Securing Amazon S3 Glacier with a customer-managed encryption key

Customer-managed encryption keys are a common architecture requirement within highly regulated workloads. This post demonstrates how to satisfy this requirement within Amazon Simple Storage Service (Amazon S3), including Amazon S3 Glacier.

We also clarify some common points of confusion and demonstrate how objects can be uploaded directly to Amazon S3 Glacier via Amazon S3, which can help meet regulatory requirements as well as potentially save budget.

Background

Amazon S3 is a highly scalable, reliable, fast, and inexpensive data storage service. Amazon S3 offers a range of storage classes designed for different use cases. Amazon Glacier is a secure, durable, and low-cost solution for long-term data archival storage and digital preservation (like tape backups). Amazon S3 Glacier is both a standalone service and an Amazon S3 storage class.

Amazon S3 Glacier can be used without using direct Application Programming Interface (API) or the AWS Management Console (although those options still exist). Instead, you can view and use Amazon S3 Glacier as if it is another storage class within Amazon S3.

There are two sets of AWS documentation regarding Amazon S3 Glacier depending on your chosen API. One set of documents refers to the standalone service; the other discusses use of Amazon S3 Glacier as an Amazon S3 storage class.

What to know

1. Amazon S3 Glacier can be accessed directly or via Amazon S3.
2. You can use the Amazon S3 Console or API as your default for all Amazon S3 Glacier interactions.
   • This can eliminate the concepts of “Vaults” and “Archives” and instead treat everything as an object in an Amazon S3 bucket.
   • Consider replacing “Vault Lock” with “S3 Object Lock.”
3. Refer to Amazon S3 Documentation first. When you need detail beyond this, consult the Amazon S3 Glacier (stand-alone) Documentation.
4. Be mindful of documentation and forum discussion referring to “Amazon Glacier.”

Demonstration overview

In this blog post, I demonstrate how to upload an object to Amazon S3 Glacier via Amazon S3 using a custom encryption key.

Prerequisites

To complete this on your own, you need the following:

• An AWS account
• AWS Identity and Access Management (AWS IAM) permissions for Amazon S3, Amazon S3 Glacier, and AWS Key Management Service (AWS KMS)
• A symmetric, AWS KMS, Customer-Managed Key (CMK) – Documentation
• An S3 Bucket (How to create a bucket)

Demonstration

• Within the AWS Management Console, navigate to the Amazon S3 Service.

• Amazon S3 is a global service; a specific region selection within the console is not applicable as shown here.

• Navigate within a desired destination S3 bucket.
• Select Upload.

• Select an example object to upload.

• Select Next until you arrive at the #3 “Set Properties” menu.
• Select the Amazon S3 Storage Class of Amazon Glacier.

• Select upload and your object is uploaded to Glacier using server-side encryption with your KMS Customer Managed Key as the Private Key. This action could also be completed via AWS command-line interface (CLI) or a desired software development kit (SDK) via API.
• The encrypted upload is complete. In Figure 1 below, we see the object was encrypted using the specified encryption key (see “Server-side Encryption” set to “AWS-KMS”) and then archived into Amazon S3 Glacier (see “Storage Class” set to “Glacier”).

Additional Resources

• Amazon S3 Documentation
• Amazon S3 Glacier (stand-alone) Documentation
• Amazon S3 Storage Classes
• AWS Announces New Amazon S3 Features that Simplify the Use of the Amazon S3 Glacier Storage Class for Archival Workloads in All AWS Regions

Conclusion

You’re now equipped with additional clarity on the interoperability between Amazon Glacier and Amazon S3. I encourage you to look for ways in which you can employ this information in support of your organization’s mission to increase security and save costs.

Happy building!