S3 Security Flashcards
Encrypts each object server-side with AES-256 using keys that AWS generates, manages, and owns; the caller does no key management
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Encrypts objects server-side with a key stored in AWS Key Management Service (AWS KMS), so key use is governed by the KMS key policy and every encrypt/decrypt call is logged in CloudTrail
Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
Encrypts objects server-side with a 256-bit key you generate and manage entirely outside AWS and supply in every PUT and GET request (HTTPS only)
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Does Amazon S3 store the encryption key when using SSE-C?
No. S3 uses the key for that request and discards it, keeping only a randomly salted HMAC of the key to validate later requests; lose the key and the object is unrecoverable
Clients encrypt data themselves before sending it to Amazon S3 and decrypt it after retrieving it; the customer fully manages the keys and the whole encryption lifecycle, and S3 only ever sees ciphertext
Client-Side Encryption
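The four cards above differ only in who holds the key, which on the wire comes down to which headers the request carries. The following added example (not from the flashcard set, written for this page) builds the S3 request headers for SSE-S3, SSE-KMS and SSE-C and enforces the two SSE-C rules the cards mention: the key must be exactly 256 bits and the request must go over HTTPS. The header names are the real ones S3 uses; the endpoint and KMS key alias in the usage call are placeholders.

```python
"""Build the server-side-encryption request headers for each S3 SSE mode.

Added example for this flashcard page. Header names are the ones documented
by S3; endpoint and key id values used below are placeholders.
"""
import base64
import hashlib
import os
from urllib.parse import urlparse

SSE_C_KEY_LEN = 32  # SSE-C only accepts a 256-bit AES key


def sse_s3_headers() -> dict:
    """SSE-S3: S3 owns and manages the key, the caller only names the algorithm."""
    return {"x-amz-server-side-encryption": "AES256"}


def sse_kms_headers(kms_key_id: str = "") -> dict:
    """SSE-KMS: the key lives in KMS. With no key id S3 uses the AWS managed key aws/s3."""
    headers = {"x-amz-server-side-encryption": "aws:kms"}
    if kms_key_id:
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def generate_sse_c_key() -> bytes:
    """A fresh random 256-bit key; the caller must keep it, S3 will not."""
    return os.urandom(SSE_C_KEY_LEN)


def sse_c_headers(key: bytes, endpoint: str) -> dict:
    """SSE-C: the raw key travels base64-encoded in the request, with an MD5 of the
    raw key so S3 can detect a corrupted key. The same three headers are required
    again on every GET/HEAD of the object."""
    if len(key) != SSE_C_KEY_LEN:
        raise ValueError(f"SSE-C key must be {SSE_C_KEY_LEN} bytes, got {len(key)}")
    if urlparse(endpoint).scheme != "https":
        # S3 refuses SSE-C over plain HTTP; the key would otherwise cross the wire in the clear.
        raise ValueError("SSE-C requires an HTTPS endpoint")
    key_md5 = hashlib.md5(key).digest()  # integrity check only, not a secret
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode("ascii"),
    }


if __name__ == "__main__":
    # Placeholder endpoint and KMS alias, not real resources.
    print(sse_s3_headers())
    print(sse_kms_headers("alias/example-s3-key"))
    print(sse_c_headers(generate_sse_c_key(), "https://example-bucket.s3.amazonaws.com"))
```

Note that the MD5 header carries a digest of the raw key, not of its base64 form; getting that wrong is the usual cause of an "InvalidArgument" from S3 on SSE-C uploads.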
Encryption in flight (encryption in transit) is also called
SSL/TLS
S3 non-encrypted endpoint
HTTP Endpoint
S3 encryption in flight
HTTPS endpoint; SSE-C requires it, and a bucket policy can enforce it for all requests by denying any request whose aws:SecureTransport condition key is false
Encryption applied automatically to every new object stored in an S3 bucket when the request names no other mode (the default since January 2023)
SSE-S3
Defines a way for client web applications loaded in one domain to interact with resources in a different domain; configured on the bucket as rules of allowed origins, methods, and headers
Cross-Origin Resource Sharing (CORS)
Create a Vault Lock policy and lock it so it can never be edited again (write once, read many); the lock can still be aborted during a 24-hour in-progress window, after which it is permanent
Glacier Vault Lock
Block deletion or overwrite of an object version for a specified retention period (requires a versioning-enabled bucket)
S3 Object Lock
Retention mode in which no user, including the root user, can overwrite or delete an object version or shorten its retention period until it expires
Retention mode - Compliance
Retention mode in which most users can't overwrite or delete an object version or alter its lock settings, but users granted s3:BypassGovernanceRetention can shorten the retention or delete the version, provided the request also carries the header x-amz-bypass-governance-retention: true
Retention mode - Governance
Protects an object version indefinitely, independent of any retention period, until the hold is explicitly removed by a user with s3:PutObjectLegalHold
Legal Hold
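The Object Lock cards above describe three interacting rules (compliance retention, governance retention with its bypass, and legal hold). The following added example, written for this page rather than taken from the flashcards or from AWS, models how S3 decides a DeleteObjectVersion or a retention change under those rules so the edge cases can be checked offline: a legal hold wins regardless of retention, compliance mode blocks everyone until the retain-until date, and governance mode can be bypassed only when the caller both holds s3:BypassGovernanceRetention and sends the bypass header. The `LockState` and `Caller` types are this example's own, not an AWS API.

```python
"""Decision model for S3 Object Lock retention and legal hold.

Added example for this flashcard page; LockState/Caller are illustrative
types, not boto3 or S3 API objects. Rules follow the S3 Object Lock documentation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

COMPLIANCE = "COMPLIANCE"
GOVERNANCE = "GOVERNANCE"


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper for retain-until dates."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class LockState:
    mode: Optional[str]               # COMPLIANCE, GOVERNANCE, or None (no retention)
    retain_until: Optional[datetime]  # None when no retention period is set
    legal_hold: bool = False          # legal hold has no expiry


@dataclass
class Caller:
    has_bypass_permission: bool = False  # granted s3:BypassGovernanceRetention
    sent_bypass_header: bool = False     # request carried x-amz-bypass-governance-retention: true


def retention_active(lock: LockState, now: datetime) -> bool:
    return lock.mode is not None and lock.retain_until is not None and now < lock.retain_until


def governance_bypassed(caller: Caller) -> bool:
    # The permission alone is not enough; the header must be sent explicitly.
    return caller.has_bypass_permission and caller.sent_bypass_header


def can_delete_version(lock: LockState, caller: Caller, now: datetime) -> Tuple[bool, str]:
    """Whether a DeleteObjectVersion on a locked version would succeed, with the reason."""
    if lock.legal_hold:
        # Legal hold is independent of retention and must be removed first.
        return False, "legal hold in place; remove it first (s3:PutObjectLegalHold)"
    if not retention_active(lock, now):
        return True, "no active retention"
    if lock.mode == COMPLIANCE:
        return False, "compliance retention: no user, including root, can delete before retain-until"
    if lock.mode == GOVERNANCE:
        if governance_bypassed(caller):
            return True, "governance retention bypassed"
        return False, "governance retention: need s3:BypassGovernanceRetention and the bypass header"
    raise ValueError(f"unknown retention mode {lock.mode!r}")


def can_set_retain_until(lock: LockState, caller: Caller, new_until: datetime, now: datetime) -> Tuple[bool, str]:
    """Whether the retain-until date can be changed. Extending is always allowed;
    shortening follows the same mode rules as deletion."""
    if not retention_active(lock, now) or new_until >= lock.retain_until:
        return True, "extending or setting retention is permitted"
    if lock.mode == COMPLIANCE:
        return False, "compliance retention can only be extended, never shortened"
    if governance_bypassed(caller):
        return True, "governance retention shortened with bypass"
    return False, "governance retention: shortening requires bypass permission and header"


if __name__ == "__main__":
    now = utc(2024, 1, 1)
    admin = Caller(has_bypass_permission=True, sent_bypass_header=True)
    for label, lock in [
        ("compliance", LockState(COMPLIANCE, utc(2025, 1, 1))),
        ("governance", LockState(GOVERNANCE, utc(2025, 1, 1))),
        ("legal hold only", LockState(None, None, legal_hold=True)),
    ]:
        print(label, can_delete_version(lock, admin, now))
```

The two checks worth remembering from this model: "root can't delete" in compliance mode is a property of the mode, not of IAM, and a governance bypass that passes in the console but fails from a script is almost always a missing bypass header rather than a missing permission.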