rronalddas | 4 years ago

KMS Encrypted objects shouldn't be affected though

hericium|4 years ago

Aren't KMS keys created by Amazon?

raffraffraff|4 years ago

There are three types of S3 server side encryption:

- SSE-KMS

- SSE-S3

- SSE-C

Without having an AWS support person test each type and report back, one must assume that the only bulletproof S3 encryption methods are client-side (where you handle encryption and decryption yourself and they just store the blob) and SSE-C (where AWS don't store your keys, you send them in every bucket API request). But even that latter method has other caveats:

- What does the S3 service log? Who can access those logs?

- Where does TLS for your S3 HTTPS request get terminated? Who can view the traffic?

I'm assuming that this isn't just a regional issue, and that any AWS Support person globally could access buckets in any region. If so, then that's a big deal. If you're in Europe and your bank or healthcare provider is an AWS customer, how much trouble could you cause them (and by extension, AWS) right now?

Furthermore, with the antiwork movement and backlash amongst employees for their treatment of warehouse workers, one cannot guarantee that an AWS worker wouldn't do something to hurt the company.

Amazon need to head this off with a very thorough explanation of what happened and what was exposed directly and indirectly.

RKearney|4 years ago

Yes, but this role did not add the necessary privileges for it to use customer KMS keys. You can’t get an S3 object that’s encrypted with a KMS key if you don’t also have permission to decrypt with that key.

Of course Amazon could just give themselves access to decrypt with your KMS keys too, but that didn’t happen here.

cateof|4 years ago

Objects encrypted with S3-managed encryption keys (SSE-S3) are affected, as these keys are set up with a non-configurable resource policy granting the S3 service decryption permissions.
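
Added example, not part of the thread or any commenter's code: a simplified model of the distinction discussed above, showing which objects a principal with S3 read access but no `kms:Decrypt` could read in plaintext under SSE-S3, SSE-KMS and SSE-C. The policy, bucket, account ID and key ARN are constructed placeholders, and the evaluator assumes Allow statements only (no Deny, Condition or KMS key policy).

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement matches action and resource.
    Simplification: ignores Deny, Condition, and KMS key policies."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False

def readable(policy, obj, has_sse_c_key=False):
    """Can a principal holding `policy` get plaintext for `obj`?"""
    if not allows(policy, "s3:GetObject", obj["arn"]):
        return False
    if obj.get("SSECustomerAlgorithm"):               # SSE-C: caller must send the key
        return has_sse_c_key
    if obj.get("ServerSideEncryption") == "aws:kms":  # SSE-KMS: needs kms:Decrypt too
        return allows(policy, "kms:Decrypt", obj["SSEKMSKeyId"])
    return True                                       # SSE-S3 ("AES256"): S3 decrypts itself

# Constructed sample data (account ID, bucket, and key ID are placeholders).
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
BUCKET = "arn:aws:s3:::example-bucket/"
OBJECTS = [
    {"arn": BUCKET + "a.csv", "ServerSideEncryption": "AES256"},
    {"arn": BUCKET + "b.csv", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN},
    {"arn": BUCKET + "c.csv", "SSECustomerAlgorithm": "AES256"},
]
# Hypothetical role: S3 read access, no KMS permissions.
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

def exposed(policy, objects):
    """ARNs of objects the policy holder could read in plaintext."""
    return [o["arn"] for o in objects if readable(policy, o)]

if __name__ == "__main__":
    print(exposed(S3_ONLY, OBJECTS))
```

The field names (`ServerSideEncryption`, `SSEKMSKeyId`, `SSECustomerAlgorithm`) match what S3 returns from HeadObject, so the same check can be run over real object metadata.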