Starting January 5th, Amazon S3 will encrypt all new objects with AES-256 by default to protect your data at rest. S3 automatically applies server-side encryption using Amazon S3-managed keys for each new object unless a different encryption option is specified.
The cloud provider claims this change enables security best practices without impacting performance. S3 buckets that don’t have default encryption configured will now apply SSE-S3 as their default setting. Server-side encryption using customer-provided keys (SSE-C) and server-side encryption using AWS Key Management Service (SSE-KMS) are unaffected by the change.
Since 2017, S3’s default encryption feature has been an optional setting for applying encryption to all uploaded objects. From now on, S3 will automatically apply SSE-S3 to all buckets without customer-configured encryption settings. Sébastien Stormacq, Principal Developer Advocate at AWS, explains why this change is important:
It was easy to enable, but due to the opt-in nature of SSE-S3, I had to make sure it was always configured in new buckets and that it was properly configured over time. For organizations that require all objects to remain SSE-S3 encrypted at rest, this update helps meet encryption compliance requirements without additional tools or client configuration changes.
The encryption status of new object uploads and the S3 default encryption settings are available in CloudTrail logs, giving you the option to verify that all new data uploaded to S3 is encrypted. To explain the change, AWS published a Default Encryption FAQ, clarifying that S3 only encrypts uploads of new objects. To encrypt existing objects, the cloud provider suggests using S3 Batch Operations. No changes are required to access objects, but encryption can no longer be disabled for new uploads, and client-side encrypted objects simply gain an extra layer of encryption. Angelica Phaneuf, CISO at the Army Software Factory, wrote:
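One way to use those CloudTrail records for the verification the article mentions, as an added example that is not from the article or from AWS: it parses S3 data events offline and reports, per bucket, which uploads relied on the new default, which chose SSE-KMS explicitly, and which carry no encryption record at all. The log body is constructed, and the `SSEApplied` field and its values are assumed to match what CloudTrail emits for PutObject events.

```python
"""Summarise the server-side encryption applied to new S3 uploads from
CloudTrail data-event records (added example, not AWS code)."""
import json
from collections import Counter, defaultdict

# Constructed sample: a CloudTrail log body trimmed to the relevant fields.
# The SSEApplied field/values are assumed to match real CloudTrail output.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "app-logs", "key": "a.log"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "pii-exports", "key": "u.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "pii-exports", "key": "v.csv"},
     "additionalEventData": {}},  # pre-change style: no SSE recorded
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "requestParameters": {"bucketName": "app-logs", "key": "a.log"}},
]})

# Events that create a new object and therefore get default encryption.
OBJECT_CREATING = ("PutObject", "CopyObject", "CompleteMultipartUpload")


def summarize_upload_encryption(log_text):
    """Return {bucket: Counter({sse_mode: count})} over object-creating events."""
    per_bucket = defaultdict(Counter)
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in OBJECT_CREATING:
            continue
        bucket = rec.get("requestParameters", {}).get("bucketName", "<unknown>")
        mode = rec.get("additionalEventData", {}).get("SSEApplied") or "NONE_RECORDED"
        per_bucket[bucket][mode] += 1
    return dict(per_bucket)


def buckets_relying_on_default(summary):
    """Buckets where uploads got SSE-S3 only via the new default; worth a
    review if policy requires SSE-KMS rather than S3-managed keys."""
    return sorted(b for b, c in summary.items() if c.get("Default_SSE_S3"))


def buckets_with_unencrypted_uploads(summary):
    """Buckets with uploads that carry no SSE record (expected only pre-change)."""
    return sorted(b for b, c in summary.items() if c.get("NONE_RECORDED"))
```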
This is a great release from AWS that advances the security posture of everyone using the cloud.
LIFARS Penetration Tester Segev Eliezer commented:
Now you should configure IMDSv2 by default on your EC2 instance and update GuardDuty’s IAM findings.
Security blogger mellow root considers disk encryption on AWS to be of little use and potentially harmful, claiming it is security theater:
We recommend spending time on IAM permissions, backups, disaster recovery, appsec, or pretty much anything else before disk encryption.
Corey Quinn, chief cloud economist at The Duckbill Group, wrote:
This is a clear benefit for customers. Personally, I think the idea of encrypting objects in S3 at rest is more of a checkbox requirement, nothing more, but that box is checked by default. If so, I’m not complaining.
The S3 changes apply to all AWS Regions and there are no costs associated with using server-side encryption with SSE-S3.