S5 - super secure S3 buckets

Who do you trust most when it comes to your valuable data? Yourself or someone else? A lot of people have infinite trust in their cloud provider. It’s like they trust every new feature which comes out. Given the fact that cloud adoption is growing big, this trust is not without reason. However, sometimes you need to put the trust back into your own hands. Make sure you adhere to S5 – super secure S3 buckets as the source of your data.

Secure your data

A lot of companies do have a dedicated security department. One of the main tasks of this department is to safeguard the corporate data. All kinds or corporate data like application source code, customer data, statistics, sales-related data etc. When large amounts of data is lost or compromised, these companies are in serious trouble. Good reasons to be very strong on data requirements. Probably it would be no surprise that all of this data should be encrypted – in transit and at rest.

Better protection & requirements

When storing confidential data at a public Cloud provider, there are considerations to do this in a safe way. Johnander Jansen, one of the partners of Business IT Nerd, has his view on protecting it. Read his views to grab his thoughts.

First, the requirements are determined: the data should be:

  • available all the times
  • accessible in an easy fashion
  • completely in control of the owner
  • and it should be secured very very well

He decided to put his data in an Amazon S3 bucket. S3 is a very reliable and secure way to store data in the public cloud. It can meet almost all requirements which are defined. Almost. What about key management? Proper key management determines who can access the data and who can’t.

Handle it yourself

With the core capabilities of AWS in mind, only Amazon would be able to handle the key management. Security departments demands: key management should be handled internally. Part of the solution is AWS Cloudfront which makes the data accessible in a speedy way for consumers all around the world. Cloudfront, as this time of writing, is not able to use Customer Managed Keys (CMK) as part of their KMS (Key Management Services).

Optimal security for your valuable data

Johnander built the following solution to overcome this. Managers can skip the last technical part and jump to the last paragraph. 🙂


S5 - super secure S3 bucket

  • S3 is used as a cloudfront identity and origin. The data in the S3 bucket is encrypted using CMK.
  • A Lambda function is deployed to an Edge location. It is bound at Cloudfront for only the S3 bucket as the origin.
  • The Lambda function assumes an IAM role and this is the same role as for the S3 bucket and the CMKs. This role is being used to decrypt the contents of the S3 bucket.
  • The Lambda function gets temporarily credentials from the IAM role to change all of the incoming HTTP requests.
  • After the transformation of all HTTP requests, the response is sent back to the Cloudfront origin (S3 bucket).

Where to go from here

The solution mentioned above puts the trust back into your own hands. Data is protected with keys you manage yourself. The S3 storage solution provides all of the benefits of highly availability and it is extremely reliable.

Are your data (protection) requirements similar? Reach out to us to get your S5 – super secure S3 buckets being deployed. We are happy to share our implementation details with you to help you protect your data at the highest levels.