I wanted to understand the encryption methods of Snowflake. Specifically, I have 2 questions:
- Does Snowflake encrypt data before writing to the S3 bucket? Or does it just rely on the encryption of the S3 bucket by AWS?
- The hierarchy of keys used in Snowflake encryption: how does that help protect against a rogue AWS person who doesn't have access to the customer's KMS?
CodePudding user response:
Please see my response below:
- Does Snowflake encrypt data before writing to the S3 bucket? Or does it just rely on the encryption of the S3 bucket by AWS?
Ans: Yes, Snowflake encrypts the data on the client side and then sends it over to cloud storage, if you are using an internal stage. Internal stages are managed by Snowflake. If you are using an external stage, it is your responsibility to encrypt the file before loading it into the external stage. But once Snowflake loads the data from an external stage into a Snowflake table, it is automatically encrypted by Snowflake.
- The hierarchy of keys used in Snowflake encryption: how does that help protect against a rogue AWS person who doesn't have access to the customer's KMS?
Ans: I did not understand this question. But I think you may need to read about Tri-Secret Secure and customer-managed keys.
CodePudding user response:
With customer-managed keys, the AMK is composed of two keys: AMK-S and AMK-C. AMK-S is a random 256-bit key that is wrapped with the root key stored in the HSM. AMK-C is a second random 256-bit key that is wrapped with the customer key stored in KMS. AMK-S and AMK-C are completely random and unrelated. Both wrapped keys are stored in Snowflake's encryption key hierarchy. And this prevents rogue access to customer data if one of the keys is not matching or available. I would suggest reviewing the following links for a much more in-depth understanding of this concept:
https://www.snowflake.com/blog/customer-managed-keys/
https://docs.snowflake.com/en/user-guide/security-encryption.html
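To make the two-half AMK construction described in the answer above concrete, here is a toy model of that hierarchy. This is an added example and not Snowflake code; it assumes (nothing on this page specifies it) that key wrapping can be stood in for by an HMAC-SHA256 keystream plus integrity tag instead of a real key-wrap cipher, and that the composite AMK is derived from AMK-S and AMK-C with an HKDF-Extract style HMAC. All key material below is generated locally; the `hsm_root_key` and `customer_kms_key` inputs are placeholders for the HSM-held root key and the customer's KMS key.

```python
"""Toy model of a two-half (Tri-Secret style) account master key hierarchy.

Added example, not Snowflake's implementation. Assumptions: key wrap is
modelled with an HMAC-SHA256 keystream plus tag (stand-in for AES Key Wrap);
the composite AMK is HKDF-Extract style HMAC(AMK-S, AMK-C).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit keys at every level of the hierarchy


def _keystream(kek: bytes, label: bytes, length: int) -> bytes:
    """Expand a key-encryption key into a keystream (toy stand-in for a wrap cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, b"ks:" + label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, key: bytes, label: bytes) -> bytes:
    """Wrap `key` under `kek`; output is ciphertext || 32-byte integrity tag."""
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, label, len(key))))
    tag = hmac.new(kek, b"tag:" + label + ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_key(kek: bytes, blob: bytes, label: bytes) -> bytes:
    """Unwrap, refusing (PermissionError) when the KEK is wrong, as an HSM/KMS would."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(kek, b"tag:" + label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError(f"cannot unwrap {label.decode()}: wrong or unavailable KEK")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, label, len(ct))))


def compose_amk(amk_s: bytes, amk_c: bytes) -> bytes:
    """Composite AMK from the two independent halves (assumed HKDF-Extract style HMAC)."""
    return hmac.new(amk_s, b"amk-compose:" + amk_c, hashlib.sha256).digest()


def build_hierarchy(hsm_root_key: bytes, customer_kms_key: bytes) -> tuple[dict, bytes]:
    """Generate AMK-S, AMK-C and a table master key (TMK); return wrapped blobs plus the TMK."""
    amk_s = secrets.token_bytes(KEY_LEN)  # wrapped only under Snowflake's HSM root key
    amk_c = secrets.token_bytes(KEY_LEN)  # wrapped only under the customer's KMS key
    tmk = secrets.token_bytes(KEY_LEN)    # wrapped under the composite AMK
    hierarchy = {
        "amk_s_wrapped": wrap_key(hsm_root_key, amk_s, b"AMK-S"),
        "amk_c_wrapped": wrap_key(customer_kms_key, amk_c, b"AMK-C"),
        "tmk_wrapped": wrap_key(compose_amk(amk_s, amk_c), tmk, b"TMK"),
    }
    return hierarchy, tmk


def unwrap_tmk(hierarchy: dict, hsm_root_key: bytes, customer_kms_key: bytes | None) -> bytes:
    """Normal path: both secrets present. A missing or wrong KEK raises PermissionError."""
    if customer_kms_key is None:
        raise PermissionError("customer KMS key unavailable (disabled or revoked)")
    amk_s = unwrap_key(hsm_root_key, hierarchy["amk_s_wrapped"], b"AMK-S")
    amk_c = unwrap_key(customer_kms_key, hierarchy["amk_c_wrapped"], b"AMK-C")
    return unwrap_key(compose_amk(amk_s, amk_c), hierarchy["tmk_wrapped"], b"TMK")


def rogue_unwrap_with_hsm_only(hierarchy: dict, hsm_root_key: bytes) -> bytes:
    """Insider holding the HSM root key but no KMS access: recovers AMK-S, must guess AMK-C."""
    amk_s = unwrap_key(hsm_root_key, hierarchy["amk_s_wrapped"], b"AMK-S")
    guessed_amk_c = bytes(KEY_LEN)  # one of 2^256 candidates; the tag check rejects it
    return unwrap_key(compose_amk(amk_s, guessed_amk_c), hierarchy["tmk_wrapped"], b"TMK")


if __name__ == "__main__":
    hsm_root, customer_kms = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    blobs, real_tmk = build_hierarchy(hsm_root, customer_kms)
    print("both secrets  :", unwrap_tmk(blobs, hsm_root, customer_kms) == real_tmk)
    for name, call in (("HSM key only  ", lambda: rogue_unwrap_with_hsm_only(blobs, hsm_root)),
                       ("KMS key revoked", lambda: unwrap_tmk(blobs, hsm_root, None))):
        try:
            call()
            print(name, ": UNEXPECTED success")
        except PermissionError as exc:
            print(name, ": refused ->", exc)
```

The point the model makes: an insider who can drive the HSM recovers AMK-S but still has a 256-bit unknown in AMK-C, so the composite AMK, and everything wrapped under it, stays out of reach; disabling the KMS key has the same effect from the customer's side. In the real service the unwrap happens inside the HSM and KMS rather than in application code, but the dependency structure is what this toy preserves.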
CodePudding user response:
Snowflake supports either client-side encryption or server-side encryption. Either can be configured to decrypt files staged in S3 buckets.
For client-side encryption, Snowflake supports using a master key stored in Snowflake; using a master key stored in AWS Key Management Service (AWS KMS) is not supported.
Server-side encryption:
- AWS_SSE_S3: Requires no additional encryption settings.
- AWS_SSE_KMS: Accepts an optional KMS_KEY_ID value.
More details: https://docs.snowflake.com/en/user-guide/data-load-s3-encrypt.html#aws-data-file-encryption
On the Tri-Secret Secure question, a more detailed answer: Tri-Secret benefits