All objects added to the storage service will now be encrypted by default.
AWS has announced that all objects added to Simple Storage Service (S3) will be encrypted automatically by default, effective immediately. This means that the Amazon Server Side Encryption (SSE) service will be applied automatically each time a customer uploads an object to their Amazon S3 account.
Amazon Server Side Encryption has been available as an option since 2011. At the time, AWS Chief Evangelist Jeff Barr explained that SSE “handles all encryption, decryption, and key management in a totally transparent fashion. When you PUT an object and request encryption (in an HTTP header supplied as part of the PUT), we generate a unique key, encrypt your data with the key, and then encrypt the key with a master key. For added protection, keys are stored in hosts that are separate and distinct from those used to store your data”.
SSE, however, was only available on request. AWS has now made the SSE encryption regime a default setting for all objects uploaded. Sébastien Stormacq, AWS’s Principal Developer Advocate, announced the new security policy in a blog post. “This change puts another security best practice into effect automatically—with no impact on performance and no action required on your side,” he writes. “S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change.”
Several encryption options available
SSE-S3 has become the new base level of encryption when no other encryption type is specified. SSE-S3 uses the Advanced Encryption Standard (AES) with 256-bit keys managed by AWS. Although default encryption is now standard, customers are not required to use SSE-S3. Admins can choose to encrypt their objects using SSE-C (with customer-provided keys) or SSE-KMS (with keys held in AWS Key Management Service). These encryption options can either be set as ‘one click’ default encryption settings on the bucket or for individual objects in PUT requests.
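The precedence between per-request headers and the bucket default, together with a policy check a team might enforce, as an added example that is not AWS's code or part of the original article. It uses the documented `x-amz-server-side-encryption*` request headers and the `Rules` shape returned by `GetBucketEncryption`; SSE-C is treated as request-only because S3 accepts it only in headers, never as a bucket default, and the constructed key and ARN are placeholders.

```python
import base64
import hashlib
from typing import Optional, Tuple

# S3 request headers that select server-side encryption for a single PUT.
SSE_HEADER = "x-amz-server-side-encryption"        # "AES256" (SSE-S3) or "aws:kms" (SSE-KMS)
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSEC_ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_KEY_HEADER = "x-amz-server-side-encryption-customer-key"
SSEC_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(raw_key: bytes) -> dict:
    """Build the SSE-C headers for one PUT: the 256-bit key and its MD5, base64-encoded.
    The key never leaves the request; S3 uses it for this object and discards it."""
    if len(raw_key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        SSEC_ALG_HEADER: "AES256",
        SSEC_KEY_HEADER: base64.b64encode(raw_key).decode(),
        SSEC_MD5_HEADER: base64.b64encode(hashlib.md5(raw_key).digest()).decode(),
    }


def effective_encryption(put_headers: dict, bucket_config: Optional[dict]) -> Tuple[str, Optional[str]]:
    """Return (mode, kms_key_id) the stored object will end up with.
    Per-request headers win over the bucket default; a bucket with no default
    configuration now falls back to SSE-S3, as the article describes."""
    h = {k.lower(): v for k, v in put_headers.items()}
    if h.get(SSEC_ALG_HEADER) == "AES256":
        return "SSE-C", None
    if h.get(SSE_HEADER) == "aws:kms":
        return "SSE-KMS", h.get(KMS_KEY_HEADER)   # None => AWS-managed aws/s3 key
    if h.get(SSE_HEADER) == "AES256":
        return "SSE-S3", None
    rules = (bucket_config or {}).get("Rules", [])
    if rules:
        default = rules[0]["ApplyServerSideEncryptionByDefault"]
        if default.get("SSEAlgorithm") == "aws:kms":
            return "SSE-KMS", default.get("KMSMasterKeyID")
        return "SSE-S3", None
    return "SSE-S3", None   # the new automatic default for unconfigured buckets


def meets_policy(mode: str, key_id: Optional[str], required_key_arn: str) -> bool:
    """Guardrail for teams that require SSE-KMS under a specific customer-managed key;
    the automatic SSE-S3 default does not satisfy it, so the check still matters."""
    return mode == "SSE-KMS" and key_id == required_key_arn
```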