Amazon Web Services (AWS) - List S3 Bucket Encryption using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

An S3 Bucket is similar to an NFS share in that it is a mountable storage volume.

By default, objects (files) uploaded to an Amazon Web Services (AWS) S3 Bucket are encrypted using Amazon Web Services (AWS) Key Management Service (KMS) Server Side Encryption (SSE-S3).

The aws s3api list-buckets command can be used to list your S3 buckets.

~]$ aws s3api list-buckets
{
    "Buckets": [
        {
            "Name": "my-bucket-abcdefg",
            "CreationDate": "2023-06-02T02:22:19+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a41234567893a77c82240d5abcdc41ff11c123456789c777a5123443743"
    }
}

 

The s3api get-bucket-encryption command can be used to determine if an S3 Bucket has encryption enabled, and if so, to list the encryption algorithm, such as AES256.

~]$ aws s3api get-bucket-encryption --bucket my-bucket-abcdefg
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                },
                "BucketKeyEnabled": true
            }
        ]
    }
}

 

On the other hand, if the S3 Bucket Encryption is disabled, then "BucketKeyEnabled": false should be returned.

~]$ aws s3api get-bucket-encryption --bucket my-bucket-abcdefg
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                },
                "BucketKeyEnabled": false
            }
        ]
    }
}
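
As an added example that is not part of the original article, the following Python wrapper runs the same two s3api calls over every bucket in the account and summarises what get-bucket-encryption reports, including the ServerSideEncryptionConfigurationNotFoundError the CLI returns when a bucket has no default-encryption rule. It assumes the aws CLI is configured as described above; the runner function is injected so the parsing can also be exercised on saved CLI output.

```python
import json
import subprocess


def run_aws(args):
    """Run an aws CLI command and return (returncode, stdout, stderr) as text."""
    proc = subprocess.run(["aws", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def summarize_encryption(rc, stdout, stderr):
    """Turn one get-bucket-encryption result into a small posture summary.

    A non-zero exit whose stderr names ServerSideEncryptionConfigurationNotFoundError
    means the bucket has no default-encryption rule at all. BucketKeyEnabled only
    says whether S3 Bucket Keys are used with SSE-KMS; it is not an on/off switch.
    """
    if rc != 0:
        if "ServerSideEncryptionConfigurationNotFoundError" in stderr:
            return {"algorithm": None, "kms_key": None, "bucket_key": None,
                    "finding": "no default encryption rule"}
        raise RuntimeError(stderr.strip())
    rule = json.loads(stdout)["ServerSideEncryptionConfiguration"]["Rules"][0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    algorithm = default["SSEAlgorithm"]            # "AES256" (SSE-S3) or "aws:kms"
    kms_key = default.get("KMSMasterKeyID")        # only present for SSE-KMS
    finding = "SSE-S3" if algorithm == "AES256" else f"SSE-KMS ({kms_key or 'aws/s3'})"
    return {"algorithm": algorithm, "kms_key": kms_key,
            "bucket_key": rule.get("BucketKeyEnabled", False), "finding": finding}


def audit_buckets(runner=run_aws):
    """List every bucket and summarise its default encryption, keyed by bucket name."""
    rc, out, err = runner(["s3api", "list-buckets"])
    if rc != 0:
        raise RuntimeError(err.strip())
    report = {}
    for bucket in json.loads(out)["Buckets"]:
        name = bucket["Name"]
        report[name] = summarize_encryption(
            *runner(["s3api", "get-bucket-encryption", "--bucket", name]))
    return report


if __name__ == "__main__":
    for name, summary in audit_buckets().items():
        print(f"{name}: {summary['finding']}, BucketKeyEnabled={summary['bucket_key']}")
```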

 

When you upload a file to an S3 Bucket that has encryption enabled, the content of the file will be hashed, often with MD5. This can be seen with the aws s3api list-objects command, whose output should contain an ETag (entity tag), which may or may not be the MD5 hash of the object.

  • Objects created by the PUT Object, POST Object, or Copy operation, or through the AWS Management Console, and are encrypted by SSE-S3 or plaintext, have ETags that are an MD5 digest of their object data.
  • Objects created by the PUT Object, POST Object, or Copy operation, or through the AWS Management Console, and are encrypted by SSE-C or SSE-KMS, have ETags that are not an MD5 digest of their object data.
  • If an object is created by either the Multipart Upload or Part Copy operation, the ETag is not an MD5 digest, regardless of the method of encryption. If an object is larger than 16 MB, the AWS Management Console will upload or copy that object as a Multipart Upload, and therefore the ETag will not be an MD5 digest.

~]# aws s3api list-objects --bucket my-bucket-abcdefg --query 'Contents[?Key==`foo.txt`]'
[
    {
        "Key": "foo.txt",
        "LastModified": "2023-06-08T01:21:59+00:00",
        "ETag": "\"b1946ac9249abdg47c6235b4d1234184\"",
        "Size": 6,
        "StorageClass": "STANDARD",
        "Owner": {
            "DisplayName": "john.doe",
            "ID": "ab0e0a41e3abcd103a77c8224012343fc41ff11cc325c65b5c7abcgf8e743743"
        }
    }
]
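
Added example, not code from the original article: a check that compares an object's ETag (as printed by list-objects) with the MD5 of a local copy, returning None in the cases listed above where the ETag cannot be an MD5 digest, and going beyond the article by computing the ETag S3 assigns to a multipart upload (MD5 of the concatenated binary part digests, followed by the part count). The sse_algorithm and sse_customer arguments are assumed to come from the ServerSideEncryption and SSECustomerAlgorithm fields of aws s3api head-object.

```python
import hashlib


def etag_matches_md5(etag, data, sse_algorithm="AES256", sse_customer=False):
    """Check whether an object's ETag is the MD5 of `data`.

    Returns True or False when the ETag can be an MD5 digest, and None when it
    cannot be one: multipart uploads produce "<hex>-<parts>", and objects stored
    with SSE-KMS or SSE-C carry a non-MD5 ETag. sse_algorithm is the
    ServerSideEncryption value from head-object (None for plaintext objects,
    "AES256" for SSE-S3, "aws:kms" for SSE-KMS); sse_customer is True when
    head-object reports an SSECustomerAlgorithm (SSE-C).
    """
    etag = etag.strip('"')                 # the CLI prints the ETag with quotes
    if "-" in etag or sse_algorithm not in (None, "AES256") or sse_customer:
        return None
    return hashlib.md5(data).hexdigest() == etag.lower()


def multipart_etag(data, part_size):
    """Expected ETag of a multipart upload of `data` with a fixed part size.

    S3 computes it as the MD5 of the concatenated binary part digests, followed
    by "-" and the number of parts. Returned quoted, as list-objects prints it.
    """
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return f'"{hashlib.md5(digests).hexdigest()}-{len(parts)}"'
```

Running the check against the article's foo.txt object (Size 6) with the local content "hello\n" shows whether the listed ETag is really its MD5.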

 

So, how does decryption work? Let's say you use the aws s3api list-buckets command to list your S3 Buckets as johndoe.

~]$ aws s3api list-buckets --profile johndoe
{
    "Buckets": [
        {
            "Name": "my-bucket-abcdefg",
            "CreationDate": "2023-06-02T02:22:19+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a41234567893a77c82240d5abcdc41ff11c123456789c777a5123443743"
    }
}

 

If the johndoe caller identity is in the same AWS account as the S3 Bucket, then the key policy of the aws/s3 Key Management Service (KMS) key includes the kms:Decrypt action for the principals in that account, which is what allows the object in the S3 Bucket to be decrypted. Cool!

{
    "Version": "2012-10-17",
    "Id": "auto-s3-2",
    "Statement": [
        {
            "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "123456789012",
                    "kms:ViaService": "s3.us-east-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*"
            ],
            "Resource": "*"
        }
    ]
}
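
Added example, not part of the original article: two checks over a KMS key policy document, using the aws/s3 policy above (reduced to the fields the checks read) as constructed sample input: which statements grant kms:Decrypt, and which wildcard-principal statements lack the kms:CallerAccount condition that keeps the "*" principal inside the owning account. load_policy is assumed to take the output of aws kms get-key-policy, which wraps the document in a JSON string under "Policy".

```python
import fnmatch
import json

# The aws/s3 key policy shown above, reduced to the fields the checks look at.
AWS_S3_KEY_POLICY = {"Version": "2012-10-17", "Id": "auto-s3-2", "Statement": [
    {"Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
     "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "123456789012",
                                    "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    {"Sid": "Allow direct access to key metadata to the account", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["kms:Describe*", "kms:Get*", "kms:List*"], "Resource": "*"}]}


def load_policy(text):
    """Parse `aws kms get-key-policy --key-id <id> --policy-name default` output;
    the CLI wraps the policy document in a JSON string under "Policy"."""
    doc = json.loads(text)
    return json.loads(doc["Policy"]) if "Policy" in doc else doc


def _actions(stmt):
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else action


def decrypt_grants(policy):
    """Sids of Allow statements whose Action covers kms:Decrypt (wildcards included)."""
    return [s.get("Sid", "") for s in policy["Statement"] if s.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase("kms:decrypt", a.lower()) for a in _actions(s))]


def unscoped_wildcard_principals(policy):
    """Sids of Allow statements with a wildcard Principal but no kms:CallerAccount
    condition; in the policy above that condition is what keeps "*" inside the account."""
    flagged = []
    for s in policy["Statement"]:
        principal = s.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and principal.get("AWS") in ("*", ["*"]))
        keys = {k.lower() for block in s.get("Condition", {}).values() for k in block}
        if s.get("Effect") == "Allow" and anyone and "kms:calleraccount" not in keys:
            flagged.append(s.get("Sid", ""))
    return flagged
```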

 



