Using Encryption to Protect Sensitive Data in Amazon S3
SPL-DD-200-STS3P3-10-EN - Version 1.0.0
© 2021 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.
Corrections, feedback, or other questions? Contact us at AWS Training and Certification.
Data protection refers to protecting data while in transit, as it travels to and from Amazon Simple Storage Service (Amazon S3), and at rest, while it is stored on disks in Amazon S3 data centers. You can protect data in transit using Secure Sockets Layer (SSL), Transport Layer Security (TLS), or client-side encryption. You have the following options for protecting data at rest in Amazon S3:
Server-side encryption is when you request that Amazon S3 encrypt your objects before saving them on disks in its data centers and then decrypt them when you download the objects.
Client-side encryption is when you encrypt data on the client side (locally) and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.
For more information about server-side encryption, refer to Protecting data using server-side encryption in the Additional resources section.
For more information about client-side encryption, refer to Protecting data using client-side encryption in the Additional resources section.
In this lab, you use S3 bucket policies to enforce encryption in transit and at rest. You configure S3 default bucket encryption and explore how its functionality differs from encryption requirements using an S3 bucket policy.
By the end of this lab, you will be able to:
- Explain the types of S3 server-side encryption and the differences between them.
- Implement default encryption on an Amazon S3 bucket.
- Define encryption in transit and at rest requirements using S3 bucket policies.
Technical Knowledge Prerequisites
To successfully complete this lab, you should be familiar with basic navigation of the AWS Management Console and be comfortable editing scripts using a text editor.
Various icons are used throughout this lab to call attention to certain aspects of the guide. The following list explains the purpose of each one:
- The keyboard icon specifies that you must run a command.
- The clipboard icon indicates that you can verify the output of a command or edited file by comparing it to the provided example.
- The note icon specifies important hints, tips, guidance, or advice.
- Calls attention to information of special interest or importance. Failure to read the note does not result in physical harm to the equipment or data, but could result in the need to repeat certain steps.
- The "i" circle icon specifies where to find more information.
- The person with a check mark icon indicates an opportunity to check your knowledge and test what you have learned.
- Suggests a moment to pause to consider how you might apply a concept in your own environment or to initiate a conversation about the topic at hand.
Your company, AnyCompany Medical Imaging, uses Amazon S3 buckets to store a variety of medical information, such as dental records, prescription information, and X-rays. Compliance requirements dictate that data stored in a particular bucket needs to be encrypted in transit using SSL/TLS and at rest using Amazon S3-Managed Keys (SSE-S3) encryption. You have decided to explore S3 default bucket encryption and bucket policies to determine which approach best meets the requirements.
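As an added example (not part of the lab and not an AWS reference policy), the two requirements from the scenario expressed as S3 bucket policy Deny statements, together with a small constructed evaluator that reports which statement would deny a given request. The bucket name is a placeholder, and the evaluator is a simplified model of only the three IAM condition operators the policy uses, not the real policy engine.

```python
import fnmatch

# Constructed bucket name: a placeholder, not a real bucket.
BUCKET = "anycompany-imaging-example"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # In transit: deny every request that is not sent over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # At rest: deny uploads that request any method other than SSE-S3.
            "Sid": "DenyNonSseS3Uploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {   # At rest: deny uploads that carry no encryption header at all,
            # independent of how StringNotEquals treats a missing key.
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _matches(condition, ctx):
    """Simplified model of the three IAM operators used above (not the real engine)."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool" and have != want:
                return False
            if op == "StringNotEquals" and (have is None or have == want):
                return False
            if op == "Null" and (have is None) != (want == "true"):
                return False
    return True


def denied_by(action, ctx):
    """Return the Sid of the first Deny statement that matches the request, or None."""
    for stmt in BUCKET_POLICY["Statement"]:
        if fnmatch.fnmatch(action, stmt["Action"]) and _matches(stmt["Condition"], ctx):
            return stmt["Sid"]
    return None
```

Amazon S3 evaluates bucket policies before it applies default bucket encryption, so with the third statement in place an upload that omits the header is rejected rather than encrypted with SSE-S3 by default; the comparison this lab asks you to make between the two approaches turns on exactly that difference.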
- At the top of your screen, launch your lab by choosing
This starts the process of provisioning your lab resources. An estimated amount of time to provision your lab resources is displayed. You must wait for your resources to be provisioned before continuing.
If you are prompted for a token, use the one distributed to you (or credits you have purchased).
- Open your lab by choosing
This automatically logs you in to the AWS Management Console.
Do not change the Region unless instructed.
Common Login Errors
Error: Federated login credentials
If you see this message:
- Close the browser tab to return to your initial lab window
- Wait a few seconds
- Choose again
You should now be able to access the AWS Management Console.
Error: You must first log out
If you see the message, You must first log out before logging into a different AWS account:
- Choose click here
- Close your browser tab to return to your initial lab window
- Choose again