Amazon slaps automatic encryption on S3 data

Ensures future security stuffups will take extra effort


Amazon has taken the hint regarding security of its cloud-based Simple Storage Service (S3) and updated it so that all newly added objects are encrypted by default. The move comes after the cloud giant announced new default bucket security settings in December.

S3 – initially known as the Simple Storage Service – was the first service made available when Amazon launched AWS as a public cloud way back in 2006. While the object storage platform has proven popular, Amazon's policy of leaving it up to the user to configure security settings has played its part in a number of data breaches over the years when buckets were unintentionally exposed to the outside world.

As of January 5, the S3 platform now encrypts all new objects added to buckets by default, applying server-side encryption (SSE-S3) using 256-bit AES for each new object, unless the user specifies a different encryption option. This change is effective now across all AWS Regions.

SSE-S3 has actually been supported for a long time, as Amazon says in its blog, but it was previously left up to the user to enable it. "This change puts another security best practice into effect automatically – with no impact on performance and no action required on your side," wrote Amazon's Sébastien Stormacq.

While it was simple to enable, the opt-in nature of SSE-S3 meant that users had to ensure it was always configured on new buckets and verify that it remained properly configured over time, according to Amazon. For organizations that require all their objects to remain encrypted at rest with SSE-S3, the latest update helps them meet encryption compliance requirements without any additional tools or configuration changes.

Alternatively, customers can update this default configuration using their own encryption keys (SSE-C) or by using AWS Key Management Service keys (SSE-KMS).

Somewhat confusingly, AWS already supported a feature called S3 Default Encryption as a bucket-level setting which customers could use to specify a default encryption level. Existing buckets already using this feature will not change, Amazon said, but the setting can no longer be disabled to ensure that all new data uploaded to S3 will be encrypted at rest.
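The practical question after this change is not "is encryption on?" but "which encryption applies to my bucket and my objects, and does that match policy?" The following is an added example, not code from AWS or from this article. It evaluates the `ServerSideEncryptionConfiguration` document that `aws s3api get-bucket-encryption` (boto3 `get_bucket_encryption`) returns, and the headers that `head-object` returns for an individual object. The field names are the S3 API's own; the sample configuration and responses are constructed, and the key ARN is a placeholder.

```python
"""Audit S3 server-side encryption from API responses (added example).

Inputs mirror `get_bucket_encryption` (ServerSideEncryptionConfiguration) and
`head_object` responses. Sample data below is constructed.
"""
from __future__ import annotations
from typing import Optional

# Algorithm values the S3 API uses in SSEAlgorithm / ServerSideEncryption.
AES256 = "AES256"      # SSE-S3: keys managed by S3
AWS_KMS = "aws:kms"    # SSE-KMS: keys held in AWS KMS


def effective_default(config: Optional[dict]) -> dict:
    """What a new object gets when the uploader sends no encryption header.

    `config` is the bucket's ServerSideEncryptionConfiguration, or None when
    the bucket never had an explicit rule. Since 5 January 2023 an absent rule
    still means SSE-S3, because S3 now applies it platform-wide.
    """
    if not config or not config.get("Rules"):
        return {"mode": "SSE-S3", "key": None, "explicit": False}
    # S3 accepts exactly one rule in this configuration.
    rule = config["Rules"][0].get("ApplyServerSideEncryptionByDefault", {})
    algo = rule.get("SSEAlgorithm")
    if algo == AWS_KMS:
        # KMSMasterKeyID is optional; absent means the AWS managed key aws/s3.
        return {"mode": "SSE-KMS", "key": rule.get("KMSMasterKeyID") or "aws/s3", "explicit": True}
    if algo == AES256:
        return {"mode": "SSE-S3", "key": None, "explicit": True}
    return {"mode": "unknown", "key": algo, "explicit": True}


def check_bucket(config: Optional[dict], *, require_kms: bool = False,
                 allowed_keys: tuple[str, ...] = ()) -> list[str]:
    """Compare a bucket's default against an organisation's requirement.

    SSE-S3 by default satisfies "encrypted at rest"; teams that need their own
    KMS keys must also confirm the default is SSE-KMS with an approved key.
    """
    findings = []
    eff = effective_default(config)
    if require_kms and eff["mode"] != "SSE-KMS":
        findings.append(f"default is {eff['mode']}, policy requires SSE-KMS")
    elif require_kms and allowed_keys and eff["key"] not in allowed_keys:
        findings.append(f"default KMS key {eff['key']} not in allow-list")
    return findings


def object_encryption(head: dict) -> str:
    """Classify a HeadObject/GetObject response for one object.

    The default only covers objects written after the change; an object
    stored unencrypted before it stays that way until it is rewritten, and
    shows up here as "none". SSE-C objects can only be inspected when the
    request supplied the customer key, otherwise S3 rejects the request.
    """
    sse = head.get("ServerSideEncryption")
    if sse == AWS_KMS:
        return f"SSE-KMS ({head.get('SSEKMSKeyId', 'aws/s3')})"
    if sse == AES256:
        return "SSE-S3"
    if head.get("SSECustomerAlgorithm"):
        return "SSE-C"
    return "none"


if __name__ == "__main__":
    # Constructed samples; the key ARN is a placeholder.
    kms_cfg = {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": AWS_KMS,
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        "BucketKeyEnabled": True}]}
    print("no explicit rule:", effective_default(None))
    print("kms bucket      :", effective_default(kms_cfg))
    print("findings        :", check_bucket(None, require_kms=True))
    print("legacy object   :", object_encryption({}))
```

Run this against the JSON that `aws s3api get-bucket-encryption --bucket NAME` prints for each bucket in an inventory; buckets that still report "none" for older objects are the ones the default did not retroactively fix.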

The change to automatic encryption for new object uploads and S3 Default Encryption configuration is visible now in AWS CloudTrail logs, according to Amazon.
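Because the applied encryption is now recorded in CloudTrail, a security team can review it from the log rather than by probing every object. The script below is an added example, not AWS's or the article's code. It reads CloudTrail S3 data events, tallies which encryption each upload received, and flags uploads that used customer-supplied keys (SSE-C) or, when policy requires SSE-KMS, any upload or bucket-default change that falls short. The `SSEApplied` field in `additionalEventData` and its values are taken from AWS's documentation of these events and are an assumption here; the records themselves are constructed and trimmed, and the account ID and key ARN are placeholders.

```python
"""Review S3 encryption activity in CloudTrail data events (added example).

Record shapes follow CloudTrail's JSON for S3 data events; the SSEApplied
field and its values are assumed from AWS documentation. Records are constructed.
"""
from __future__ import annotations
import json
from collections import Counter

# Constructed CloudTrail log body, trimmed to the fields this review uses.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "PutObject", "eventTime": "2023-01-06T10:00:00Z",
     "requestParameters": {"bucketName": "finance-archive", "key": "q4.csv"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventName": "PutObject", "eventTime": "2023-01-06T10:01:00Z",
     "requestParameters": {"bucketName": "finance-archive", "key": "q4.xlsx",
                           "x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutObject", "eventTime": "2023-01-06T10:02:00Z",
     "requestParameters": {"bucketName": "finance-archive", "key": "notes.txt",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutBucketEncryption", "eventTime": "2023-01-06T11:00:00Z",
     "requestParameters": {"bucketName": "finance-archive",
                           "ServerSideEncryptionConfiguration": {"Rule": {
                               "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}}}},
]})

KMS_MODES = ("SSE_KMS", "Default_SSE_KMS")


def load_records(trail_json: str) -> list[dict]:
    """Parse one CloudTrail log file body: {"Records": [...]}."""
    return json.loads(trail_json)["Records"]


def sse_applied(record: dict) -> str | None:
    """Encryption S3 reports having applied to a PutObject, if recorded."""
    return record.get("additionalEventData", {}).get("SSEApplied")


def summarize_uploads(records: list[dict]) -> Counter:
    """Count uploads by applied encryption; UNKNOWN means no SSEApplied field."""
    return Counter(sse_applied(r) or "UNKNOWN"
                   for r in records if r["eventName"] == "PutObject")


def review(records: list[dict], *, require_kms: bool = False) -> list[dict]:
    """Return findings worth a human look.

    SSE-C is always flagged: AWS keeps no copy of a customer-supplied key, so
    an object written with it is unreadable if the key is lost. With
    require_kms, non-KMS uploads and bucket defaults are flagged as well.
    """
    findings = []
    for r in records:
        params = r.get("requestParameters", {})
        where = {"time": r["eventTime"], "bucket": params.get("bucketName"),
                 "key": params.get("key")}
        if r["eventName"] == "PutObject":
            mode = sse_applied(r)
            if mode is None:
                findings.append({**where, "reason": "no SSEApplied recorded"})
            elif mode == "SSE_C":
                findings.append({**where, "reason": "customer-supplied key (SSE-C)"})
            elif require_kms and mode not in KMS_MODES:
                findings.append({**where, "reason": f"{mode} applied, policy requires SSE-KMS"})
        elif r["eventName"] == "PutBucketEncryption" and require_kms:
            rule = (params.get("ServerSideEncryptionConfiguration", {})
                    .get("Rule", {}).get("ApplyServerSideEncryptionByDefault", {}))
            if rule.get("SSEAlgorithm") != "aws:kms":
                findings.append({**where, "reason":
                                 f"bucket default set to {rule.get('SSEAlgorithm')}, policy requires SSE-KMS"})
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print(summarize_uploads(recs))
    for f in review(recs, require_kms=True):
        print(f)
```

Point `load_records` at the decompressed objects in the trail's delivery bucket (or at Athena query output converted to the same shape) and the summary becomes a daily measure of how many objects still arrive relying on the new default versus an explicit choice.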

Over the next few weeks, this status will also begin to appear in the S3 management console, S3 Inventory, S3 Storage Lens, and as an additional S3 API header in the AWS CLI and AWS SDK.

The default bucket security settings announced in December will not take effect until April. One of the changes blocks public access to newly created buckets by default to guard against users unintentionally creating an openly available bucket, as The Register detailed at the time. ®
