1
00:00:00,210 --> 00:00:01,500
Hi, and welcome to this lecture.

2
00:00:01,500 --> 00:00:03,690
We're going to have a look at encryption options

3
00:00:03,690 --> 00:00:05,160
for our S3 buckets.

4
00:00:05,160 --> 00:00:09,150
So I'll call this one demo-stephane-bucket-encryption.

5
00:00:09,150 --> 00:00:11,340
And then I will scroll down

6
00:00:11,340 --> 00:00:13,500
and I will make sure to enable versioning,

7
00:00:13,500 --> 00:00:14,820
just to show you what it means

8
00:00:14,820 --> 00:00:16,800
with versioning and encryption.

9
00:00:16,800 --> 00:00:17,970
And now we scroll down

10
00:00:17,970 --> 00:00:21,180
and we look at the default encryption options.

11
00:00:21,180 --> 00:00:23,280
So as we can see, we have,

12
00:00:23,280 --> 00:00:27,030
we must specify a default encryption for our buckets.

13
00:00:27,030 --> 00:00:30,330
So it's either SSE-S3 or SSE-KMS,

14
00:00:30,330 --> 00:00:33,810
so that means that any object uploaded into my S3 bucket

15
00:00:33,810 --> 00:00:35,280
is going to be encrypted.

16
00:00:35,280 --> 00:00:37,050
There is no way around it.

17
00:00:37,050 --> 00:00:39,210
Now we're going to choose SSE-S3,

18
00:00:39,210 --> 00:00:42,270
and we'll have a look at the SSE-KMS type of encryption

19
00:00:42,270 --> 00:00:44,220
later on in this lecture.

20
00:00:44,220 --> 00:00:47,040
So let's go ahead and create this bucket.

21
00:00:47,040 --> 00:00:51,120
And because I have specified a default encryption mechanism,

22
00:00:51,120 --> 00:00:53,190
we should, when we upload an object,

23
00:00:53,190 --> 00:00:55,170
figure out that yes indeed it's been uploaded

24
00:00:55,170 --> 00:00:57,240
with the right encryption mechanism.

25
00:00:57,240 --> 00:01:00,933
So let's take a coffee.jpg file, we're going to upload it.

26
00:01:01,890 --> 00:01:02,790
Close this.

27
00:01:02,790 --> 00:01:05,700
And if I go into my coffee.jpg,

28
00:01:05,700 --> 00:01:08,730
scroll down under server-side encryption settings,

29
00:01:08,730 --> 00:01:10,560
I can see that it is encrypted

30
00:01:10,560 --> 00:01:13,533
with Amazon S3-managed keys (SSE-S3).

31
00:01:14,580 --> 00:01:16,170
So that makes sense, right?

32
00:01:16,170 --> 00:01:18,810
And I can go ahead and edit this.

33
00:01:18,810 --> 00:01:22,500
And actually when you edit the encryption of an object,

34
00:01:22,500 --> 00:01:25,740
as you can see this will create a new version of the object.

35
00:01:25,740 --> 00:01:28,530
This is why I enabled the versioning of the bucket,

36
00:01:28,530 --> 00:01:29,610
so you can see,

37
00:01:29,610 --> 00:01:31,680
and you'll have updated settings.

38
00:01:31,680 --> 00:01:32,760
So let's have a look.

39
00:01:32,760 --> 00:01:35,520
So we're going to have server-side encryption.

40
00:01:35,520 --> 00:01:37,830
And do we want to use the bucket settings for default?

41
00:01:37,830 --> 00:01:39,990
No, because we want to do something else.

42
00:01:39,990 --> 00:01:42,150
So we want to override the bucket settings

43
00:01:42,150 --> 00:01:46,860
for default encryption, and I will choose SSE-KMS.

44
00:01:46,860 --> 00:01:51,120
So now when we have SSE-KMS, we need to enter a KMS key.

45
00:01:51,120 --> 00:01:53,790
So either we go with the ARN, the Amazon Resource Name,

46
00:01:53,790 --> 00:01:56,490
or we choose it from an available key.

47
00:01:56,490 --> 00:01:58,380
So here I have two keys,

48
00:01:58,380 --> 00:02:00,690
one I created before, but you don't have it right now.

49
00:02:00,690 --> 00:02:03,600
You should have only the aws/s3.

50
00:02:03,600 --> 00:02:04,920
So I want to show you,

51
00:02:04,920 --> 00:02:07,590
because creating your own key is a paid feature,

52
00:02:07,590 --> 00:02:09,960
so using the one from AWS is not paid.

53
00:02:09,960 --> 00:02:13,980
So this key, the aws/s3 key,

54
00:02:13,980 --> 00:02:17,010
is the default KMS key for your S3 bucket

55
00:02:17,010 --> 00:02:19,740
and you can use it without any cost.

56
00:02:19,740 --> 00:02:22,050
But if you wanted to create your own KMS key,

57
00:02:22,050 --> 00:02:24,330
you can create it and also assign it

58
00:02:24,330 --> 00:02:27,120
as the KMS key to encrypt your object with.

59
00:02:27,120 --> 00:02:31,980
But let's go ahead and use the aws/s3 key together,

60
00:02:31,980 --> 00:02:34,293
and then click on save changes.

61
00:02:35,430 --> 00:02:37,770
Close this, and now if I go into versions,

62
00:02:37,770 --> 00:02:40,890
I can see I have two versions of my object.

63
00:02:40,890 --> 00:02:42,930
And if we look at this current version right here

64
00:02:42,930 --> 00:02:45,480
that I just created, scroll down,

65
00:02:45,480 --> 00:02:49,710
we can see indeed that this is encrypted with SSE-KMS,

66
00:02:49,710 --> 00:02:53,760
and we have the encryption key ARN right here.

67
00:02:53,760 --> 00:02:56,610
Okay, this is exactly the same process

68
00:02:56,610 --> 00:02:58,470
as uploading an object.

69
00:02:58,470 --> 00:03:03,090
So you add a file, and again beach.jpg for example,

70
00:03:03,090 --> 00:03:05,910
and under properties, you scroll down,

71
00:03:05,910 --> 00:03:09,120
and you can actually specify an encryption key.

72
00:03:09,120 --> 00:03:13,110
So you can override what the default is for your bucket.

73
00:03:13,110 --> 00:03:15,120
And so again, we can use the default encryption

74
00:03:15,120 --> 00:03:19,830
or we can override it by choosing SSE-KMS.

75
00:03:19,830 --> 00:03:21,480
So we've seen this.

76
00:03:21,480 --> 00:03:23,880
Now what about the default encryption mechanism?

77
00:03:23,880 --> 00:03:25,110
So where is it handled?

78
00:03:25,110 --> 00:03:27,930
Well, if you go under properties

79
00:03:27,930 --> 00:03:30,570
and you go for default encryption,

80
00:03:30,570 --> 00:03:35,190
you have here the option to choose SSE-S3 or SSE-KMS.

81
00:03:35,190 --> 00:03:36,990
And regarding this bucket key option,

82
00:03:36,990 --> 00:03:41,990
it's just to lower the SSE-KMS key costs if you want to,

83
00:03:42,030 --> 00:03:44,133
if you have a high usage of your bucket.

84
00:03:45,090 --> 00:03:47,880
Now there are two things we don't see in here.

85
00:03:47,880 --> 00:03:50,730
The first one is around SSE-C.

86
00:03:50,730 --> 00:03:54,810
So SSE-C is when you provide your own key outside of AWS,

87
00:03:54,810 --> 00:03:58,200
and this option is not supported by the console,

88
00:03:58,200 --> 00:03:59,100
as you can see.

89
00:03:59,100 --> 00:04:04,100
It is only supported if you use the CLI or the SDK of AWS.

90
00:04:04,680 --> 00:04:07,380
Now the last option of encryption I've shown you

91
00:04:07,380 --> 00:04:10,890
is around client-side encryption,

92
00:04:10,890 --> 00:04:15,420
and client-side encryption is not a server-side encryption,

93
00:04:15,420 --> 00:04:17,310
so there's no option in the console to do it.

94
00:04:17,310 --> 00:04:18,916
What you have to do

95
00:04:18,916 --> 00:04:21,120
is to encrypt the object client-side,

96
00:04:21,120 --> 00:04:22,350
and then you will yourself

97
00:04:22,350 --> 00:04:25,530
upload the encrypted object in AWS

98
00:04:25,530 --> 00:04:27,210
and decrypt it again client-side,

99
00:04:27,210 --> 00:04:29,550
so you don't need to indicate to AWS

100
00:04:29,550 --> 00:04:31,950
that you have encrypted your object on your own.

101
00:04:31,950 --> 00:04:34,290
And that's it, we've seen all the options

102
00:04:34,290 --> 00:04:36,480
for encryption in AWS.

103
00:04:36,480 --> 00:04:39,513
I hope you liked it and I will see you in the next lecture.