When we upload data to S3, is it protected in transit by default (via HTTPS maybe)?
I found this article which, if I understand correctly, states S3 does not use HTTPS:
Amazon Simple Storage Service: You can still use HTTP with Amazon S3 and securely make authenticated requests. The service uses a different secure signing protocol.
Should we in this case protect the data in transit with Client-Side Encryption?
Quoting from the Security section of the S3 FAQs:
You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol.
If you're using the https:// endpoint for S3, then your data in transit should be encrypted properly. The quote that you referred to in the question means that it's also possible to access S3 using http:// protocol, in which case the data wouldn't be encrypted in transit. See this related question.
If you were asking specifically about whether AWS CLI encrypts data in transit, then the answer is yes. See this question.
Also, please note that the primary purpose of using client-side encryption would be to encrypt data at rest, and to use an encryption algorithm of your own choosing. If you use client-side encryption but still use the http:// endpoint, your communication over the wire would still be unencrypted, technically speaking, because the cyphertexts being passed over the wire could be extracted by an attacker for analysis.
Update:
https. Quoting from javadocs for AWS Java SDK:
By default, all service endpoints in all regions use the https protocol. To use http instead, specify it in the ClientConfiguration supplied at construction.
And from the javadocs for ClientConfiguration.getProtocol:
The default configuration is to use HTTPS for all requests for increased security.
In essence, you definitely want to use SSL irrespective of whether you want to use client-side encryption or not.
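Because S3 also answers on http://, as the answer above notes, a bucket can be made to refuse non-TLS requests with a bucket policy, and that policy can be audited offline. The following is an added example, not part of the original question or answer: it assumes the AWS global condition key `aws:SecureTransport` (not mentioned on this page), and the bucket name, function names and sample policies are constructed for illustration.

```python
import json

BUCKET = "example-bucket"  # constructed name, used only for this example
ARNS = {f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_tls_deny(stmt):
    """True if stmt denies every S3 action to everyone when TLS is not used."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = {a.lower() for a in as_list(stmt.get("Action", []))}
    if not actions & {"s3:*", "*"}:
        return False
    cond = stmt.get("Condition", {})
    # Any extra condition operator or key would narrow the deny, so reject it.
    if list(cond) != ["Bool"] or len(cond["Bool"]) != 1:
        return False
    key, value = next(iter(cond["Bool"].items()))
    values = [str(v).lower() for v in as_list(value)]
    return key.lower() == "aws:securetransport" and values == ["false"]

def enforces_tls(policy_json, arns=ARNS):
    """True if plain-HTTP requests are denied on the bucket and on its objects."""
    statements = as_list(json.loads(policy_json).get("Statement", []))
    covered = set()
    for stmt in statements:
        if is_tls_deny(stmt):
            covered |= set(as_list(stmt.get("Resource", []))) & set(arns)
    return covered == set(arns)

def make_policy(effect, secure_transport, resources):
    """Build a one-statement policy (constructed sample input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": secure_transport}}}]})

GOOD = make_policy("Deny", "false", sorted(ARNS))
OBJECTS_ONLY = make_policy("Deny", "false", [f"arn:aws:s3:::{BUCKET}/*"])
ALLOW_ONLY = make_policy("Allow", "true", sorted(ARNS))  # does not block HTTP

if __name__ == "__main__":
    for name in ("GOOD", "OBJECTS_ONLY", "ALLOW_ONLY"):
        print(name, enforces_tls(globals()[name]))
```

The check is deliberately conservative: it matches the two exact ARNs and does not expand wildcard resource patterns, so a policy written with wildcards is reported as not enforcing TLS and needs manual review.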