3 min read

Secure BYOK Service for AWS S3 Buckets

Dawn M. Turner (guest) : 10. February 2023

PCI DSS GDPR Key Management in the Cloud AWS AWS BYOK
Secure BYOK Service for AWS S3 Buckets

Keeping data safe in the Cloud has always been a concern for users, hence the need for encrypting data. With more businesses taking advantage of what the cloud has to offer with cloud-based services, there has been increased focus on who should manage the keys used to encrypt and decrypt data.

This article takes a look at how Cryptomathic’s AWS BYOK Service can provide better control and auditability of key encryption keys for the Amazon Simple Storage Service (Amazon S3).

What is Amazon S3?

Amazon S3 is an object storage service that provides data availability, scalability, security, and performance. It can be used by customers of all sizes in all types of industries to store and protect data that can be used for a variety of purposes, including, but not limited to:

  • Websites
  • Mobile applications
  • Enterprise applications
  • Data lakes
  • Backups and restores
  • Big data analytics
  • Archiving
  • IoT devices
With its management features, Amazon S3 allows users to organize, optimize and configure access to their data that allows for meeting their specific organizational, business, and compliance requirements.

How Does Amazon S3 Work?

Amazon S3 uses buckets to store data as objects. An object is a file combined with the metadata that provides a description of the file. A bucket is a container for objects (think file folder). Any number of objects can be stored in a bucket (think a VERY big file folder) and the user can have up to 100 buckets in their account (think many file folders sitting in a large file cabinet!)

S3 offers a range of storage classes where the user can decide where data should be stored based on how often it is used. For example, data that is mission-critical and is often accessed may be stored in S3 Standard for frequent access, but infrequently accessed data may be stored in S3 Standard-IA to save costs. Meanwhile, archive data can be stored at a lower cost in S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, or S3 Glacier Deep Archive where it will sit at rest just in case it is needed someday.

It is also possible to use S3’s Intelligent-Tiering which optimizes storage costs as it automatically moves data between four access tiers when the user’s access patterns change:

  • One tier for low latency for frequent access
  • One tier for low latency for infrequent access
  • Two opt-in archive tiers for asynchronous access for data that is rarely accessed

Amazon S3 provides storage management that allows users to manage their costs, reduce latency, meet required regulatory responsibilities and store multiple copies of data to meet compliance requirements. It also provides features for managing access to the user’s buckets and objects, which by default are private.

Using Encryption to Protect Data

Cloud security has come a long way over the years, but there are still risks involved. With data being transferred in and out of buckets, it is at risk. When the data is sitting in a bucket at rest, it is also at risk. Therefore, there is a need to protect data through encryption.

AWS considers security as a shared responsibility between them and the user. For example, AWS carries the responsibility of protecting the infrastructure that runs its services in their cloud. The user’s responsibility is determined by which AWS service is being used.

When using Amazon S3, the user bears the burden of responsibility for:

  • Managing their data, such as encryption and object ownership
  • Classifying assets
  • Managing access to their data
  • Enabling AWS’s detective controls like Amazon GuardDuty or AWS CloudTrail

Users have the option between server-side encryption where Amazon S3 encrypts an object before it is saved and decrypts when it is downloaded. This is where Cryptomathic’s AWS BYOK Service comes in. Client-side encryption is when client-side data is encrypted and unloaded to encrypted data in Amazon S3. The user manages the encryption process and its encrypted keys.

Cryptomathic’s AWS BYOK Service for Securing S3 Buckets 

The Cryptomathic AWS BYOK Service is ideal for securely pushing and managing cryptographic keys for Amazon services, like AWS S3, that utilize AWS KMS. It gives users a higher level of control over permissions, such as access to stored data and control over the life cycles of their keys from creation to archiving to destruction.

Cryptomathic’s approach to BYOK is more along the lines of “Manage Your Own Key,” (MYOK) which better delivers on the promises that BYOK makes for security. By using AWS KMS with Customer Managed Keys, It allows for the separation of ownership and control versus possession of cryptographic keys from the cloud service provider’s applications, which in this case would be Amazon S3. This provides more control and auditability of keys, due to maintaining ownership of them.

The Cryptomathic AWS BYOK Service provides organizations with a secure HSM-backed service, where the HSMs (Hardware Security Modules) are under the sole logical control of Cryptomathic, dedicated only to BYOK. The service gives you a 360-degree view of all keys, including key-lifecycle information and user activity. Users will be able to demonstrate compliance (e.g., with GDPR, HIPAA, PCI-DSS and others), by downloading reports on the system and by documenting which keys were generated, when they were pushed and when any changes happened. The AWS BYOK Service is available as an on-demand service.  

 

New call-to-action