New data stored in Amazon S3 is now encrypted by default, a change that brings the largest hyperscaler in line with its competitors' policies.
S3, Amazon's object storage service, uses a form of server-side encryption called SSE-S3. It encrypts each object with a unique key and then encrypts that key itself with a root key. Previously, customers had to turn SSE-S3 on themselves; now it is applied automatically to every new object unless a different encryption option is specified. The encrypt-by-default behavior is available at no additional cost in all AWS regions, including AWS GovCloud and AWS China, starting January 5, according to an AWS blog post.
The encryption status of the roughly 280 trillion objects already stored in S3 is unchanged, according to the cloud provider: objects that were written unencrypted stay that way unless they are rewritten.
By standardizing encryption on S3, AWS has caught up with Microsoft Azure and Google Cloud Platform, both of which have defaulted to encryption at rest for several years. Smaller cloud providers such as Oracle Cloud Infrastructure also encrypt at rest by default.
According to Dave Raffo, senior analyst at Evaluator Group, the change to S3 is a positive move to protect customer data. Customers have come to expect encryption by default, which has become an unofficial industry standard, and some may have mistakenly assumed S3 already offered it.
“The big change is that everything we send to S3 is encrypted,” Raffo said. “You don’t need to upgrade to get the benefits. Users expect and want it. Security is a hot topic these days.”
Under lock and key
Object encryption in S3 is not a new feature; it has been available to AWS customers since 2011. SSE-S3 encrypts stored object data with AES-256, rendering it unreadable to anyone who does not hold the key needed to decrypt it. With SSE-S3, both the encryption of object data and the management of the keys that unlock it are under AWS's control.
Beyond SSE-S3, customers have two other server-side encryption options: SSE-KMS, which uses keys held in AWS Key Management Service (KMS) so the customer controls the key policy and sees key usage in CloudTrail, and SSE-C, in which the customer supplies the encryption key with each request and AWS discards it after use. The new default only changes what happens when a request names no encryption option at all; a bucket configured for SSE-KMS, or a request that asks for SSE-KMS or SSE-C explicitly, behaves as before.
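Because the bucket default now always reports at least SSE-S3, the practical audit question becomes which mode a bucket is actually using and whether clients are forced to use it. The following is an added example, not code from the article or from AWS. It interprets the configuration shape returned by S3's GetBucketEncryption API, builds the well-known two-statement bucket policy that refuses uploads not explicitly requesting a chosen SSE mode, and includes a deliberately simplified offline evaluator of that policy so the behavior can be checked without an AWS account. The bucket name and the KMS key ARN used in the sample data are hypothetical.

```python
"""Added example (not from the article or AWS): helpers around S3
server-side encryption configuration and enforcement."""
from dataclasses import dataclass
from typing import Optional

# SSEAlgorithm values S3 accepts in ApplyServerSideEncryptionByDefault
SSE_S3 = "AES256"              # SSE-S3: AWS owns and rotates the keys
SSE_KMS = "aws:kms"            # SSE-KMS: customer-chosen key in AWS KMS
SSE_KMS_DSSE = "aws:kms:dsse"  # dual-layer SSE-KMS

# IAM condition key that mirrors the x-amz-server-side-encryption request header
SSE_HEADER = "s3:x-amz-server-side-encryption"


@dataclass(frozen=True)
class EncryptionSummary:
    mode: str                  # "SSE-S3", "SSE-KMS", "DSSE-KMS" or "unknown"
    kms_key_id: Optional[str]  # set only when a specific KMS key is configured
    bucket_key_enabled: bool   # S3 Bucket Keys cut the number of KMS calls


def summarize_encryption(config: dict) -> EncryptionSummary:
    """Interpret a GetBucketEncryption response body.

    After the January 2023 change every bucket reports at least SSE-S3 here,
    so the audit question is really whether a KMS key is in use, and which.
    """
    rules = config["ServerSideEncryptionConfiguration"]["Rules"]
    if not rules:
        raise ValueError("encryption configuration has no rules")
    rule = rules[0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    names = {SSE_S3: "SSE-S3", SSE_KMS: "SSE-KMS", SSE_KMS_DSSE: "DSSE-KMS"}
    return EncryptionSummary(
        mode=names.get(default["SSEAlgorithm"], "unknown"),
        kms_key_id=default.get("KMSMasterKeyID"),
        bucket_key_enabled=bool(rule.get("BucketKeyEnabled", False)),
    )


def require_sse_policy(bucket: str, algorithm: str = SSE_KMS) -> dict:
    """Bucket policy denying PutObject unless the request explicitly asks for
    `algorithm`. Two Deny statements: one for a header carrying the wrong
    value, one (Null) for a request that omits the header entirely. The policy
    inspects the request, not the stored object, so a client that silently
    relies on the bucket default is denied as well; that is the point.
    """
    resource = f"arn:aws:s3:::{bucket}/*"   # bucket name is hypothetical
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyWrongSseHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"StringNotEquals": {SSE_HEADER: algorithm}}},
            {"Sid": "DenyMissingSseHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": resource,
             "Condition": {"Null": {SSE_HEADER: "true"}}},
        ],
    }


def upload_denied(policy: dict, headers: dict) -> bool:
    """Simplified offline check: does any Deny statement match a PutObject
    whose condition context is `headers`? Only the two operators used above
    are modelled. StringNotEquals is matched only when the key is present
    with a different value; the Null statement is what catches absence.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for op, conds in stmt["Condition"].items():
            for key, want in conds.items():
                present = key in headers
                if op == "Null" and (want == "true") == (not present):
                    return True
                if op == "StringNotEquals" and present and headers[key] != want:
                    return True
    return False


# Constructed sample: what GetBucketEncryption returns for a KMS-backed bucket
SAMPLE_KMS_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": SSE_KMS,
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example"},
    "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    print(summarize_encryption(SAMPLE_KMS_CONFIG))
    policy = require_sse_policy("example-bucket")
    for hdrs in ({}, {SSE_HEADER: SSE_S3}, {SSE_HEADER: SSE_KMS}):
        print(hdrs, "denied" if upload_denied(policy, hdrs) else "allowed")
```

The evaluator is intentionally minimal; real IAM evaluation also considers identity policies, explicit allows and the semantics of a missing key under negated operators. Its purpose here is to make the design of the two-statement policy visible: the default encryption does not stop an upload that sends no header, but this policy does.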
Kevin Miller, vice president and general manager of Amazon S3, said AWS "heard early on" that most objects created with the service already make use of its encryption capabilities.
But making encryption at rest the default still required additional testing to ensure the change did not break existing applications, Miller said.
“Making changes like this makes us very nervous that all our customer applications are working fine,” he said. “I’ve never changed bucket defaults. This is the first time I’ve done this.”
An ounce of prevention
According to Marc Staimer, president of Dragon Slayer Consulting, AWS's move to encryption by default may have been driven by advances in data protection laws and policies around the world.
He added that while encryption protects data at rest, it is not in itself a comprehensive security strategy. Encrypted data is decrypted transparently whenever an application with valid credentials reads it, so the data is still exposed if an attacker obtains those credentials, whether through malware such as keyloggers or through social engineering.
“Most access is through applications rather than directly to storage,” Staimer said. “Every time you come up with a good defense, the bad guys find a way around it.”
AWS's messaging over the past few years has focused on ensuring that customers understand not only how AWS protects their data, but also how the hyperscaler's shared responsibility model for security requires active involvement from the customer. That includes changes to S3 bucket security defaults scheduled for April 2023.
Those changes alter two default settings for newly created S3 buckets: S3 Block Public Access is turned on, blocking all public access, and Object Ownership is set to "bucket owner enforced," which disables access control lists (ACLs) and makes the bucket owner the owner of every object. To move either setting away from the new default, the specific parameter must be changed explicitly.
In the announcement blog post, AWS said both settings were already the defaults, and considered security best practices, when a bucket is created through the AWS console; the change extends them to buckets created through the API, CLI and SDKs.
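The new defaults apply only to buckets created after the change, so buckets that already exist still need to be checked against them. The following is an added example, not code from the article or from AWS: it audits bucket settings against the two new defaults using the structures returned by S3's GetPublicAccessBlock and GetBucketOwnershipControls APIs, and produces the request bodies that would bring a non-compliant bucket into line. The bucket names and their settings are constructed sample data.

```python
"""Added example (not from the article or AWS): audit existing buckets
against the S3 defaults AWS applies to newly created buckets from April 2023
(Block Public Access fully on, Object Ownership = BucketOwnerEnforced)."""
from typing import Optional

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}
ENFORCED = "BucketOwnerEnforced"   # ACLs disabled; bucket owner owns every object


def audit_bucket(name: str, pab: Optional[dict], ownership: Optional[dict]) -> list:
    """Return human-readable findings; empty means the bucket matches the new defaults.

    pab is the PublicAccessBlockConfiguration dict, or None when the API
    reports no configuration (equivalent to all four flags being false).
    ownership is the OwnershipControls dict, or None when none is set;
    a bucket without ownership controls behaves as ObjectWriter (ACLs on).
    """
    findings = []
    flags = pab or {}
    disabled = [f for f in PAB_FLAGS if not flags.get(f, False)]
    if disabled:
        findings.append(f"{name}: Block Public Access not fully enabled "
                        f"({', '.join(disabled)} off)")
    rules = (ownership or {}).get("Rules", [])
    mode = rules[0]["ObjectOwnership"] if rules else "ObjectWriter"
    if mode != ENFORCED:
        findings.append(f"{name}: ObjectOwnership is {mode}; ACLs are still evaluated")
    return findings


def remediation(name: str) -> dict:
    """Request bodies that bring a bucket to the new defaults, shaped like the
    inputs to PutPublicAccessBlock and PutBucketOwnershipControls.
    Once BucketOwnerEnforced is set, bucket and object ACLs are no longer
    evaluated, so migrate any ACL-based cross-account grants to a bucket
    policy before applying it to a bucket with findings.
    """
    return {
        "Bucket": name,
        "PublicAccessBlockConfiguration": dict(HARDENED_PAB),
        "OwnershipControls": {"Rules": [{"ObjectOwnership": ENFORCED}]},
    }


# Constructed sample: a legacy bucket with no public access block and
# writer-owned objects, one partially hardened bucket, and one that matches.
SAMPLE_BUCKETS = {
    "legacy-logs": (None, {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}),
    "half-hardened": ({"BlockPublicAcls": True, "IgnorePublicAcls": True},
                      {"Rules": [{"ObjectOwnership": ENFORCED}]}),
    "new-style": (dict(HARDENED_PAB), {"Rules": [{"ObjectOwnership": ENFORCED}]}),
}


def audit_all(buckets: dict = SAMPLE_BUCKETS) -> dict:
    """Map each bucket name to its list of findings."""
    return {n: audit_bucket(n, pab, own) for n, (pab, own) in buckets.items()}


if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, findings or "ok")
        if findings:
            print("  remediation:", remediation(bucket))
```

In a real account the two input dicts would come from `get_public_access_block` and `get_bucket_ownership_controls`, each of which raises a not-found error rather than returning an empty structure when nothing has been configured; mapping that error to `None` is what the audit function expects.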
This is unlikely to be the last time AWS takes a more pragmatic approach to bolstering data security. Miller said the hyperscaler continues to explore ways to protect customer data and to use default settings to encourage better practices.
“We plan to change the defaults so that we can increase security out of the box,” he said.
Tim McCarthy is a journalist living on the North Shore of Massachusetts. He covers news about the cloud and data storage.