1 00:00:00,380 --> 00:00:02,110 Okay, so now let's have a look
2 00:00:02,110 --> 00:00:04,440 at S3 Default Encryption.
3 00:00:04,440 --> 00:00:07,420 So if you wanted to push an object into an S3 bucket
4 00:00:07,420 --> 00:00:10,590 and wanted to make sure that that object was encrypted,
5 00:00:10,590 --> 00:00:14,190 then you could force encryption using a Bucket Policy.
6 00:00:14,190 --> 00:00:17,240 And the bucket policy says that if the encryption headers
7 00:00:17,240 --> 00:00:20,480 are not specified in the API call
8 00:00:20,480 --> 00:00:22,010 made to Amazon S3,
9 00:00:22,010 --> 00:00:23,480 then you deny the request.
10 00:00:23,480 --> 00:00:25,840 And therefore, the effect of that is that every object
11 00:00:25,840 --> 00:00:29,490 that is put into your S3 bucket has to be encrypted.
12 00:00:29,490 --> 00:00:31,540 Now that's one way of doing it, but there's another way.
13 00:00:31,540 --> 00:00:33,980 And it is to use the default encryption option
14 00:00:33,980 --> 00:00:35,110 in Amazon S3.
15 00:00:35,110 --> 00:00:37,940 So the idea is that if you upload an unencrypted object
16 00:00:37,940 --> 00:00:38,773 into Amazon S3,
17 00:00:38,773 --> 00:00:42,060 it will be encrypted using the default encryption options.
18 00:00:42,060 --> 00:00:43,640 But if you already uploaded it encrypted,
19 00:00:43,640 --> 00:00:45,890 then it will not be re-encrypted.
20 00:00:45,890 --> 00:00:47,870 Now something you should note is that bucket policies
21 00:00:47,870 --> 00:00:50,970 will be evaluated before default encryption.
22 00:00:50,970 --> 00:00:53,770 So for example, if you want to force an encryption mechanism
23 00:00:53,770 --> 00:00:55,577 of SSE-S3, for example,
24 00:00:55,577 --> 00:00:58,130 you would need to use a bucket policy.
25 00:00:58,130 --> 00:00:59,630 But if your requirement is just to make sure
26 00:00:59,630 --> 00:01:01,160 that every single object in your bucket
27 00:01:01,160 --> 00:01:04,423 is encrypted, for this you could use default encryption.
28 00:01:04,423 --> 00:01:06,810 So let's create a bucket named
29 00:01:06,810 --> 00:01:11,810 s3-default-encryption-stephane-demo
30 00:01:13,830 --> 00:01:16,963 and then we're going to create this bucket.
31 00:01:18,630 --> 00:01:23,052 So under the bucket itself, as you can see, under properties,
32 00:01:23,052 --> 00:01:25,860 you can have a look at default encryption
33 00:01:25,860 --> 00:01:27,710 and here we can automatically encrypt
34 00:01:27,710 --> 00:01:29,730 new objects stored in this bucket.
35 00:01:29,730 --> 00:01:30,950 So we'll enable it
36 00:01:30,950 --> 00:01:32,930 and we select the type of encryption scheme.
37 00:01:32,930 --> 00:01:35,030 Do you want Amazon SSE-S3
38 00:01:35,030 --> 00:01:36,200 or do you want SSE-KMS?
39 00:01:36,200 --> 00:01:38,220 And then you specify your key.
40 00:01:38,220 --> 00:01:40,700 So we'll use SSE-S3 for this example,
41 00:01:40,700 --> 00:01:42,466 and I will save my changes.
42 00:01:42,466 --> 00:01:46,930 And now, as you can expect, if I add a file and this file,
43 00:01:46,930 --> 00:01:49,450 for example, is coffee.jpg.
44 00:01:49,450 --> 00:01:50,890 And then as you can see,
45 00:01:50,890 --> 00:01:53,170 I do not specify any encryption mechanism
46 00:01:55,540 --> 00:01:56,373 and click on close.
47 00:01:56,373 --> 00:01:58,670 Now, if I go back to my objects
48 00:01:58,670 --> 00:02:01,763 and have a look at the encryption field.
49 00:02:02,860 --> 00:02:05,050 In here, then we can see that yes,
50 00:02:05,050 --> 00:02:08,550 the server-side encryption setting is enabled for this object.
51 00:02:08,550 --> 00:02:10,759 And it was using the server-side encryption,
52 00:02:10,759 --> 00:02:13,630 Amazon SSE-S3, okay.
53 00:02:13,630 --> 00:02:15,580 If we try to upload another object now,
54 00:02:15,580 --> 00:02:18,230 so let's upload a beach.jpg
55 00:02:19,590 --> 00:02:21,520 but this time in terms of properties,
56 00:02:21,520 --> 00:02:24,840 I'm going to specify an encryption key.
57 00:02:24,840 --> 00:02:26,820 And here we can use either the default
58 00:02:26,820 --> 00:02:28,970 encryption bucket settings, or we can override them.
59 00:02:28,970 --> 00:02:30,980 And so if we override them and, for example,
60 00:02:30,980 --> 00:02:35,960 use KMS, using the managed aws/s3 KMS key,
61 00:02:35,960 --> 00:02:37,403 and click on upload.
62 00:02:39,660 --> 00:02:41,770 And now we have a look at the file itself.
63 00:02:41,770 --> 00:02:42,770 So let's click on it
64 00:02:44,180 --> 00:02:48,380 and scroll down to the encryption block.
65 00:02:48,380 --> 00:02:49,213 Here we go.
66 00:02:49,213 --> 00:02:50,046 As you can see now,
67 00:02:50,046 --> 00:02:52,183 even though default encryption is enabled,
68 00:02:52,183 --> 00:02:55,570 this file was encrypted using SSE-KMS,
69 00:02:55,570 --> 00:02:57,420 and the KMS key that we specified.
70 00:02:57,420 --> 00:02:58,670 So remember, the default encryption
71 00:02:58,670 --> 00:03:00,610 is not applying the same encryption to all files.
72 00:03:00,610 --> 00:03:03,510 It is just making sure that if you upload the object
73 00:03:03,510 --> 00:03:04,870 in an unencrypted way,
74 00:03:04,870 --> 00:03:07,200 then it will automatically be encrypted using the default
75 00:03:07,200 --> 00:03:09,570 encryption mechanism. So that's it for this lecture.
76 00:03:09,570 --> 00:03:10,403 I hope you liked it.
77 00:03:10,403 --> 00:03:12,270 And I will see you in the next lecture.