S3 Object encryption
Closed this issue · 10 comments
Great library!
I noticed the messages stored in S3 do not have encryption turned on. For the best HIPAA compliance, I think they should be? If this is useful, I could work on it; we'd need to add to the API the ability to set the S3 region.
Does it only support client-side encryption? How can we enable server-side encryption on S3 with this library?
Hi,
Thanks for opening this issue about encryption. Here is a blog post which shows a way of enabling client-side encryption for the message payload:
At the moment, server-side encryption is not supported by this library. We will be happy to see pull requests for enhancing encryption features.
Hi,
Any plans to include server-side encryption in this library's feature set in the future? It's a blocker for some who use exclusively SSE on their S3 buckets.
Do you need SSE for HIPAA compliance? If it helps, AWS just released that SQS is now HIPAA compliant: https://aws.amazon.com/about-aws/whats-new/2017/05/amazon-simple-queue-service-sqs-is-now-a-hipaa-eligible-service/
There are multiple compliance factors at work here. The (real) scenario is that company X has a requirement to encrypt all S3 objects. Usually they use SSE for this. They enforce this using a bucket policy in S3 requiring server-side encryption. This doesn't work for client-side encryption because S3 has no way of knowing whether the data was encrypted prior to receiving it. It only works for SSE because a header is passed (x-amz-server-side-encryption) telling S3 to encrypt it. They want to use SQS to handle larger payloads and this library seems the only option.
Any plans to expand this library to allow SSE?
It shouldn't be too hard to modify this library yourself - I've since left the project where we were working with this code, but I hacked the lib to do SSE (also hacked in our own amazon helper functions, so can't paste code easily here). Glancing through the codebase:
AmazonSQSExtendedClient.java -> storeTextInS3 -> ObjectMetadata variable is the only thing that needs to be modified for encryption. Also I remember needing to set the region for the amazon client so that it is able to do encryption; not sure where that goes. But I think that's about it...
Just announced today, you can now configure default encryption on an S3 bucket directly: https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/, to ensure any puts to S3 will land encrypted even if the client doesn't specify encryption parameters.
+1
Hi! Version 1.1.0 now uses the Payload Offloading Java Common Library For AWS (https://github.com/awslabs/payload-offloading-java-common-lib-for-aws), which allows configuring S3 Server Side Encryption with KMS.
Will be closing this issue for now.
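The bucket-policy scenario described in the thread, as an added example that is not part of the original discussion or of the library: a simplified Python model of how a policy requiring the `x-amz-server-side-encryption` header treats PutObject requests. The bucket name and policy are constructed for illustration, and only explicit Deny statements with the `Null` and `StringNotEquals` operators are modelled.

```python
# Added example: simplified model of an S3 bucket policy that requires the
# x-amz-server-side-encryption header on PutObject. The policy and bucket name
# are constructed; only explicit Deny with Null / StringNotEquals is modelled.

SSE_KEY = "s3:x-amz-server-side-encryption"
RESOURCE = "arn:aws:s3:::example-sqs-payloads/*"  # constructed bucket name

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyMissingSSEHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": RESOURCE,
         "Condition": {"Null": {SSE_KEY: "true"}}},
        {"Sid": "DenyUnknownSSEValue", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": RESOURCE,
         "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}},
    ],
}


def condition_matches(operator, key, expected, context):
    """Evaluate one condition against the request context."""
    actual = context.get(key)
    if operator == "Null":
        return (actual is None) == (expected == "true")
    if operator == "StringNotEquals":
        values = expected if isinstance(expected, list) else [expected]
        # Negated operators evaluate to true when the key is absent.
        return actual is None or actual not in values
    raise ValueError(f"operator not modelled: {operator}")


def denied_by(policy, headers):
    """Return the Sid of the first Deny statement matching a PutObject, else None."""
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context[SSE_KEY] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(condition_matches(op, key, exp, context)
               for op, pairs in stmt["Condition"].items()
               for key, exp in pairs.items()):
            return stmt["Sid"]
    return None
```

A payload encrypted client-side but uploaded without the header is denied by the first statement, because the policy can only inspect the request, not the object bytes.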