New Amazon S3 encryption and security features introduced

Amazon Web Services has announced the availability of five new encryption and security features for the Amazon S3 cloud storage service.

These include:

  • Default object encryption;
  • Permission Checks;
  • Cross-Region Replication Access Control List Overwrite;
  • Cross-Region Replication with AWS Key Management Service; and
  • A detailed inventory report that can be encrypted, and that includes the encryption status of each object.

More on the new features

The Default Encryption option makes it possible to mandate that all objects in a bucket must be stored in encrypted form by installing a bucket encryption configuration.

The option can be enabled through the S3 console when users create a new bucket:

Amazon S3 encryption

“If an unencrypted object is presented to S3 and the configuration indicates that encryption must be used, the object will be encrypted using encryption option specified for the bucket,” AWS Chief Evangelist Jeff Barr explained.

Other ways to make the change are also available, but users also need to keep several things in mind when they implement the feature.

The Permission Checks feature allows users to see the impact of changes to their bucket policies and Access Control Lists as soon as they make them.

There are now prominent indicators of the public accessibility of S3 buckets, meaning that it will be difficult for users to inadvertently open up a bucket for public access and not notice it.

Cross-Region Replication ACL Overwrite makes it possible for users to easily transfer the ownership of copies of objects to owners of destination buckets, as well as set up the key policy for the destination bucket in the destination account.

Cross-Region Replication with AWS Key Management Service allows easier cross-region replication.

Amazon S3 encryption

“Because the KMS keys are specific to a particular region, simply replicating the encrypted object would not work,” Barr pointed out.

“You can now choose the destination key when you set up cross-region replication. During the replication process, encrypted objects are replicated to the destination over an SSL connection. At the destination, the data key is encrypted with the KMS master key you specified in the replication configuration. The object remains in its original, encrypted form throughout; only the envelope containing the keys is actually changed.”

Finally, from now on, daily or weekly S3 inventory reports can, on request, include information on the encryption status of each object, and they can be encrypted themselves.