side encryption must be specified on a per request basis.

qwwqwwq, asked Apr 14 '14 20:04


1 Answer

IMHO there is no way to automatically tell Amazon S3 to turn on SSE for every PUT request. So, what I would investigate is the following:

  • write a script that lists your bucket

  • for each object, get the metadata

  • if SSE is not enabled, use the PUT COPY API (http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html) to add SSE "(...) When copying an object, you can preserve most of the metadata (default) or specify new metadata (...)"

  • If the PUT operation succeeded, use the DELETE object API to delete the original object

Then run that script on an hourly or daily basis, depending on your business requirements. You can use the S3 API in Python (http://boto.readthedocs.org/en/latest/ref/s3.html) to make it easier to write the script.

If this "change-after-write" solution is not valid for you business-wise, you can work at a different level (aligned with Julio's answer above):

  • use a proxy between your API client and the S3 API (like a reverse proxy on your site), and configure it to add the SSE HTTP header for every PUT / POST request. Developers must go through the proxy and must not be authorised to issue requests against S3 API endpoints directly

  • write a wrapper library to add the SSE metadata automatically and oblige developers to use your library on top of the SDK.

The latter two are a matter of discipline in the organisation, as they are not easy to enforce at a technical level.

Seb

Sébastien Stormacq, answered Oct 01 '22 19:10
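The change-after-write script sketched in the answer above, as an added example (not the answerer's code): it assumes a boto3-style S3 client exposing `list_objects_v2`, `head_object` and `copy_object`, and ships a constructed in-memory stand-in (`FakeS3`) so it runs offline. It copies each unencrypted object onto itself with SSE requested rather than copy-then-delete, since an in-place copy replaces the original.

```python
"""Retrofit SSE onto objects already in a bucket: HEAD each key and, when S3
reports no ServerSideEncryption, copy the object onto itself with SSE set."""

def list_keys(s3, bucket):
    """Yield every key in the bucket, following continuation tokens."""
    kwargs = {"Bucket": bucket}
    while True:
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            yield obj["Key"]
        if not page.get("IsTruncated"):
            return
        kwargs["ContinuationToken"] = page["NextContinuationToken"]

def ensure_sse(s3, bucket, key, algorithm="AES256"):
    """Return True if the object was rewritten with SSE, False if it already had it."""
    if s3.head_object(Bucket=bucket, Key=key).get("ServerSideEncryption"):
        return False  # already "AES256" or "aws:kms"
    # Caveat: objects over 5 GB need a multipart copy; that case is not handled here.
    s3.copy_object(Bucket=bucket, Key=key, CopySource={"Bucket": bucket, "Key": key},
                   ServerSideEncryption=algorithm, MetadataDirective="COPY")
    return True

def encrypt_bucket(s3, bucket):
    """Walk the bucket and return the keys that had to be re-encrypted."""
    return [k for k in list_keys(s3, bucket) if ensure_sse(s3, bucket, k)]

class FakeS3:
    """Constructed in-memory stand-in for a boto3 S3 client, so the script runs offline."""
    def __init__(self, sse_by_key):
        self.sse_by_key = dict(sse_by_key)  # key -> SSE algorithm, or None
    def list_objects_v2(self, Bucket, ContinuationToken=None):
        keys = sorted(self.sse_by_key)
        if ContinuationToken is None:  # first page holds one key to exercise paging
            return {"Contents": [{"Key": keys[0]}], "IsTruncated": True, "NextContinuationToken": "p2"}
        return {"Contents": [{"Key": k} for k in keys[1:]], "IsTruncated": False}
    def head_object(self, Bucket, Key):
        sse = self.sse_by_key[Key]
        return {"ServerSideEncryption": sse} if sse else {}
    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption, MetadataDirective):
        self.sse_by_key[Key] = ServerSideEncryption

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real run: python sse_retrofit.py <bucket> (needs boto3 and credentials)
        import boto3
        print(encrypt_bucket(boto3.client("s3"), sys.argv[1]))
    else:  # offline demo on constructed data
        demo = FakeS3({"emr/part-0000": None, "emr/part-0001": "AES256", "emr/part-0002": "aws:kms"})
        print(encrypt_bucket(demo, "constructed-bucket"))  # ['emr/part-0000']
```

S3 has since added bucket-level default encryption (the PutBucketEncryption API), which covers new uploads without any client cooperation; a retrofit pass like this is still needed for objects written before that setting was enabled.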