Amazon S3 Encrypts New Objects By Default

Starting today, Amazon S3 encrypts new objects by default

In an effort to strengthen its security posture, tech giant Amazon has announced that Amazon S3 encrypts new objects by default. Amazon S3 (Amazon Simple Storage Service) will now automatically apply server-side encryption with S3-managed keys (SSE-S3) to every new object.

“Amazon S3 server-side encryption handles all encryption, decryption, and key management in a totally transparent fashion,” stated Jeff Bezos. “When you put an object, we generate a unique key, encrypt your data with the key, and then encrypt the key with a [root] key.”

To clarify, Amazon S3 encrypts each new object with a unique key and then encrypts that key itself. Previously, customers had to turn on SSE-S3 manually; now it is automatic. As of January 5, automatic encryption is live in all AWS Regions, including AWS GovCloud and AWS China, at no additional cost to customers.

According to Amazon, the encryption status of the 280 trillion existing objects (approximately) will not change.

In the announcement, AWS Senior Developer Advocate Sébastien Stormacq wrote that “the opt-in nature of SSE-S3 meant that you had to be certain that it was always configured on new buckets and verify that it remained configured properly over time. For organizations that require all their objects to remain encrypted at rest with SSE-S3, this update helps meet their encryption compliance requirements without any additional tools or client configuration changes.”

For more advanced users who want more control over the encryption process, Amazon Simple Storage Service also offers customer-provided encryption keys (SSE-C), AWS Key Management Service keys (SSE-KMS), and client-side encryption via a library (the Amazon S3 Encryption Client) as means of protecting user data.
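Because existing objects are not re-encrypted by this change, an organization that must prove everything is encrypted at rest still has to audit what is already stored. The following is an added example, not code from the article or from AWS: it classifies objects by the `ServerSideEncryption` field that S3's HeadObject response returns, and the live audit assumes boto3 is installed and credentials are configured. The sample responses are constructed so the classification logic runs offline.

```python
"""Audit S3 objects for encryption at rest (added example, not AWS code).

A HeadObject response carries ServerSideEncryption = "AES256" for SSE-S3 or
"aws:kms" for SSE-KMS. Objects written before the default change with no
encryption configured carry no such field at all. SSE-C objects cannot be
inspected without the customer key, so HeadObject fails for them.
"""
from collections import Counter


def classify(head: dict) -> str:
    """Map one HeadObject response dict to an encryption category."""
    sse = head.get("ServerSideEncryption")
    if sse == "AES256":
        return "SSE-S3"
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse:
        return "OTHER"
    return "NONE"  # no server-side encryption recorded for this object


def summarize(heads) -> Counter:
    """Count objects per category over an iterable of HeadObject responses."""
    return Counter(classify(h) for h in heads)


def audit_bucket(bucket: str, prefix: str = "") -> Counter:
    """Walk a real bucket and report unencrypted keys (needs boto3 + creds)."""
    import boto3  # imported lazily so the offline part works without it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    counts = Counter()
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            try:
                head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            except ClientError:
                counts["SSE-C-or-error"] += 1  # HeadObject rejects SSE-C without the key
                continue
            category = classify(head)
            counts[category] += 1
            if category == "NONE":
                print(f"unencrypted: s3://{bucket}/{obj['Key']}")
    return counts


# Constructed sample responses, not captured from a real bucket.
SAMPLE_HEADS = [
    {"ServerSideEncryption": "AES256", "ContentLength": 12},
    {"ServerSideEncryption": "aws:kms",
     "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"ContentLength": 4096},  # legacy object stored with no SSE
]

if __name__ == "__main__":
    print(summarize(SAMPLE_HEADS))
```

Run `audit_bucket("your-bucket")` against a real bucket to get the same per-category counts plus a printed line for each unencrypted key.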
