JTCyberTech / Cybersecurity-Home-Labs


2. AWS S3 Basic Lab Task 3 and 4 #83

Open JTCyberTech opened 1 year ago

JTCyberTech commented 1 year ago

AWS S3 Basics Project

Task 3: S3 Encryption and Bucket Policy

Key Takeaways

Create a New Bucket for Encryption



- Give the new bucket a unique name



- Scroll down to "Default encryption". Make sure "SSE-S3" is selected. Then, click on "Create bucket".
  - SSE-S3: Amazon handles key management on our behalf, so we carry no key-management responsibilities.
  - SSE-KMS: You and Amazon jointly manage the encryption key, and the keys are stored in AWS KMS (AWS Key Management Service), the key management service provided by AWS.



Upload Object to the New Bucket

- Click on the new bucket.



- Click on "Upload".



- Click on "Add files". Select "Text File1.txt". Then, click on "Upload".



- Note that we have successfully uploaded the object and the object is encrypted by AWS using S3 managed keys.

Disable the Encryption on the New Bucket

- Navigate to the new bucket interface. Then, click on "Properties".



- Scroll down and click on "Edit" in the "Default encryption" section.



- For Bucket Key, select "Disable". Then, click on "Save changes".



- Note: We have successfully disabled the encryption.

Create a Bucket Policy that Enforces the Use of S3 Server-Side Encryption

- Navigate to the bucket policies by clicking on "Permissions".



- Click on "Edit" on Bucket policy.



- Click on "Policy generator".



- A new window will open. Enter the following information:
  - For Select Type of Policy: "S3 Bucket Policy".
  - For Effect: select "Deny".
  - For Principal: "*" (applies to all).
  - AWS Service: "Amazon S3".
  - For Actions: select "PutObject".
  - For ARN: navigate back to the Edit bucket policy window and copy the Bucket ARN.
  - Click on "Add Conditions (Optional)".
  - For Condition: select "StringNotEquals".
  - For Key: select "s3:x-amz-server-side-encryption".
  - For Value: "aws:kms".
  - Click on "Add Condition". Then click on "Add Statement".





- Click on "Generate Policy".



- Copy the Policy JSON Document.



- Navigate back to the Edit bucket policy window, paste the Policy JSON Document in the "Policy" section.



- Edit the "Resource" line.
  - Add "/*" at the end of the line, before the closing quotation mark.
  - Click on "Save changes".



- Note: Successfully edited the bucket policy.

Try Uploading an Unencrypted Object to the New Bucket

- Click on "Object".



- Click on "Upload".



- Click on "Add files", select "Text File2.txt".



- Click to expand "Properties". Then scroll down and make sure server-side encryption is set to "Do not specify an encryption key".
- Click on "Upload".



- The object failed to upload.



- Note: it failed because we have enforced encryption on the bucket using bucket policy. Any object that is not encrypted will not be uploaded.

Try Uploading an Encrypted Object to the New Bucket

- Click on "Object".



- Click on "Upload".



- Click on "Add files", select "Text File2.txt".



- Click to expand "Properties". Then scroll down and set server-side encryption to "Specify an encryption key".
  - Select: "Override bucket settings for default encryption".
  - Select: "SSE-KMS".
  - Select: "Choose from your AWS KMS keys".
  - Select: the available KMS key.



- Scroll down, click on upload.



- Successfully uploaded the object.
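
The two upload results above can be reproduced offline. This added example (not part of the original lab) evaluates a policy of the shape the generator produces against three constructed PutObject requests; the bucket name, Sid and the helper functions are assumptions.

```python
import copy
import json

# Constructed placeholder bucket name; the Sid is also made up for this sketch.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyPutWithoutKms",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-encrypted-bucket/*",
    "Condition": {
      "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
    }
  }]
}
""")
OBJECT_ARN = "arn:aws:s3:::example-encrypted-bucket/Text File2.txt"

def resource_matches(pattern, arn):
    # Only a trailing "*" wildcard is modelled in this sketch.
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn

def is_denied(policy, action, arn, headers):
    """True if a Deny statement matches the request (simplified evaluation)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or st["Action"] != action:
            continue
        if not resource_matches(st["Resource"], arn):
            continue
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        # The condition key "s3:<header>" reads the request header "<header>".
        # A negated operator is true when the key is absent, so a PUT that
        # sends no encryption header matches the Deny as well.
        if all(headers.get(k.split(":", 1)[1]) != v for k, v in cond.items()):
            return True
    return False

def without_object_suffix(policy):
    # The policy as generated, before "/*" is appended to Resource.
    p = copy.deepcopy(policy)
    p["Statement"][0]["Resource"] = p["Statement"][0]["Resource"][:-2]
    return p
```

Because the condition value is "aws:kms", an upload that asks for SSE-S3 (`AES256`) is denied as well; only SSE-KMS requests pass. Without the "/*" suffix the Resource names the bucket itself, which no object ARN matches, so the Deny never applies to an upload.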



Task 4: S3 Versioning

Key Takeaways

- Set up S3 bucket with versioning enabled. Then upload versions of the same object in the bucket.

Create a New Bucket with Versioning Enabled

- Click on "Bucket" on the left side bar. Then click on "Create bucket".



- Give the new bucket a unique name



- Scroll down, uncheck the box for "Block all public access".
  - Check the box for: "I acknowledge".



- Enable Bucket Versioning. Then, click on "Create bucket" at the bottom of the page.



Upload Object into the New Bucket

- Click on the new bucket.



- Click on "Upload".



- Click on "Add files". Select "Text File1.txt". Then, click on "Upload".



Access the New Object using Object URL

- Navigate back to the Object interface by clicking on "Close".
- Check the box for "Text File1.txt".
- Click on "Actions" and select "Make public using ACL".



- Click on "Make public".



- Click on "Close" on the top right corner.



- Click on "Text File1.txt".



- Click on the "Object URL".



- Successfully accessed the object.



Edit Text File1.txt Then Upload it Again and Try to Access Object URL

- Edit Text File1.txt by clicking on the .txt file on your computer.
- Write "This is version 2." Then save the .txt file.



- Upload the new "Text File1.txt" to the new bucket again.
- After uploading, navigate to the Object interface by clicking on "Close".
- Click on "Show versions".



- Click on the newer version of "Text File1.txt".



- Click on "Object URL".



- Access Denied.



- Return to the Object interface page.
- Click on "Show versions".
- Check the box for the newer version of "Text File1.txt".
- Click on "Actions". Then, select "Make public using ACL".



- Click on "Make public".



- Try accessing the "Object URL". Access granted.



- Note: We have to make it public separately each time we create a new version.

Deleting an Object

- Return to the Object interface page.
- Check the box for "Text File1.txt".
- Click "Delete".



- Type in: "delete". Then, click on "Delete objects".



- Return to the Object interface page.
- No object is shown in the bucket.



- Click on "Show versions".
- Check the box for "Text File1.txt" with the Delete marker.
- Click on "Delete".



- Type in: "permanently delete". Then, click on "Delete objects".



- Return to the Object interface page.
- The object "Text File1.txt" is back in the bucket.



- Note: We have to delete the deleted version to get the "Text File1.txt" back.
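
The version, ACL and delete-marker behaviour seen in this task can be replayed with a small model. This is an added sketch, not AWS code or part of the original lab; the class, its method names, the version IDs and the version 1 content are all constructed for illustration.

```python
class VersionedKey:
    """Toy model of one key in a versioning-enabled bucket."""

    def __init__(self):
        self.stack = []   # oldest first; the last entry is the current version
        self.next_id = 1

    def _push(self, body, marker):
        vid = f"v{self.next_id}"
        self.next_id += 1
        # A new version never inherits the ACL of the version it replaces.
        self.stack.append({"id": vid, "body": body, "marker": marker, "public": False})
        return vid

    def put(self, body):
        return self._push(body, marker=False)

    def delete(self):
        # Delete without a version ID only stacks a delete marker on top.
        return self._push(None, marker=True)

    def delete_version(self, vid):
        # "Permanently delete": removes exactly one version or marker.
        self.stack = [v for v in self.stack if v["id"] != vid]

    def make_public(self, vid):
        next(v for v in self.stack if v["id"] == vid)["public"] = True

    def listed(self):
        # Default console view, without "Show versions".
        return bool(self.stack) and not self.stack[-1]["marker"]

    def anonymous_can_read(self, vid=None):
        hits = [v for v in self.stack if vid in (None, v["id"])]
        return bool(hits) and hits[-1]["public"] and not hits[-1]["marker"]

def lab_walkthrough():
    key, seen = VersionedKey(), {}
    v1 = key.put("version 1 (constructed content)")
    key.make_public(v1)
    v2 = key.put("This is version 2.")
    seen["v2_before_acl"] = key.anonymous_can_read(v2)    # Access Denied
    seen["v1_still_public"] = key.anonymous_can_read(v1)  # old version stays exposed
    key.make_public(v2)
    seen["v2_after_acl"] = key.anonymous_can_read(v2)
    marker = key.delete()
    seen["listed_after_delete"] = key.listed()
    key.delete_version(marker)
    seen["listed_after_marker_removed"] = key.listed()
    return seen
```

The `v1_still_public` result is the one to check when cleaning up: replacing or deleting an object leaves earlier versions, and any public ACL on them, in place until those versions are removed.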

Disable or Suspend Versioning

- Click on "Properties".



- Click on "Edit" for "Bucket Versioning".



- Select: "Suspend". Check the box for "I acknowledge". Then, click on "Save changes".



- Successfully suspended the bucket versioning.