aldy120 / s3-note

Note for Amazon S3

Default Encryption #35

Open aldy120 opened 1 year ago

aldy120 commented 1 year ago

It does not override the encryption specified in the request.

Default bucket encryption also doesn't override the encryption settings specified in the upload of a new object. For example, if you specify AES256 encryption in your PutObject request to a bucket with default SSE-KMS encryption, then the object maintains AES256 encryption (SSE-S3).

https://repost.aws/knowledge-center/s3-aws-kms-default-encryption

aldy120 commented 1 year ago

You can use the command aws s3api head-object --bucket --key to see an object's encryption information, including whether a bucket key was used.

x-amz-server-side-encryption The server-side encryption algorithm used when storing this object in Amazon S3 (for example, AES256, aws:kms).

Valid Values: AES256 | aws:kms

x-amz-server-side-encryption-aws-kms-key-id If present, specifies the ID of the AWS Key Management Service (AWS KMS) symmetric encryption customer managed key that was used for the object.

x-amz-server-side-encryption-bucket-key-enabled Indicates whether the object uses an S3 Bucket Key for server-side encryption with AWS KMS (SSE-KMS).

x-amz-server-side-encryption-customer-algorithm If server-side encryption with a customer-provided encryption key was requested, the response will include this header confirming the encryption algorithm used.

x-amz-server-side-encryption-customer-key-MD5 If server-side encryption with a customer-provided encryption key was requested, the response will include this header to provide round-trip message integrity verification of the customer-provided encryption key.

aldy120 commented 1 year ago

Not encrypted at all:

aws s3api head-object --bucket dub-bucket-20201110 --key test.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2022-10-09T16:30:53+00:00",
    "ContentLength": 7296,
    "ETag": "\"7c9c53784254d2d01f838ad6861eadb0\"",
    "ContentType": "text/plain",
    "Metadata": {}
}

aldy120 commented 1 year ago

After enabling default encryption on the bucket, set it to a custom KMS key and turn on the bucket key.

First upload a file without any encryption information in the request. The default KMS key gets applied, and the object is also marked as using the bucket key.

aws s3 cp test.txt s3://dub-bucket-20201110/default-encryption.txt
aws s3api head-object --bucket dub-bucket-20201110 --key default-encryption.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-03-08T19:36:15+00:00",
    "ContentLength": 4,
    "ETag": "\"c2513c5ec29f3262b18335986f43eaac\"",
    "ContentType": "text/plain",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84",
    "BucketKeyEnabled": true
}

Specifying the custom key explicitly gives the same result.

aws s3 cp test.txt s3://dub-bucket-20201110/kms-encryption.txt --sse aws:kms --sse-kms-key-id 453aadee-bd33-4e8b-a5a6-e260771dff84
aws s3api head-object --bucket dub-bucket-20201110 --key kms-encryption.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-03-08T19:38:13+00:00",
    "ContentLength": 4,
    "ETag": "\"1622a6b1c7f2526428217b3e945c32b0\"",
    "ContentType": "text/plain",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84",
    "BucketKeyEnabled": true
}

Using the aws/s3 KMS key also results in a bucket key.

aws s3 cp test.txt s3://dub-bucket-20201110/kmss3-encryption.txt --sse aws:kms --sse-kms-key-id 2a52dcea-d58d-4f48-9d6a-409673b8b838
aws s3api head-object --bucket dub-bucket-20201110 --key kmss3-encryption.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-03-08T19:43:45+00:00",
    "ContentLength": 4,
    "ETag": "\"80c15f200227592b882853936107e25a\"",
    "ContentType": "text/plain",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/2a52dcea-d58d-4f48-9d6a-409673b8b838",
    "BucketKeyEnabled": true
}

aldy120 commented 1 year ago

After disabling the bucket key:

aws s3 cp test.txt s3://dub-bucket-20201110/kms-encryption-without-bucket-key.txt --sse aws:kms --sse-kms-key-id 453aadee-bd33-4e8b-a5a6-e260771dff84
aws s3api head-object --bucket dub-bucket-20201110 --key kms-encryption-without-bucket-key.txt
{
    "AcceptRanges": "bytes",
    "LastModified": "2023-03-08T19:56:58+00:00",
    "ContentLength": 4,
    "ETag": "\"68ed90dab16b334128f7b9aee57f4ed7\"",
    "ContentType": "text/plain",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84"
}
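The head-object checks in the comments above are easy to do by hand for a few objects, but an audit of a whole bucket needs the same logic in code: classify each object's encryption mode from the HeadObject fields (ServerSideEncryption, SSEKMSKeyId, BucketKeyEnabled, SSECustomerAlgorithm) and flag anything that deviates from the bucket's intended policy. The script below is an added example, not code from this repository or from AWS. It works purely on dicts shaped like the CLI output shown above; the sample inputs are constructed from those outputs (the ARNs are the ones printed in the thread), plus one constructed SSE-S3 entry to represent the AES256-overrides-default case quoted from the re:Post article. The function names, the policy (expected customer managed key, bucket key required) and the "sse-s3.txt" sample are assumptions for illustration.

```python
"""Classify and audit the server-side encryption state reported by S3 HeadObject.

Added example (not part of the s3-note repository). Input dicts use the same
field names that `aws s3api head-object` prints and that boto3's
s3.head_object() returns, so real responses can be fed in unchanged.
"""
from dataclasses import dataclass
from typing import Optional

# Key ARNs exactly as they appear in the head-object outputs above.
CMK_ARN = "arn:aws:kms:eu-west-1:325227931631:key/453aadee-bd33-4e8b-a5a6-e260771dff84"
AWS_S3_KEY_ARN = "arn:aws:kms:eu-west-1:325227931631:key/2a52dcea-d58d-4f48-9d6a-409673b8b838"


@dataclass(frozen=True)
class SseState:
    mode: str                   # "none" | "SSE-S3" | "SSE-KMS" | "SSE-C"
    kms_key_arn: Optional[str]  # only meaningful for SSE-KMS
    bucket_key: bool            # BucketKeyEnabled, only ever set for SSE-KMS


def classify_sse(head: dict) -> SseState:
    """Derive the encryption mode from a HeadObject response dict.

    SSE-C objects carry SSECustomerAlgorithm and no ServerSideEncryption field;
    SSE-S3 and SSE-KMS are told apart by ServerSideEncryption (AES256 vs aws:kms).
    BucketKeyEnabled is absent (not false) when no S3 Bucket Key was used, as the
    last head-object output in the thread shows, so it is read with a default.
    """
    if head.get("SSECustomerAlgorithm"):
        return SseState("SSE-C", None, False)
    algo = head.get("ServerSideEncryption")
    if algo is None:
        return SseState("none", None, False)
    if algo == "AES256":
        return SseState("SSE-S3", None, False)
    if algo == "aws:kms":
        return SseState("SSE-KMS", head.get("SSEKMSKeyId"), bool(head.get("BucketKeyEnabled", False)))
    # Anything else (e.g. a value this script was not written for) is surfaced, not silently accepted.
    raise ValueError(f"unexpected ServerSideEncryption value: {algo!r}")


def audit_object(key: str, head: dict, expected_key_arn: str, require_bucket_key: bool = True) -> list[str]:
    """Return human-readable findings for one object; empty list means it matches policy.

    Policy (an assumption for this example): every object must be SSE-KMS under
    `expected_key_arn`, and, if `require_bucket_key`, must use an S3 Bucket Key.
    """
    state = classify_sse(head)
    findings: list[str] = []
    if state.mode != "SSE-KMS":
        # Covers plaintext objects and the AES256 request that overrode the bucket default.
        findings.append(f"{key}: expected SSE-KMS, found {state.mode}")
        return findings
    if state.kms_key_arn != expected_key_arn:
        findings.append(f"{key}: encrypted under {state.kms_key_arn}, expected {expected_key_arn}")
    if require_bucket_key and not state.bucket_key:
        findings.append(f"{key}: S3 Bucket Key not used (one KMS call per object instead of per bucket key)")
    return findings


def audit_bucket(heads: dict, expected_key_arn: str, require_bucket_key: bool = True) -> dict:
    """Map object key -> findings, including only objects that have at least one finding."""
    return {
        key: f
        for key, head in heads.items()
        if (f := audit_object(key, head, expected_key_arn, require_bucket_key))
    }


# Constructed sample inputs, trimmed to the encryption-relevant fields of the outputs above.
SAMPLE_HEADS = {
    "test.txt": {"ContentType": "text/plain", "Metadata": {}},  # no SSE fields at all
    "default-encryption.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_ARN, "BucketKeyEnabled": True},
    "kms-encryption.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_ARN, "BucketKeyEnabled": True},
    "kmss3-encryption.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": AWS_S3_KEY_ARN, "BucketKeyEnabled": True},
    "kms-encryption-without-bucket-key.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_ARN},
    # Constructed: a PutObject that asked for AES256 into the SSE-KMS bucket (the re:Post scenario).
    "sse-s3.txt": {"ServerSideEncryption": "AES256"},
}


if __name__ == "__main__":
    for key, findings in audit_bucket(SAMPLE_HEADS, CMK_ARN).items():
        for line in findings:
            print(line)
```

To run this against a live bucket, replace SAMPLE_HEADS with the dicts returned by `boto3.client("s3").head_object(Bucket=..., Key=...)` for each key from list_objects_v2, or with `json.loads` of the CLI output shown in the thread; the field names are identical. Note that HeadObject on an SSE-C object fails unless the customer key is supplied in the request, so an audit that only sees errors for some keys should treat those as a finding rather than skip them.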