AWS S3 Object encryption + public accessible?

Question

I've uploaded an object onto S3, and made it publicly accessible. Hence, anyone who has the link to the object, can view the object.

Now I then updated the encryption mode to AES-256, and when I visit the link again, I can still see the object. So what does this encryption really doing? Is it only meant to target data at rest and hence if someone else has the link and retrieve it via browser, its consider fine?

Which steps of the process is actually decrypted the object?

Answer 1

You have selected Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) .

This means that Amazon S3 manages the encryption/decryption. When the file is written to disk, a random encryption key is generated for the file. The file is encrypted and written to disk. The encryption key is then encrypted with another encryption key managed by S3.

When you later request the file, S3 decrypts the encryption key, uses it to decrypt the file and then provides the decrypted file.

The above is encryption at rest . It means that the data is encrypted before it is written to disk. If anybody was to physically obtain the disk where the data is stored, they would not have access to the unencrypted data.

However, when you requested the object from Amazon S3, it verified that you were permitted to access the object (it is publicly accessible, so you are permitted). It then decrypted the object and provided the unencrypted file (but it would have normally done this via HTTPS, so it was encrypted between AWS and your browser).

If you are wanting to manage the encryption process yourself, take a look at Protecting Data Using Server-Side Encryption with Customer-Provided Encryption Keys (SSE-C) . This requires you to provide the encryption key when retrieving the object.