Now let's look at encryption settings. So, we'll go into the coffee.jpg file and I'm going to scroll down, and let's have a look at the encryption setting. So, as we can see, for the server-side encryption setting right now, there is default encryption, Disabled, and server-side encryption, None. So, our object is not encrypted. Now, we could edit it and encrypt it in place, but I want to show you how it's done as well when we upload a file. So let's go ahead and upload a file. I will add a file, and I will add again the coffee.jpg file. Now we'll scroll down, and I will look at additional options for encryption. So let me scroll down. We are getting into the server-side encryption settings. I will click on Enable, and here we have different kinds of options. So obviously we disabled it, and this is no server-side encryption, which was the default from before, or we can enable it. So the first encryption type we've seen and learned about is SSE-S3. In this case, we are using an Amazon S3 key, and this is an encryption key that Amazon S3 will create, manage, and use for us.
So fairly easy. This is what we could do, and we could just go ahead and create that file, for example, with the Amazon S3 key. So let's scroll down, upload it, and that is it: we have uploaded a file with encryption of SSE-S3. Now let's do it again, but for the beach.jpg. So let's add a file and go for beach.jpg, and I'm going to expand the additional upload options, scroll down, Enable Server-Side Encryption, and the second option is AWS-KMS key, so SSE-KMS. In that case, as we've seen, we still have an encryption key, but this time that encryption key is protected by the KMS service. And here, we have a couple of options. We could use an AWS managed key, which is AWS/S3, and this would be an easy option, or you can choose from your own KMS master keys if you want to create your own key, which we'll not do right now. Or if the key isn't in other accounts, we could enter the KMS master key ARN, Amazon Resource Name, manually in here, but to keep things simple, we're going to use an AWS managed key (AWS/S3).
And this is going to make sure that the key encryption happens by doing API calls into the KMS service, okay? So let's upload this file again. Okay, now if we exit this, let's have a look at what we have. So we have five object versions. So we have different coffee.jpg, we have different beach.jpg, and so we could look at specific object versions in particular. So if we look at the beach.jpg we just had and the one from before, let's have a look at what the encryption says. So this is the one I just uploaded. And if we look at the encryption setting, it's encrypted with AWS-KMS master-key, so (SSE-KMS). And if I look at the beach.jpg we had from before, when we first uploaded that file, if I scroll down, as you can see, server-side encryption is None. So what this means is that the encryption setting is just for a specific file and its specific version ID, but this will make sense. So we can upload these files manually and specify the encryption setting for each file.
Or if we wanted to, we could, for example, go into Properties and specify a default encryption mechanism for the bucket. So how do we do it? Well, for example, let's edit these default encryption settings. So here we go, I will edit it. And we will Enable Server-side encryption by default. And let's say we want, by default, every single object to be uploaded with the Amazon S3 key. So we'll use this, save the changes, and now let's try to upload a file without any encryption. So let's have a look. So we'll go to Objects, upload it. And I'm going to upload a coffee.jpg file, but I'm not specifying any encryption. But as we can see, the default encryption is Enabled, okay? But if I go into additional upload options, I'm saying encryption to use the default encryption bucket settings. And so, as you can expect, if I upload this file, what is going to happen? Well, let's have a look. I'm going to click on this file ID right here and look at the kind of server-side encryption setting it has. Yes, it has an Amazon S3 master key.
So the default encryption setting worked properly. And so lastly, you may be asking me, Hasty fan, you taught us about more settings, you know, to encrypt files. So why don't we see them? So let's have a look. If I go into the Options and look at overriding, as we can see, we have Amazon S3 key, so (SSE-S3), or (SSE-KMS). Another one we have learned is (SSE-C). And we can only do this through the CLI, because we have to pass in an encryption key into AWS securely to encrypt that object. So this is not something that has been developed to be done through the console at this time. So it's not accessible to us. So the SSE-C option is not going to be shown. And the last option I showed you, it was called Client-Side encryption. And Client-Side encryption means that we need to encrypt objects client side, so on our own computers, before uploading to Amazon S3. And so Amazon S3 doesn't really care if it's encrypted or not, it will just take all the bytes anyway. And so this is why this option does not show anything here as well.
So that makes sense. This is where we can only see SSE-S3 and SSE-KMS. So that's it for this lecture. I hope you liked it. And I will see you in the next lecture.
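The lecture walks through the same encryption modes in the console. As an added example, not from the lecture and not AWS or boto3 code, the Python below shows the request headers that select each server-side encryption mode on a PutObject (including the SSE-C key headers that are why SSE-C is CLI/API only), maps the headers S3 returns for an object version back to the mode name the console displays, and audits a version listing for unencrypted versions the way the lecture inspected the older beach.jpg. The bucket name, the KMS key ARN, the version IDs and the header dictionaries are constructed placeholders; the header names are the documented S3 ones.

```python
import base64
import hashlib
import os

# Constructed placeholders (not values from the lecture).
BUCKET = "example-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def put_object_encryption_headers(mode, kms_key_id=None, customer_key=None):
    """Return the x-amz-* request headers that select one S3 server-side
    encryption mode on a PutObject. 'none' sends no header, so the bucket's
    default encryption setting (if any) decides, as in the lecture's last upload."""
    if mode == "none":
        return {}
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omitted -> the AWS managed key (aws/s3) is used
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The client supplies a 256-bit key per request, base64-encoded, plus the
        # base64 MD5 of the raw key so S3 can detect a corrupted key in transit.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 32-byte (256-bit) customer key")
        key_md5 = hashlib.md5(customer_key).digest()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(key_md5).decode(),
        }
    raise ValueError(f"unknown encryption mode {mode!r}")


def classify_encryption(response_headers):
    """Map the headers S3 returns for one object version (HeadObject/GetObject)
    to the mode name the console shows on the object's Properties tab."""
    if response_headers.get("x-amz-server-side-encryption-customer-algorithm"):
        return "SSE-C"
    sse = response_headers.get("x-amz-server-side-encryption")
    if sse is None:
        return "None"
    if sse == "AES256":
        return "SSE-S3"
    if sse == "aws:kms":
        return "SSE-KMS"
    return f"unknown ({sse})"


def find_unencrypted_versions(versions):
    """versions: iterable of (key, version_id, response_headers) tuples.
    Returns the (key, version_id) pairs whose server-side encryption is None.
    Encryption is a per-version property, so older versions stay unencrypted
    even after a default encryption setting is turned on for the bucket."""
    return [(k, v) for k, v, h in versions if classify_encryption(h) == "None"]


# Constructed listing mirroring the lecture's five versions: the first coffee.jpg
# and beach.jpg uploads had no encryption; later uploads used SSE-S3 and SSE-KMS.
SAMPLE_VERSIONS = [
    ("coffee.jpg", "ver-1", {}),
    ("coffee.jpg", "ver-2", {"x-amz-server-side-encryption": "AES256"}),
    ("beach.jpg", "ver-1", {}),
    ("beach.jpg", "ver-2", {"x-amz-server-side-encryption": "aws:kms",
                            "x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}),
    ("coffee.jpg", "ver-3", {"x-amz-server-side-encryption": "AES256"}),  # bucket default applied
]


if __name__ == "__main__":
    for mode, kwargs in [("SSE-S3", {}), ("SSE-KMS", {"kms_key_id": KMS_KEY_ARN}),
                         ("SSE-C", {"customer_key": os.urandom(32)})]:
        print(mode, put_object_encryption_headers(mode, **kwargs))
    for key, vid, hdrs in SAMPLE_VERSIONS:
        print(f"{key} {vid}: {classify_encryption(hdrs)}")
    print("unencrypted versions:", find_unencrypted_versions(SAMPLE_VERSIONS))
```

The audit function is the defender's view of what the lecture demonstrated by clicking through versions: turning on default bucket encryption only affects objects written afterwards, so an inventory of existing versions is still needed to find the ones that remain unencrypted.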