Encrypt files in S3

Last time I wrote about encrypting EBS boot volumes, this week I will continue with the encryption as the main topic by writing about S3 encryption and since it could not have turned out any other way, we will use again KMS for that.

Files in S3 also can be encrypted by using KMS, providing an extra layer of security.
In the example I will use to explain it, I will use:

  • An EC2 instance
  • An IAM role (I will call it “sync”) attached to the EC2 instance
  • S3 Bucket  (I will call it „encrypted-sync“)
  • Key in KMS

Remember that to use roles for applications that run on Amazon EC2 instances instead of AWS credentials is an AWS best practice.


Use Case

Files in the server will synchronise with S3 every 5 minutes. The files will be encrypted in S3.


Graphical overview



As simple as our scenario: Just a command.

/usr/local/bin/aws s3 --region eu-central-1 sync --sse aws:kms --sse-kms-key-id 611g215z-a7j3-3c6f-g59e-f1e6f53b2et3 /data/ s3://encrypted-sync

Here a small explanation for some parts of the command:

--sse (string) Specifies server-side encryption of the object in S3.

--sse-kms-key-id (string) The AWS KMS key ID that should be used to server-side encrypt the object in S3.

In order that the synchronisation takes place every 5 minutes, you just need to create a cronjob.


Encrypted EBS Boot Volumes

Encryption is an important part of any data protection strategy, and because of that today we are showing how encryption for EBS boot volumes works.

This will aid your security, compliance, and auditing efforts by allowing you to verify that all of the data that you store on EBS is encrypted. Further, because this feature makes use of KMS, you can track and audit all uses of the encryption keys.


Creating an Encrypted EBS Boot Volume

First of all you need to create the key you will use to encrypt the boot volume. This is done in IAM:

IAM Management Console

Note that the key must be created in the same region where you want to encrypt the boot volume.

(mehr …)