Encryption
Video Activity

Time: 19 hours 19 minutes
Difficulty: Intermediate
CEU/CPE: 20
Video Transcription
00:00
Hey everybody and welcome back. In this lesson, we're going to talk about S3 Encryption.

The learning objectives are going to be to discuss the different encryption methods that we have and to discuss encryption for S3 in general and just how it works.

S3 Encryption is what we're using to protect our data at rest when it sits inside an S3 bucket. These are going to apply to the objects: your files, your videos, your music files, all of that stuff, your logs. These are all things that sometimes you do want to protect. In many cases I've seen logs being protected because logs can contain sensitive information. We want to make sure that they're being protected from eyes that do not need to have access to see them.
There are four different types of encryption methods when it comes to protecting our information within S3. These options go as follows:

We have Server-Side Encryption, S3 managed, which is the first option. This is going to be encryption for the S3 objects, and your keys are going to be completely taken care of by Amazon. There's no additional cost for this, but, and we're going to go into details on this, you're going to lose a little bit of flexibility and control on how those keys are actually being managed and when they're being rotated and so forth.

You have Server-Side Encryption-KMS, which is the key managed service that is going to leverage the AWS Key Management Service. You do get more flexibility to manage your keys, but you're going to be paying an additional cost there.

You have Server-Side Encryption Customer, so customer side. You can manage your own keys. You can bring them into the Cloud from wherever you may have them managed, and you could do it that way.

Then you also have Client-Side Encryption. Let's go ahead and talk a little bit about these options.
Server-Side Encryption, S3. This is the first one. Everything is being managed. The encryption is being handled by Amazon. You don't have to worry about that. It's going to be protecting the objects. It's going to be using AES-256 Encryption. We're going to be setting the header, as you can see right there. What this does here is it's going to lock the key on the server, the one the object is going to be stored on. Now, when it comes to S3, just to jog your memory, we actually do not handle the infrastructure for S3. It's all being handled for us. This is a SaaS service. But again, all the management is being handled by Amazon on the back end. You don't really have to worry about this at all.
Let's go ahead and talk about the next option here, so KMS. KMS is another Amazon service that we haven't talked a whole lot about just yet. But it does allow us to do the handling of keys that we want to introduce into our environment. You get to do audits. You get to do rotations. You have a lot of control over what's going on. Now, the keys are still being provided by KMS, but you have a say as to how they're being handled, how they're being utilized, when they're being rotated, when they're being changed, all of that stuff. You get a lot more intelligence in this case versus the S3 managed by Amazon. That method is not something that you have a lot of visibility on. With KMS, you're going to have a lot of visibility on that.
Now, here we go into the client-side. Here we're getting a little bit more flexibility. This is not going to store your keys. You have to use HTTPS. Encryption keys must be added to every HTTP header request. We're going to see a client must encrypt and decrypt data as needed. You're going to have to do this in a more manual or automated way. Then the client must use the Encryption Client library for S3 in order to actually leverage the service. Well, you're going to get a lot more flexibility, a lot more control, but what comes with that is you're going to lose the convenience of having these things managed for you.

Here's an example here. We can see HTTPS requests. We have our key. We have our file. Go ahead and send that into our S3 area here, or S3 buckets. We can see that it is going to be encrypted and stored into the bucket right there. Now, remember that the key is being stored on the server-side as well, but you're going to have to make sure that the keys that you provide work within the confines and the requirements for the S3 server, which is why we have to follow that policy.
That summarizes this lecture here on encryption for S3. Hope you found this helpful. Be sure to review the documentation. If you have any questions, you can feel free to reach out to me.

For this exam, I recommend just getting yourself familiar with the various methods for encryption. There's going to be the ones that we talked about, but you may want to brush up on your knowledge on them before jumping into the exam. Make sure you understand the differences and their use cases and so forth. Sometimes you're going to have regulatory reasons for selecting the option that you chose. Always keep that in mind as you're choosing your encryption methods for storing your files in S3.

That wraps up this lesson. If you guys have any questions, feel free to reach out to me, and if not I'll see you in the next lecture.
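The lecture describes the server-side options by the request header each one sets and notes that the customer-provided-key option carries the key in every HTTPS request. The following Python is an added illustration, not code from the lecture or from AWS: it builds the headers for SSE-S3, SSE-KMS and SSE-C, enforces the two SSE-C requirements the lecture mentions (HTTPS transport and a 256-bit key), recomputes the key digest S3 checks, and classifies which option an object came back with from a HEAD/GET response. The header names are the documented S3 headers; the bucket URL, the 32-byte key and the KMS key ARN are constructed placeholders.

```python
"""Request headers for each S3 server-side encryption option, plus a
check of which option a stored object actually carries.

Added example, not the lecture's or AWS's code. Header names are the
documented S3 headers; all bucket, object and key values are constructed.
"""
import base64
import hashlib
from urllib.parse import urlparse

SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_s3_headers():
    """SSE-S3: a single header; S3 creates, stores and rotates the AES-256 key."""
    return {SSE_HEADER: "AES256"}


def sse_kms_headers(kms_key_id=None):
    """SSE-KMS: S3 asks KMS for the data key, so each use lands in the KMS
    audit trail and the key policy and rotation schedule are yours to set.
    Without a key id S3 falls back to the AWS managed key for S3."""
    headers = {SSE_HEADER: "aws:kms"}
    if kms_key_id:
        headers[SSE_KMS_KEY_HEADER] = kms_key_id
    return headers


def sse_c_headers(key, url):
    """SSE-C: the caller supplies a 256-bit key on every PUT/GET/HEAD, so the
    request must travel over HTTPS. The key is sent base64-encoded together
    with a base64 MD5 digest that lets S3 detect a key corrupted in transit."""
    if urlparse(url).scheme != "https":
        raise ValueError("SSE-C requires HTTPS: the key rides in the headers")
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 256 bits (32 bytes)")
    return {
        SSE_C_ALGO_HEADER: "AES256",
        SSE_C_KEY_HEADER: base64.b64encode(key).decode("ascii"),
        SSE_C_KEY_MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def sse_c_key_md5_matches(headers):
    """Recompute the digest from the key header: the same integrity check
    S3 performs before it will use a customer-provided key."""
    key = base64.b64decode(headers[SSE_C_KEY_HEADER])
    expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    return headers[SSE_C_KEY_MD5_HEADER] == expected


def classify_object_encryption(response_headers):
    """Read a HEAD/GET response and report which option protects the object.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in response_headers.items()}
    if SSE_C_ALGO_HEADER.lower() in h:
        return "SSE-C"
    mode = h.get(SSE_HEADER)
    if mode == "AES256":
        return "SSE-S3"
    if mode == "aws:kms":
        return "SSE-KMS"
    return "none"  # stored without server-side encryption


if __name__ == "__main__":
    # Constructed values: a demo key and a placeholder bucket URL.
    demo_key = b"A" * 32
    demo_url = "https://example-bucket.s3.amazonaws.com/logs/app.log"
    print(sse_s3_headers())
    print(sse_kms_headers("arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"))
    print(sse_c_headers(demo_key, demo_url))
```

Used as an audit helper, `classify_object_encryption` run over the HEAD response of each object tells you whether a bucket really holds what your policy demands, which is the regulatory angle the lecture closes on. For SSE-C, note that the key is used for that request only and is not retained by S3, which is why every later GET must present it again.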