Encrypting S3 Buckets and EBS Volumes Using KMS

Learn how to secure EBS volumes and S3 using AWS Key Management System.

We'll cover the following

EBS volume encryption
- How does EBS volume encryption works?
S3 data encryption
- How does S3 data encryption with KMS work?

In this lesson, we'll explore the encryption mechanisms for two prevalent AWS resources—S3 buckets and EBS volumes—secured using AWS KMS.

EBS volume encryption

The data stored on an EBS volume can be accessed by attaching the EBS volume with an EC2 instance and then reading the stored data using that instance. Note that, an EBS volume can be attached with multiple EC2 instances at the same time. So, if our EBS volume is unencrypted, anyone who gets access to our EBS volume can attach the volume with an EC2 instance and read the stored data.

Note: When we launch an EC2 instance, a root EBS volume is automatically created and connected to it. By default, this volume is not encrypted.

How does EBS volume encryption works?

To start off the encryption, we have to create a KMS key. After that, we specify that key as the encryption key for the EBS volume. KMS key, however, doesn’t directly encrypt the EBS volume. When we create an encrypted EBS volume, KMS generates a data key using the KMS key for encryption. An encrypted version of that data key is then stored within the metadata of the EBS volume.

Now, when an EBS volume is attached to an EC2 instance, AWS first checks if the principal attaching this volume to the EC2 instance has access to the specified KMS key. If yes, the EBS volume is attached; otherwise, this attachment fails. After the volume has been attached, the EC2 instance fetches the encrypted data key from the volume’s metadata, requests KMS to decrypt the key, and then uses the decrypted key to encrypt the data before storing it on the EBS volume.

Press + to interact

The decrypted encryption key is deleted after the data has been stored or retrieved.

S3 data encryption

Amazon S3 allows users to encrypt their data using AWS Key Management Service (KMS) to manage encryption keys. This way, we can ensure that data uploaded to Amazon S3 is encrypted using AWS KMS, providing an additional layer of security for our sensitive data.

S3 data encryption is of the following types:

Client-side encryption: In this type of encryption, data is encrypted by the user locally and then transmitted to be stored in the S3 bucket. This secures the data both in transition and at rest.
Server-side encryption: In this type of encryption, S3 encrypts our data at the object level when it’s being stored in the bucket. This secures the data in the rest state. When a read request is made, S3 decrypts the data and provides the user with the decrypted data. Server-side encryptions are of further four types:
- Encryption using S3 managed keys: The keys used for encryption are created and managed by S3. This is the default encryption method used by S3.
- Encryption using KMS keys: The keys used for encryption are provided by KMS. These keys can be both AWS-managed or customer-managed KMS keys. Users have more control over these keys as compared to the S3 managed keys.
- Encryption using customer-provided keys: The keys are provided and managed by the user. The user is responsible for ensuring the security and availability of these keys.
- Dual-layer encryption using KMS keys: The keys are provided by KMS. This encryption provides a dual layer of encryption by using different encryption algorithms for each layer. It can be considered the most secure of these encryptions.

How does S3 data encryption with KMS work?

The process of encrypting and decrypting data for S3 buckets using KMS follows a consistent approach across all relevant encryption types. We'll just look at how dual-layer server-side encryption works.

When a KMS key is specified as the encryption key for an S3 bucket, a data key is generated using that KMS key. This encrypted version of this data key is stored as the metadata of the S3 bucket.

When an object is uploaded to the bucket:

S3 requests the KMS to decrypt the encrypted data key.
KMS decrypts that key and sends the plaintext key to S3.
S3 uses multiple encryption algorithms to encrypt the input object twice and stores the encrypted object in the bucket.
S3 deletes the plaintext key, so in case of unauthorized access, this key is not compromised, and the unauthorized user is not able to decrypt the data.

Press + to interact

Get hands-on with 1300+ tech skills courses.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena