open-guides / og-aws

📙 Amazon Web Services — a practical guide
Creative Commons Attribution 4.0 International

Mention S3 server-side encryption #308

Open jlevy opened 8 years ago

jlevy commented 8 years ago

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

Deserves a basic explanation and also a link to the (non-expanding) KMS section.

ajkerrigan commented 7 years ago

This is a related discussion from #questions today:

ahmed [9:11 AM] I think I already know the answer to this question but need confirmation. With SSE-S3 since Amazon is managing the encryption technically if I’m using SSE-S3 for both buckets I can decrypt the contents of both with a regular IAM user that has access to the buckets since it’s just AES256, right?

jose [9:14 AM] Yup should be transparent, as long as the user has permission to the bucket S3 will handle the decryption.

ahmed [9:15 AM] Thought so. If I want to manage the decryption access then I need SSE-KMS

jose [9:16 AM] Well, not really, you'll want client-side encryption for that. SSE-KMS is just telling S3 which keys to use to encrypt it, but access is the same since it's still server side

[9:17]
Really this is just in case someone steals an entire data center worth of drives and your info is on it

[9:18]
Client Side encryption would store the file as unreadable to even S3, the client would encode and decode

ahmed [9:19 AM] Okay hang on a sec. CloudTrail uses SSE-KMS though and you need to grant decryptKey to the IAM user to access the objects. http://docs.aws.amazon.com/kms/latest/developerguide/services-cloudtrail.html http://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-decrypt.html

[9:19]
So CloudTrail is doing object encryption on top of SSE-KMS? (edited)

jose [9:21 AM] CMK

[9:21]
http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html

[9:21]
3 Options

ahmed [9:21 AM] Right

[9:22]
Okay so I think I got a better understanding of that

[9:22]
SSE-KMS is just nice for compliance reasons otherwise SSE-S3 is the way to go because replication is available (edited)

jose [9:24 AM] :+1: (edited)

[9:25]
In this case (s3) KMS is pretty easy and transparent.

[9:26]
EBS and other services are a bit more involved.

mcohen [1:11 PM] So, when using SSE-KMS is the "audit trail" simply CloudTrail, or is there an additional level of reporting only available by/within KMS?

SSE-KMS also provides you with an audit trail of when your key was used and by whom

mcohen [1:16 PM] Wonder if they’ll implement SSE-KMS encrypted replication for S3 objects at some point ?

"Amazon S3 does not keep the encryption keys you provide after the object is created in the source bucket so it cannot decrypt the object for replication, and therefore it does not replicate the object."

[1:16]
...perhaps it's the additional KMS "envelope" key that impedes the decryption?

ajkerrigan [1:19 PM] Not sure about the replication question, but the audit trail comes from CloudTrail

[1:19]
Good reference on that with examples for various KMS events: http://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html

[1:20]
It’s the CloudTrail log format you know and love, just with info relevant to KMS for requestParameters/resources

mcohen [1:26 PM] Thanks for the clarity @ajkerrigan. Those docs state "your log files are encrypted by using Amazon S3 server-side encryption (SSE)", so this further identifies SSE-KMS encrypted objects aren't supported for replication.

[1:27]
maybe someday, as unless using SSE-C, KMS already has the keys

[1:28]
Certainly a bit of a caveat (must use SSE-S3 if/when encrypting), that should be front and center for those requiring replication.

bgdnlp [3:15 PM] SSE-KMS is not only for audit. With SSE-KMS you have two points of access control. One is access to the bucket and the objects in it. The other is access to the key to decrypt the data. It's a subtle difference, but it's important. It basically means that you can have different objects stored with different keys in the same bucket and people would only be able to access the ones that they have the keys to. Also, with SSE-S3, someone getting access to your bucket will automatically have access to the data, because it gets automatically decrypted. With SSE-KMS, they would also need access to the key.

[3:16]
so, for example, SSE-KMS would guard against badly configured access to a bucket (making it public by mistake) simply because it's harder to badly configure two things

[3:18]
or, you can have a bucket that must only be accessible through an instance for example. the associated role has access to the key, but only that role. even if someone gives access to users to the bucket, they still can't get the data

[3:19]
things like that

ahmed [3:20 PM] @bgdnlp I was looking at the documentation today and cloudtrail does in flight encryption of log files before they’re stored in the S3 bucket that also has SSE enabled. With regular s3 SSE-KMS/C/S3 just controls how (how the key is managed) the objects are encrypted on the bucket. The objects themselves are not encrypted so a person just needs standard S3 access to pull the files. (edited)

bgdnlp [3:21 PM] I don't understand

ahmed [3:22 PM] Sorry, lemme see if I can rephrase that to make more sense

[3:22]
CloudTrail has Encryption as an option, it encrypts objects so an IAM user accessing the bucket also needs access to the decryptKey to retrieve the objects. It also uses SSE-KMS for server side encryption

[3:23]
Then there’s a regular S3 bucket and you enable SSE-KMS (or SSE-S3/C, doesn’t matter). That’s just how it’s encrypted on the hardware to protect against data theft in the warehouse

[3:23]
You're not actually encrypting the objects, just the storage layer underneath is encrypted so giving access to an IAM user doesn't require access to the CMK (edited)

bgdnlp [3:24 PM] you mean, when you enable SSE-KMS on a bucket, the objects are not encrypted?

[3:25]
Can you give me a link to the docs? There's a misunderstanding here and I'm not sure on which side, probably mine

ahmed [3:25 PM] S3 manages the encryption/decryption so it’s completely transparent to the user. That’s how I understood it at least (edited)

bgdnlp [3:25 PM] because, you don't enable SSE encryption on a bucket. you ask for encryption for each object in part

[3:26]
yes

ahmed [3:26 PM] http://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html

[3:26]
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

[3:26]
That’s what I was looking at earlier

[3:27]
So, key policy gives s3 service access for SSE-KMS I think. I didn’t find anything stating the client needs access to the CMK (edited)

bgdnlp [3:28 PM] yes, so, let me see if I understand the confusion. for SSE-S3, you set a policy on the bucket that requires the HTTP header asking for the object to be encrypted to be set for each object

[3:28]
if you try to upload an object and it doesn't have that header set, the upload will be denied

[3:29]
if you upload the object WITH the header set, S3 will receive the object, will encrypt it, then it will store it encrypted in the bucket

[3:29]
for SSE-S3, S3 chooses the encryption key. you have no control, you don't have a say in it, because if you chose SSE-S3, you don't care

[3:30]
for SSE-KMS on the other hand, you set two headers. one asking for SSE-KMS encryption and one specifying the key

[3:30]
basically the same process, with the addition of S3 checking that you also have access to the key, then using that specific key to encrypt it

[3:32]
with SSE-C, you require encryption and you pass on the key yourself. S3 encrypts the object, then discards the key, it's your problem

[3:33]
basically, when you set the bucket policies, you only say that upload will be denied unless encryption is set. You can use encryption without the bucket policies, but then it's optional

[3:33]
is that what wasn't clear, or did I totally misunderstand?

ahmed [3:33 PM] So this is the part I haven't gotten a clear answer on: https://og-aws.slack.com/archives/questions/p1487104255002002 (quoting bgdnlp, #questions, today at 3:30 PM: "basically the same process, with the addition of S3 checking that you also have access to the key, then using that specific key to encrypt it")

[3:34]
Does the user or bucket need access to the key (edited)

[3:34]
Since S3 is handling the encryption and not the user (edited)

bgdnlp [3:34 PM] the user. Amazon have access to those keys. With SSE-S3 and SSE-KMS, Amazon can read your data

[3:35]
in theory. I mean, there's a process and controls in place, but they have access to the key and they can read your data

[3:35]
you trust them that they won't

[3:35]
S3 has access and S3 will check that the user has access before encrypting/decrypting

ahmed [3:36 PM] Well that's where the key policy comes in, as with CMK the IAM policy doesn't give access until the key policy allows it. I think I'll just need to test this out tomorrow and see what happens

bgdnlp [3:37 PM] but that's what I said

[3:37]
or, what I meant

ahmed [3:38 PM] Right so if S3 is handling it then it needs to request an encryption key from KMS to encrypt stuff with and I don’t think it will do masquerading to use the IAM users session

[3:38]
I may be talking in circles right now so please tell me if I’m frustrating you

bgdnlp [3:40 PM] I don't know how they do it exactly. I don't think it's masquerading as the user either, as far as I understand S3 basically asks KMS "this guy here asks for this particular key to encrypt data with" and KMS simply says "yeah, he's good, here's the key" or "I don't know who the guy is"

[3:40]
I think

[3:41]
but, does it matter if S3 says "Hi, I'm Guy" or "Hi, I'm talking for Guy"?

[3:42]
(also, S3 doesn't get the CMK, it gets a "data key", encrypted with the CMK. no one gets to see the CMK)

ahmed [3:42 PM] Kinda sorta but not really

[3:42]
Yeah data key (sorry, it’s getting late and I’ve been researching encryption in aws all day)

[3:43]
I’ve been building requirements and that nuance tells me how the key policy should be setup

bgdnlp [3:44 PM] do you mean, if in the key policy you should give access to the user or to S3 service?

ahmed [3:45 PM] Yeah

[3:45]
Or something else

bgdnlp [3:45 PM] oh. user.

[3:45]
but... but... I'm not sure how you give access to a service

[3:45]
easy test though

[3:46]
I mean, I'm talking about keys that you create in KMS for users

ahmed [3:48 PM] kms:ViaService condition

[3:49]
Okay so I guess by double checking that detail I finally answered my question. http://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service

[3:49]
You give a user access to the CMK but that KMS condition is applied so they can only use it with the S3 service

[3:50]
And then an IAM policy condition can be further used to only permit usage with a specific bucket
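The thread above settles that the SSE-KMS "audit trail" is simply CloudTrail: every Encrypt, Decrypt or GenerateDataKey call that S3 makes on a caller's behalf is logged as a KMS event naming the CMK and, in the encryption context, the S3 object. The script below is an added example, not code from the og-aws guide or from anyone in the chat. It reads such records and answers the two questions raised in the discussion: who used which key, and which principals reached the bucket but were stopped at the key. Field names follow the CloudTrail record format; the records, ARNs and account id are constructed for this example, and `load_cloudtrail_file` is there so the same functions can be pointed at a real log file.

```python
"""Summarise KMS key use from CloudTrail records (added example, constructed data)."""
import gzip
import json
from collections import Counter, defaultdict

# Placeholder identifiers (constructed for this example, not real resources).
KEY_ARN = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc12345"
USER_ARN = "arn:aws:iam::123456789012:user/alice"
OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"

# KMS operations S3 issues on a caller's behalf when reading or writing SSE-KMS objects.
KMS_DATA_EVENTS = {"Encrypt", "Decrypt", "GenerateDataKey", "ReEncrypt"}


def _kms_record(time, name, principal, s3_arn, error=None):
    """Build a constructed CloudTrail-style KMS record.

    S3 passes the bucket or object ARN as KMS encryption context under the key
    'aws:s3:arn'; CloudTrail lists the CMK that was used under 'resources'.
    """
    rec = {
        "eventTime": time,
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": principal},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": s3_arn}},
        "resources": [{"ARN": KEY_ARN}],
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample: a role writes and reads one object via S3; a user who has
# bucket access but no kms:Decrypt on the CMK is refused at the key.
SAMPLE_RECORDS = [
    _kms_record("2017-02-14T15:30:01Z", "GenerateDataKey", ROLE_ARN, OBJECT_ARN),
    _kms_record("2017-02-14T15:31:10Z", "Decrypt", ROLE_ARN, OBJECT_ARN),
    _kms_record("2017-02-14T15:32:45Z", "Decrypt", USER_ARN, OBJECT_ARN, error="AccessDenied"),
    # An S3 data event, included to show that the KMS summaries skip it.
    {"eventTime": "2017-02-14T15:32:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": USER_ARN},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"}},
]


def _kms_events(records, failed):
    """Yield KMS data-key records; failed=True selects the ones carrying an errorCode."""
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in KMS_DATA_EVENTS:
            continue
        if bool(rec.get("errorCode")) == failed:
            yield rec


def key_usage(records):
    """Map (principal ARN, key ARN) to {operation: count} for successful KMS calls.

    This is the 'who used which key, and when' view the chat attributes to CloudTrail.
    """
    usage = defaultdict(Counter)
    for rec in _kms_events(records, failed=False):
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for res in rec.get("resources", []):
            usage[(principal, res["ARN"])][rec["eventName"]] += 1
    return {k: dict(v) for k, v in usage.items()}


def denied_key_calls(records):
    """List (eventTime, principal, S3 ARN, errorCode) for KMS calls that failed.

    Bucket permission without key permission surfaces here, not in the S3 logs,
    so this is where the second access-control layer of SSE-KMS becomes visible.
    """
    out = []
    for rec in _kms_events(records, failed=True):
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        out.append((rec["eventTime"], rec.get("userIdentity", {}).get("arn"),
                    ctx.get("aws:s3:arn"), rec["errorCode"]))
    return out


def load_cloudtrail_file(path):
    """Read one delivered CloudTrail log file: gzipped JSON with a top-level 'Records' list."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for (principal, key), ops in key_usage(SAMPLE_RECORDS).items():
        print(f"{principal} used {key}: {ops}")
    for denied in denied_key_calls(SAMPLE_RECORDS):
        print("denied at the key:", denied)
```

On real data, replace `SAMPLE_RECORDS` with the concatenated output of `load_cloudtrail_file` over the files CloudTrail delivers to its bucket; the `eventSource` filter keeps S3 data events (if enabled) out of the KMS view, and the `errorCode` split separates the key-usage report from the access-denied report.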

bgdnlp commented 7 years ago

Personal contribution: http://www.neant.ro/2017/02/aws-encryption-types/

Could be shaped into a better form, then added to the guide.

Ashex commented 7 years ago

I did some further testing, here's the goodies:

The IAM user must have the following permissions to use SSE-KMS:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMSAllow",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:eu-west-1:43122223:key/blah-blah-blah-blah"
      ]
    }
  ]
}

This allows them to upload and download objects with SSE-KMS. Any user lacking those permissions will not be able to GET encrypted objects.

To restrict the CMK to S3 usage the key policy must have the following condition:

      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com"
        }
      }

In the S3 Bucket policy you can then require SSE-KMS and even specify the key id.

bgdnlp commented 7 years ago

Right. Here's a bucket policy that requires KMS encryption using a specific key, courtesy of AWS support:

{
  "Version": "2012-10-17",
  "Id": "RequireKmsKey",
  "Statement": [
    {
      "Sid": "RequireSpecificKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:eu-west-1:123456789012:key/xINSERTx-KEYx-IDxx-HERE-xxxxxxxxxxxx"
        }
      }
    }
  ]
}
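Ashex's comment and bgdnlp's bucket policy together describe two documents that have to agree for SSE-KMS to act as a second access-control layer: the key policy limits where the CMK may be used (`kms:ViaService`), and the bucket policy refuses uploads that do not name that CMK. The following is an added example, not code from the guide or from either commenter: an offline linter that checks both shapes, so a reviewer can tell whether a given pair of policies actually expresses what the thread recommends. The sample policies are constructed from the shapes posted above with placeholder account and key identifiers. It also reports whether the bucket policy carries a companion Deny using the `Null` operator on `s3:x-amz-server-side-encryption`; the posted policy has none, so how an upload that omits the header is treated is something a reviewer would confirm separately. Skipping the account-root statement in the key policy is an assumption about the default key-policy layout, not something the page shows.

```python
"""Lint the key-policy and bucket-policy halves of SSE-KMS enforcement (added example)."""
import fnmatch

REGION = "eu-west-1"
ACCOUNT = "123456789012"  # placeholder account id (constructed)
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/xINSERTx-KEYx-IDxx-HERE-xxxxxxxxxxxx"
DATA_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*"]


def _as_list(value):
    """Most IAM fields accept a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """True if any Action pattern in the statement ('s3:*', 'kms:GenerateDataKey*') covers action."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(statement.get("Action", [])))


def _is_account_root(principal):
    """True for the 'arn:aws:iam::<account>:root' principal of the default key-policy statement."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return any(str(p).endswith(":root") for p in _as_list(aws or []))


def key_policy_grants_outside_s3(key_policy, region=REGION):
    """Return Sids of Allow statements that grant data-key use without pinning it to S3.

    A statement passes only if its StringEquals condition restricts kms:ViaService to
    exactly the region's S3 endpoint, as in Ashex's comment. The account-root statement
    is skipped because it delegates to IAM policies rather than granting a specific caller.
    """
    via_service = f"s3.{region}.amazonaws.com"
    findings = []
    for st in _as_list(key_policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or _is_account_root(st.get("Principal")):
            continue
        if not any(_action_matches(st, a) for a in ("kms:Decrypt", "kms:GenerateDataKey")):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if set(_as_list(cond.get("kms:ViaService", []))) != {via_service}:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def bucket_policy_findings(bucket_policy, key_arn=KEY_ARN):
    """Report how the bucket policy constrains the encryption headers on s3:PutObject."""
    requires_key = False
    rejects_missing_header = False
    for st in _as_list(bucket_policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not _action_matches(st, "s3:PutObject"):
            continue
        cond = st.get("Condition", {})
        if cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption-aws-kms-key-id") == key_arn:
            requires_key = True
        if cond.get("Null", {}).get("s3:x-amz-server-side-encryption") in ("true", True):
            rejects_missing_header = True
    return {"requires_specific_key": requires_key, "rejects_missing_header": rejects_missing_header}


# Constructed key policy: the default root statement, a role limited to use via S3
# (Ashex's condition), and a user statement deliberately lacking the condition.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppRoleViaS3Only", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/app-role"},
         "Action": DATA_KEY_ACTIONS + ["kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}}},
        {"Sid": "AnalystAnywhere", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/analyst"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

# Constructed copy of the bucket policy bgdnlp posted, with the placeholder key ARN.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17", "Id": "RequireKmsKey",
    "Statement": [{"Sid": "RequireSpecificKmsKey", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*",
                   "Condition": {"StringNotEquals": {
                       "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}}],
}

# Constructed weaker variant: demands SSE-KMS but not a particular key, so the
# uploader, not the bucket owner, decides which CMK protects the object.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RequireAnyKms", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*",
                   "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}],
}

if __name__ == "__main__":
    print("key-policy grants not pinned to S3:", key_policy_grants_outside_s3(SAMPLE_KEY_POLICY))
    print("posted bucket policy:", bucket_policy_findings(SAMPLE_BUCKET_POLICY))
    print("weak bucket policy:", bucket_policy_findings(WEAK_BUCKET_POLICY))
```

Feed the functions the JSON returned by `aws kms get-key-policy` and `aws s3api get-bucket-policy` (both return the policy document as a string, so `json.loads` it first) to run the same checks against live configuration.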