Use case:
I want to encrypt the data in transit from s3 as well. Encryption at Rest is already present and handled by S3 encryption key.
My Findings:
I found few articles where is it sates modifying the bucket policy with "aws: SecureTransport" condition.
here is sample bucket policy:
"Version": "2012-10-17",
"Statement": [
"Effect":
"Principal":
"Action":
"Resource": "arn: aws: s3::: example-bucket/**,
"Condition":
I
"Bool":
{
"aws: SecureTransport":
"false"
My concern:
By doing this how the decryption at the receiver end happens? how it needs to be handled?
Assuming a application is accessing the S3 data for some reports.
Could any one help me with this?
CodePudding user response:
Encryption in transit refers to using HTTPS protocol to upload your objects to S3. S3 supports both HTTP (unencrypted) and HTTPS (encrypted) endpoints. Just like with any other website that uses HTTPS, you don't have to do anything. All encryption/decryption is done automatically through HTTPS.
However, since S3 supports HTTP, it may be a security risk to upload objects through HTTP, as objects travel the Internet in a plain-text form. Thus, you can enforce HTTPS for your bucket by setting up the following S3 bucket policy:
CodePudding user response:
Typically, you don't need to do anything with the bucket. Encryption in transit depends on the settings of your, well, in transit methods. So, when you say application is accessing the S3 data - it's not enough. For example, CLI and API encrypt the data out of the box.
If you have a static website, then you can't set it up as HTTPS (that is, with encryption) - only HTTP. (this statement is not 100% correct; but consider it good enough for now). So, if you want to have a static website, then you can front it with CloudFront and have it run over HTTPS.