
Do server-side encrypted files in S3 get transitioned to AWS Glacier?

Question: Do server-side encrypted (with S3 managed or KMS managed keys) files get transitioned to Glacier? If yes, are they decrypted using the S3 or KMS key and then encrypted again using Glacier's internal key, as all objects in Glacier are encrypted using an internal AES-256 key?

Problem statement: I have some files in S3 encrypted using KMS managed key. I have a lifecycle rule to archive to Glacier after 1 day, but the files still show Storage class as 'Standard' even after 3 days.

I checked in AWS docs and forums, but could not find a direct answer to this question.

But what I found was that even CRR does not handle SSE-C and SSE-KMS encrypted objects (under the "what is not replicated" section). Hence I would assume the transition rule also cannot handle SSE-C and SSE-KMS encrypted files, as Glacier supports only AES-256 encryption.

Link for AWS Replication Documentation

There is nothing in the documentation to suggest that storage class changes from lifecycle policies are incompatible with SSE-KMS.

On archive, S3 objects are moved as is (in SSE-KMS encrypted form) to Glacier, encrypted by Glacier again.

— susan@aws https://forums.aws.amazon.com/thread.jspa?messageID=786916

S3 apparently does not decrypt and re-encrypt, but rather appears to simply encrypt the encrypted version of the object again, so SSE-C should also be compatible.

Note that lifecycle policies require up to 24 hours before they actually begin transitioning objects, and new objects will match a "1 day" rule between 24 and 48 hours after the object's initial creation.

If there is a large number of objects, you might want to use aws-cli to try to see if any objects have migrated.

aws s3api list-objects [options] --output text | grep GLACIER

My lifecycle rules had filename-specific prefix like 'com/folder-name/Daily-'. I created new lifecycle rules so that they end with last parent folder-name and a trailing slash 'com/folder-name/'.

After this change and waiting for 24+ hours, both un-encrypted and SSE-KMS encrypted files got transitioned to Amazon Glacier.

After transition, I do understand they both got encrypted internally using Glacier managed keys, as documented in this FAQ: https://aws.amazon.com/glacier/faqs/#security.
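As an added example (not code from the question or the answers), the following Python evaluates a lifecycle prefix filter against a listing in the shape `aws s3api list-objects-v2` returns, so you can see which keys a rule such as 'com/folder-name/Daily-' versus 'com/folder-name/' actually covers and how many of the covered objects still show STANDARD. The listing contents are constructed sample data, not a real bucket.

```python
from collections import Counter

# Constructed sample listing mimicking a subset of the fields that
# `aws s3api list-objects-v2` returns. Not data from any real bucket.
SAMPLE_LISTING = {
    "Contents": [
        {"Key": "com/folder-name/Daily-2020-01-01.csv", "StorageClass": "STANDARD"},
        {"Key": "com/folder-name/Daily-2020-01-02.csv", "StorageClass": "GLACIER"},
        {"Key": "com/folder-name/2020/Daily-2020-01-03.csv", "StorageClass": "STANDARD"},
        {"Key": "com/folder-name/weekly.csv", "StorageClass": "GLACIER"},
        {"Key": "com/other/Daily-2020-01-01.csv", "StorageClass": "STANDARD"},
    ]
}


def rule_matches(key: str, prefix: str) -> bool:
    """A lifecycle prefix filter is a literal string prefix on the full
    object key: no wildcards, and '/' has no special meaning."""
    return key.startswith(prefix)


def lifecycle_coverage(listing: dict, prefix: str) -> dict:
    """Split a listing into objects the rule covers and objects it skips,
    and count storage classes within the covered set so that a stuck
    transition (everything still STANDARD well past the rule's days)
    is visible at a glance."""
    covered, skipped = [], []
    for obj in listing.get("Contents", []):
        (covered if rule_matches(obj["Key"], prefix) else skipped).append(obj)
    return {
        "covered": [o["Key"] for o in covered],
        "skipped": [o["Key"] for o in skipped],
        "covered_by_class": dict(Counter(o["StorageClass"] for o in covered)),
        "still_standard": [o["Key"] for o in covered
                           if o["StorageClass"] == "STANDARD"],
    }


if __name__ == "__main__":
    # Compare the original narrow prefix with the broader folder prefix.
    for prefix in ("com/folder-name/Daily-", "com/folder-name/"):
        report = lifecycle_coverage(SAMPLE_LISTING, prefix)
        print(prefix, report["covered_by_class"],
              "skipped:", len(report["skipped"]),
              "still STANDARD:", len(report["still_standard"]))
```

On a real bucket, feed it the parsed JSON of `aws s3api list-objects-v2 --bucket <bucket>` (paginate with the continuation token for large buckets); storage class alone does not show whether an object is SSE-KMS, which `head-object` reports per key.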
