Key management Archives

AWS Announces New S3 Cloud Storage Security Encryption Features

server storage I/O data infrastructure trends

Updated 1/17/2018

Amazon Web Services (AWS) recently announced new Simple Storage Service (S3) e.g. AWS S3 encryption and security enhancements including Default Encryption, Permission Checks, Cross-Region Replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Report. Another recent announcement by AWS is for PrivateLinks endpoints within a Virtual Private Cloud (VPC).

AWS Dashboard
AWS Service Dashboard

Default Encryption

Extending previous security features, now you can mandate all objects stored in a given S3 bucket be encrypted without specifying a bucket policy that rejects non-encrypted objects. There are three server-side encryption (SSE) options for S3 objects including keys managed by S3, AWS KMS and SSE Customer ( SSE-C) managed keys. These options provide more flexibility as well as control for different environments along with increased granularity. Note that encryption can be forced on all objects in a bucket by specifying a bucket encryption configuration. When an unencrypted object is stored in an encrypted bucket, it will inherit the same encryption as the bucket, or, alternately specified by a PUT required.

AWS S3 Bucket Encryption
AWS S3 Buckets

Permission Checks

There is now an indicator on the S3 console dashboard prominently indicating which S3 buckets are publicly accessible. In the above image, some of my AWS S3 buckets are shown including one that is public facing. Note in the image above how there is a notion next to buckets that are open to public.

Cross-Region Replication ACL Overwrite and KMS

AWS Key Management Service (KMS) keys can be used for encrypting objects. Building on previous cross-region replication capabilities, now when you replicate objects across AWS accounts, a new ACL providing full access to the destination account can be specified.

Detailed Inventory Report

The S3 Inventory report ( which can also be encrypted) now includes the encryption status of each object.

PrivateLink for AWS Services

PrivateLinks enable AWS customers to access services from a VPC without using a public IP as well as traffic not having to go across the internet (e.g. keeps traffic within the AWS network. PrivateLink endpoints appear in Elastic Network Interface (ENI) with private IPs in your VPC and are highly available, resiliency and scalable. Besides scaling and resiliency, PrivateLink eliminates the need for white listing of public IPs as well as managing internet gateway, NAT and firewall proxies to connect to AWS services (Elastic Cloud Compute (EC2), Elastic Load Balancer (ELB), Kinesis Streams, Service Catalog, EC2 Systems Manager). Learn more about AWS PrivateLink for services here including VPC Endpoint Pricing here.

Where To Learn More

Learn more about related technology, trends, tools, techniques, and tips with the following links.

What This All Means

Common cloud concern considerations include privacy and security. AWS S3 among other industry cloud service and storage providers have had their share of not so pleasant news coverage involving security.

Keep in mind that data protection including security is a shared responsibility (and only you can prevent data loss). This means that the vendor or service provider has to take care of their responsibility making sure their solutions have proper data protection and security features by default, as well as extensions, and making those capabilities known to consumers.

The other part of shared responsibility is that consumers and users of cloud services need to know what the capabilities are, defaults and options as well as when to use various approaches. Ultimately it is up to the user of a cloud service to implement best practices to leverage cloud as well as their own on-premises technologies so that they can support data infrastructure that in turn protect, preserve, secure and serve information (along with their applications and data).

These are good enhancements by AWS to make their S3 cloud storage security encryption features available as well as provide options and awareness for users on how to use those capabilities.

Ok, nuff said, for now.

Greg Schulz – Microsoft MVP Cloud and Data Center Management, VMware vExpert 2010-2017 (vSAN and vCloud). Author of Software Defined Data Infrastructure Essentials (CRC Press), as well as Cloud and Virtual Data Storage Networking (CRC Press), The Green and Virtual Data Center (CRC Press), Resilient Storage Networks (Elsevier) and twitter @storageio. Courteous comments are welcome for consideration. First published on https://storageioblog.com any reproduction in whole, in part, with changes to content, without source attribution under title or without permission is forbidden.

All Comments, (C) and (TM) belong to their owners/posters, Other content (C) Copyright 2006-2024 Server StorageIO and UnlimitedIO. All Rights Reserved. StorageIO is a registered Trade Mark (TM) of Server StorageIO.

Today’s flight to Santa Ana (SNA) Orange County California for an 18 hour visit marks my 3rd trip to the left coast in the past four weeks that started out with a trip to Los Angeles. The purpose of today’s trip is to deliver a talk around Business Continuance (BC) and Disaster recovery (DR) topics for virtual server and storage environments along with related data transformation topics themes, part of a series of on-going events.

Planned flight path from MSP to SNA courtesy of Northwest Airlines, now part of Delta

This is a short trip to southern California in that I have to be back in Minneapolis for a Wednesday afternoon meeting followed by keynoting at an IT Infrastructure Optimization Seminar downtown Minneapolis Thursday morning. Right after Thursday morning session, its off to the other coast for some Friday morning and early afternoon sessions in the Boston area, the results of which I hope to be able to share with you in a not so distant future posting.

Where has March gone? Its been a busy and fun month out on the road with in-person seminars, vendor and user group events in Minneapolis, Los Angles, Las Vegas, Milwaukee, Atlanta, St. Louis, Birmingham, Minneapolis for CMG user group, Cincinnati and Orange County not to mention some other meetings and consulting engagements elsewhere including participating in a couple of webcast and virtual conference/seminars while on the road. Coverage and discussion around my new book "The Green and Virtual Data Center" (CRC) continues expand, read here to see what’s being said.

What has made the month fun in addition to traveling around the country is the interaction with the hundreds of IT professionals from organizations of all size hearing what they are encountering, what their challenges are, what they are thinking, and in general what’s on their mind.

Some of the common themes include:

There’s no such thing as a data recession, however the result is doing more with less, or, with what you have

Confusion abounds around green hype including carbon footprints vs. core IT and business issues

There is life beyond consolidation for server and storage virtualization to enable business agility

Security and encryption remain popular topic as does heterogeneous and affordable key management

End to end IT resource management for virtual environments is needed that is scalable and affordable

Performance and quality of service can not be sacrificed in the quest to drive up storage utilization

Clouds, SSD (FLASH), Dedupe, FCoE and Thin Provisioning among others are on the watch list

Tape continues to be used complimenting disks in tiered storage environments along with VTLs

Dedupe continues to be deployed and we are just seeing the very tip of the ice-berg of opportunity

Software licensing cost savings or reallocation should be a next step focus for virtual environments

Now, for a bit of irony and humor, overheard was a server sales person talking to a storage sales person comparing notes on how they are missing their forecasts as their customers are buying fewer servers and storage now that they are consolidating with virtualization, or using disk dedupe to eliminate disk drives. Doh!!!

Now if those sales people can get their marketing folks to get them the play book for virtualization for business agility, improving performance and enabling business growth in an optimized, transformed environment, they might be able to talk a different story with their customers for new opportunities…

What’s on deck for April? More of the same, however also watch and listen for some additional web based content including interviews quotes and perspectives on industry happenings, articles, tips and columns, reports, blogs, videos, podcasts, webcasts and twitter activity as well as appearances at events in Boston, Chicago, New Jersey and Providence among other venues.

To all of those who came out to the various events in March, thank you very much and look forward to future follow-up conversations as well as seeing you at some of the upcoming future events.

Cheers gs

Greg Schulz – Author Cloud and Virtual Data Storage Networking (CRC Press, 2011), The Green and Virtual Data Center (CRC Press, 2009), and Resilient Storage Networks (Elsevier, 2004)

twitter @storageio

Display Content by Categories