Protecting S3 Files
In this lesson, you will learn how to protect your files through encryption when you store them in S3.
We'll cover the following
Users can now upload files, but they may rightly be concerned about security and privacy. You can encrypt the file contents to protect them. In a typical three-tier server application, an application server could receive user data and then encrypt it before saving it to S3. With a direct upload, you can’t control what is sent to S3, because you’ve removed the gatekeeper. You could try encrypting this on the client device before sending it, but then you couldn’t use just a simple browser form. Plus, you’d have to somehow send your encryption keys to client devices, which can create a security nightmare. Because encryption was such a common need, AWS implemented it as part of the platform. With serverless architectures, most gatekeeper roles are passed onto the platform, not to a Lambda function.
You can just flip a switch and all newly created files on S3 will be encrypted at rest, regardless of where they come from. With CloudFormation, that switch is behind the
BucketEncryption property of the
AWS::S3::Bucket resource. You can change the template resource definition for the bucket to look like this: