AWS has announced that Amazon S3 will encrypt all new objects by default and automatically apply server-side encryption for each new object unless specified otherwise.
Server side encryption (SSE) for Amazon’s Simple Storage Service (Amazon S3) was first introduced in 2011, with users given the ability to request encrypted storage when storing a new object or copying an existing object.
Encryption by default puts another security best practice into effect automatically and the change has no impact on performance, according to AWS. No user action is needed, and S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting.
However, users can choose one of three encryption options: the new default SSE-S3 setting, customer-provided encryption keys or AWS Key Management Service keys.
“To have an additional layer of encryption, you might also encrypt objects on the client side, using client libraries such as the Amazon S3 encryption client,” the company says in a blog post.
Previously, opting in to SSE-S3 meant that users had to certain that it was always configured on new buckets and verify that it remained configured property over time. For organizations that require all objects to remain encrypted at rest with SSE-S3, this update helps meet those compliance requirements without any additional effort, the company says.
“With today’s announcement, we have now made it ‘zero click’ for you to apply this base level of encryption on every S3 bucket,” the company says.
The change is visible in AWS CloudTrail data event logs, and users can also see changes in the S3 section of the AWS Management Console, Amazon S3 Inventory, Amazon S3 Storage Lens, and as an additional header in the AWS CLI and in the AWS SDKs over the next few weeks.
To verify the change, users can configure CloudTrail to log data events.
Read AWS’ blog for more information.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!