Amazon S3 now encrypts data by default
AWS has changed a setting for new Amazon S3 buckets to encrypt data by default, a move that increases data protection and places more emphasis on customer security.
New data stored in Amazon S3 will now be encrypted by default, a change that brings the largest hyperscaler in line with competitor policies.
S3, an object storage service, uses an Amazon server-side encryption called SSE-S3, which encrypts each object with a unique key and then encrypts the key itself. In the past, customers had to manually turn on SSE-S3; now, it's automatic. The change to encrypt by default comes at no additional cost to customers and is available as of Jan. 5 in all AWS regions, including those for AWS GovCloud and AWS China, according to an AWS blog post.
The encryption status of the approximately 280 trillion existing objects will not change, according to the cloud provider.
Making encryption the standard in S3 catches AWS up with Microsoft Azure and Google Cloud Platform, which have defaulted to at-rest encryption for several years. Smaller private cloud services, including Oracle Cloud Infrastructure, have also provided at-rest encryption by default.
The change to S3 is a positive move to protect customer data, according to Dave Raffo, senior analyst at Evaluator Group. Customers expect data encryption by default, which has become an unofficial industry standard, and might assume incorrectly that S3 provided this same service.
"The big change is everything you send to S3 is being encrypted," Raffo said. "You get the benefits without having to upgrade. … The users are expecting and want it. Security is a hot topic nowadays."
Under lock and key
Encrypting objects in S3 is not a new feature and has been available to AWS customers since 2011. SSE-S3 makes data housed in a storage system generally unreadable and unusable to humans unless translated with an encryption key. It places the management of object data encryption and the keys to access that data under the purview of AWS.
Customers have additional encryption options when using SSE-S3 that include customer-provided encryption keys and use of keys through the AWS Key Management Service.
"We heard early on [that] customers really wanted to enable encryption at rest," said Kevin Miller, vice president and general manager of Amazon S3. He noted that most objects created in the service typically take advantage of encryption features.
But making at-rest encryption the default required additional testing to ensure no existing applications would break with the change, according to Miller.
"When we make changes like this, we're super paranoid every customer application works normally," he said. "We never changed the bucket defaults. This is the first time we're doing that."
Ounce of prevention
AWS's transition to encryption by default was likely dictated by the advancement of data protection laws and policies globally, according to Marc Staimer, president of Dragon Slayer Consulting.
While encryption can protect data, it's not a comprehensive security strategy itself, he added. Encrypted data is normally unencrypted when in use by applications, meaning data is still vulnerable to exposure if someone gets access credentials through programs such as keyloggers or social engineering efforts.
"Most of the access is not directly to the storage. It's through the application," Staimer said. "Every time you come up with a good defense, the bad guys find a way around it."
AWS's messaging over the past several years has focused on making sure customers understand not only how they can protect data in AWS but also how the hyperscaler's shared responsibility model for security requires proactive intervention by the customer. That includes changes to S3 bucket security coming in April 2023.
These changes will alter two default settings for newly created S3 buckets to block all public access and to lock object ownership to the bucket owner by disabling access control lists by default. Changing either of these settings from the new defaults will require editing specific parameters.
In the announcement blog, AWS said both changes are already default settings when using the AWS console for creating S3 buckets and are consider best security practices.
This won't be the last time AWS could take a more hands-on approach to increase data security. Miller said the hyperscaler continues to look for ways to protect customer data and implement default settings to encourage better practices.
"You'll see us make changes to the defaults where we can raise out-of-the-box security," he said.
Tim McCarthy is a journalist living on the North Shore of Massachusetts. He covers cloud and data storage news.