We're ready to help

Our cloud experts can answer your questions and provide a free assessment.

a meeting
S3 Encryption

How to Encrypt Existing Amazon S3 Objects with S3 Encryption

  • 1
  •  0

by Jenelle Kemp, Technical Product Manager, Logicworks

Everyone wants to keep their information safe. How can you make certain that the files you or your company have uploaded to the cloud are protected?

The need for encryption has become foundational as companies move from private data centers to the cloud. It is a requirement for most compliance standards and may provide legal cover if there is a breach in security.

However, many organizations run into trouble when their cloud storage contains a confusing mix of unencrypted and encrypted files – and no idea how they got that way or how to begin fixing the problem. How can you be sure that each of your files is stored in an encrypted format?


S3 Bucket Encryption

What is S3 encryption? The simplest explanation is that it is a method of protecting data at rest. There are other methods of protecting data in transit, but many regulatory agencies require that files in storage (“at rest”) in the cloud are stored in an encrypted format to protect them in case bad actors gain unauthorized access. Even if you are not required by regulations to encrypt your data, taking additional steps to protect it via encryption may provide legal cover if there is a breach in security. By encrypting data you can prove that you took additional steps to protect sensitive data.

The simplest way to encrypt files is to have Amazon Web Services (AWS) do it for you! On Amazon Web Services Simple Storage Service (S3 for short) the files are called objects and the containers they live in are called buckets. When you first set up your S3 buckets you have the option to add encryption to all new objects added to that bucket. This ensures every object is encrypted upon upload to that bucket.

Starting out with an empty bucket with encryption set up from the beginning is the ideal solution – but unfortunately most companies do not experience this situation. The problem is that enabling encryption on a bucket only affects new objects added to it from that point forward. It does not affect any existing objects within that bucket. If you have inherited an existing bucket that did not have automatic encryption set up from the beginning, there is likely a combination of encrypted and unencrypted objects within the that bucket.

Let’s say you started working for your company in January 2019. Your department relies on a heavily used bucket containing hundreds of thousands of objects. Your predecessor enabled default encryption on this bucket at some point in 2018 but the bucket itself was in use for many years before then. When your predecessor enabled default encryption they assumed it would encrypt any objects already there – however you know differently because you read this blog post! You also know that some of the pre-2018 data was already encrypted before upload, so you can’t assume that everything before that date is unencrypted. Now an audit is looming and the CTO is asking for proof that all files in this bucket are encrypted. What can you do?


Step 1: Identify objects missing encryption

The first step to protecting those unencrypted files is to find them. You can use Amazon’s S3 Inventory to generate a list of objects missing encryption.

Note before beginning: Amazon S3 metadata only considers AES-256 and AWS-KMS as encryption methods. If your organization uses a different type of encryption this method will not work.

  1. Use S3 Inventory to obtain a list of objects in the target bucket. There are a few methods of doing this, so review the S3 Inventory documentation to see which works best for your environment.
  2. When your list is generated, search for the Encryption Status metadata field. There are a few options for status, but the one we are interested in is NOT-SSE.
  3. Filter out all objects except for those containing the NOT-SSE flag.
  4. The resulting list contains all objects without encryption in the target bucket.

Another option for identifying unencrypted objects is to use Logicworks’ Data Loss Prevention, which provides a set of tools that will identify and send notifications about S3 objects that are unencrypted in your AWS account.


Step 2: Add encryption to existing S3 objects

Once you know which objects in the bucket are unencrypted use one of the following methods for adding encryption to existing S3 objects.

Option 1

Small numbers of objects or single files may be encrypted one at a time in the Amazon S3 console.

  1. Sign into the AWS Management Console.
  2. Navigate to the S3 console and find the bucket and object that was flagged as unencrypted.
  3. Select the object and choose Properties then Encryption.
  4. Use the wizard to choose the S3 encryption options you prefer.
  5. Save to apply encryption to the object.

Note: An in-depth explanation of single file encryption may be found on the AWS documentation.

Option 2

Following the single-file procedure for many hundreds or thousands of unencrypted objects can be overwhelming, so we recommend a different strategy to encrypt multiple objects. Encrypting multiple objects can create an enormous amount of costly logging, so temporarily disabling logging is a good idea before beginning this process.

  1. Disable S3 access logging (if enabled)
    • Navigate to the bucket containing multiple unencrypted objects and select Properties then Server Access Logging
    • Choose Disable logging
  2. Identify the bucket containing multiple unencrypted objects and set up default encryption in the bucket policy.
  3. Once the bucket has default encryption enabled, any new objects entering the bucket will be encrypted. In order to encrypt the existing objects you will need them to be considered “new” to the bucket. You can accomplish this in one of two ways:
    • Move unencrypted objects to a temporary bucket and then move objects from temporary bucket back to original bucket.
    • Use the AWS command line interface to do a recursive copy of all objects within a S3 bucket. Warning: Object metadata may be lost using the AWS copy command, consult AWS CLI documentation for more information.

Once this process is complete you may re-enable logging on these buckets.

Option 3

The experts at Logicworks created a Data Loss Prevention service to make this process much more simple and easy to accomplish. We can help you:

  1. Discover any unencrypted objects
  2. Automatically notify you when any new unencrypted objects appear
  3. Search for objects containing any sensitive information (including addresses, social security numbers, or other personally identifying information)
  4. …All without giving more work to your in-house team

Although this process may be cumbersome, S3 encryption is a great way to protect confidential information. By taking steps to evaluate and encrypt all files you can ensure that your stored data meets encryption compliance. If you have any questions about our data loss prevention options or S3 data encryption, please learn more about Logicworks Data Loss Prevention or contact us and we would love to discuss your options!


New call-to-action

1 Comment

  • Glenn Morgan
    April 22, 2019

    Great Article, question, if one is sending sensitive data to S3 via a secure tunnel, is it ever decrypted before moving to S3? Looking for best practices of protecting data in transit going into S3 encryption.

Leave A Comment