Okay. So now let's talk about Amazon S3 encryption for your objects. The idea is that you upload objects onto Amazon S3, and these are servers of AWS, and so you may want to make sure that these objects are not accessible, for example, if someone gets into the Amazon servers, or you want to make sure you adhere to some security standards set up by your company. So as such, Amazon gives you four methods to encrypt objects in Amazon S3. The first one is called SSE-S3. This is to encrypt S3 objects using keys handled and managed by AWS. The second one is SSE-KMS, to leverage AWS Key Management Service to manage your encryption keys. The third one is SSE-C, when you manage your own encryption keys, and finally client-side encryption. Now we're going to do a deep dive on all of those, so don't worry. And it's important to understand which ones are adapted to which situation for the exam, because the exam will definitely ask you questions to choose the right level of encryption based on the scenario. So let's do a deep dive first on SSE-S3.
This is an encryption where the keys used to encrypt the data are handled and managed by Amazon S3. The object is going to be encrypted server-side. SSE means server-side encryption. And the type of encryption is AES-256, which is an algorithm. So for this, to upload an object and set the SSE-S3 encryption, you must set a header called x-amz-server-side-encryption with the value AES256. x-amz stands for X Amazon. So X Amazon server-side encryption AES-256, and this is how you remember the name of the header. So let's have a look. We have an object and it is unencrypted. We have it written out and we want to upload it into Amazon S3 and perform some SSE-S3 encryption. So for this, we're going to upload the object onto Amazon S3. You can use the HTTP protocol or the HTTPS protocol, and you can add the header that we said, the x-amz-server-side-encryption: AES256.
And then Amazon S3, thanks to this header, knows that it should apply its own S3-managed data key, and using the S3-managed key and the object, some encryption will happen and the object will be stored encrypted into your Amazon S3 buckets. Very simple, but here in this instance the data key is entirely owned and managed by Amazon S3. Next, SSE-KMS. So we haven't seen what KMS is right now; we'll see it pretty much towards the end of this course on the security side. But KMS is Key Management Service, which is an encryption service for you. So SSE-KMS is when you have your encryption keys that are handled and managed by the KMS service. Why would you use KMS over SSE-S3? Well, it gives you control over who has access to what keys and also gives you an audit trail. Each object is going to be, again, encrypted server-side, and for this to work, we must set the header x-amz-server-side-encryption to the value aws:kms. So the idea is exactly the same because it is server-side encryption.
We have the object we upload using HTTP and the header, and then using this header, Amazon S3 knows to apply the KMS customer master key you have defined on top of it, and using this customer master key, so the key you defined, and your object, there's some encryption that will happen and the file will be stored in your S3 buckets under the SSE-KMS encryption scheme. Next, we have SSE-C, which stands for server-side encryption using the keys that you provide yourself, outside of AWS. So in this case, Amazon S3 does not store the encryption key you provide, so it will absolutely have to use it because it needs to do encryption, but then that key will be discarded. For this, to transmit the data into AWS, you must use HTTPS, because you're going to send a secret to AWS and so you must have encryption in transit. The encryption key must be provided in the HTTP headers for every HTTP request made, because it's going to be discarded every single time.
So we have the object and we want to have it encrypted in Amazon S3, but we want to provide ourselves the client-side data key to perform the encryption. So we send both of these things over HTTPS, so it's an encrypted connection between you, the client, and Amazon S3, and the data key is in the header, so therefore Amazon S3 receives the exact same object and the client-provided data key. And then again, it is server-side encryption, so Amazon S3 will perform the encryption using these two things and store the encrypted object into your S3 buckets. If you wanted to retrieve that file from Amazon S3 using SSE-C, you would need to provide as well the same client-side data key that was used, so it requires a lot more management on your end, because you manage the data keys and Amazon, or AWS in general, does not know which data keys you have used. So it's a bit more involved. Okay. And then finally, client-side encryption. So it is when the client, so you, encrypts the object before uploading it into Amazon S3.
Some client libraries can help you do this; for example, the Amazon S3 Encryption Client is a way to perform that client-side encryption, and as I said, clients must encrypt data before sending it to S3. And then in case you receive data that is encrypted using client-side encryption, also CSE, then you are solely responsible for decrypting the data yourself as well, so you need to make sure you have the right key available. So, as I said, in client-side encryption the customer manages entirely the keys and the encryption cycle. So let's have an example. Amazon S3 this time is just the bucket, where it's not doing any encryption for us, because it is client-side encryption, not server-side encryption. And so in the client we'll use an encryption SDK, for example the S3 Encryption SDK: we'll provide the object and our client-side data key. The encryption will happen client-side, so the object is going to be fully encrypted on the client side, and then we are going to just upload that already encrypted object into Amazon S3.
Okay. So that's the four types of encryption; hopefully that makes sense. And I've been mentioning encryption in transit in this lecture, and I'll make it very clear what it is. That's around SSL and TLS connections. So Amazon S3 is the service, and it exposes an HTTP endpoint that is not encrypted, and it exposes an HTTPS endpoint which is encrypted and provides what's called encryption in flight, which relies on SSL and TLS certificates. So you're free to use the endpoint you want, but if you use the console, for example, you would be using HTTPS, and most clients would, by the way, use the HTTPS endpoint by default, and so if you're using HTTPS, that means that the data transfer between your client and Amazon S3 is going to be fully encrypted, and that's what's called encryption in transit. And one thing to know is that in case you're using SSE-C, so server-side encryption and the key is provided by your client, then HTTPS is mandatory. Encryption in flight is also called SSL/TLS because it uses SSL and TLS certificates.
So with that, let's go into the hands-on to see how encryption works now.
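As an added worked illustration that is not part of the lecture, the Python below builds the request headers for the three server-side modes just described and enforces the two SSE-C rules the lecture states (HTTPS only, and the key passed again on every request); it also classifies a HEAD/GET response so an auditor can confirm which mode S3 actually applied to a stored object. Nothing is sent to AWS; the SSE-C customer-key and key-MD5 header names are the documented S3 ones rather than ones spoken in the lecture, and the function names are my own.

```python
# Added example: build S3 SSE request headers and audit what a response reports.
import base64
import hashlib
from typing import Optional

SSE = "x-amz-server-side-encryption"
SSE_C = SSE + "-customer-"          # prefix of the SSE-C header family


def sse_headers(mode: str, scheme: str = "https",
                customer_key: Optional[bytes] = None) -> dict:
    """Headers for a PUT/GET under SSE-S3, SSE-KMS or SSE-C.

    SSE-C carries the raw key in these headers, so only HTTPS is accepted,
    and the caller must pass the key again on every request: S3 discards it.
    """
    mode = mode.upper()
    if mode == "SSE-S3":
        return {SSE: "AES256"}            # key owned and managed by S3
    if mode == "SSE-KMS":
        return {SSE: "aws:kms"}           # key managed in KMS (access control, audit)
    if mode == "SSE-C":
        if scheme.lower() != "https":
            raise ValueError("SSE-C sends the key in headers: HTTPS is mandatory")
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) customer key")
        key_b64 = base64.b64encode(customer_key).decode()
        md5_b64 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {SSE_C + "algorithm": "AES256",
                SSE_C + "key": key_b64,
                SSE_C + "key-MD5": md5_b64}   # lets S3 reject a corrupted key
    raise ValueError(f"unknown encryption mode {mode!r}")


def applied_encryption(response_headers: dict) -> Optional[str]:
    """Which mode S3 reports for an object (HEAD/GET response); None if plaintext.

    Handy for auditing that stored objects meet the company's standard.
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    if h.get(SSE) == "AES256":
        return "SSE-S3"
    if h.get(SSE) == "aws:kms":
        return "SSE-KMS"
    if h.get(SSE_C + "algorithm") == "AES256":
        return "SSE-C"
    return None
```

The response dictionaries passed to `applied_encryption` in practice come from a HEAD on each object; feeding it a constructed header set is enough to exercise the classification offline.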