Using Encryption to Protect Sensitive Data in Amazon S3


1 hour, 10 credits

SPL-DD-200-STS3P3-10-EN - Version 1.0.0

© 2021 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Lab Overview

Data protection refers to protecting data in transit, as it travels to and from Amazon Simple Storage Service (Amazon S3), and at rest, while it is stored on disks in Amazon S3 data centers. You can protect data in transit using Secure Sockets Layer (SSL), Transport Layer Security (TLS), or client-side encryption. You have the following options for protecting data at rest in Amazon S3:

  • Server-side encryption is when you request that Amazon S3 encrypt your objects before saving them on disks in its data centers and decrypt them when you download the objects.

  • Client-side encryption is when you encrypt data on the client side (locally) and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

For more information about server-side encryption, refer to Protecting data using server-side encryption in the Additional resources section.

For more information about client-side encryption, refer to Protecting data using client-side encryption in the Additional resources section.

In this lab, you use S3 bucket policies to enforce encryption in transit and at rest. You configure S3 default bucket encryption and explore how it differs from enforcing encryption requirements with an S3 bucket policy.

Topics Covered

By the end of this lab, you will be able to:

  • Explain the types of S3 server-side encryption and the differences between them.
  • Implement default encryption on an Amazon S3 bucket.
  • Define encryption in transit and at rest requirements using S3 bucket policies.

Technical Knowledge Prerequisites

To successfully complete this lab, you should be familiar with basic navigation of the AWS Management Console and be comfortable editing scripts using a text editor.

Icon key

Various icons are used throughout this lab to call attention to certain aspects of the guide. The following list explains the purpose for each one:

  • The keyboard icon specifies that you must run a command.
  • The clipboard icon indicates that you can verify the output of a command or edited file by comparing it to the provided example.
  • The note icon specifies important hints, tips, guidance, or advice.
  • The caution icon calls attention to information of special interest or importance. Failure to read the note does not result in physical harm to the equipment or data, but could result in the need to repeat certain steps.
  • The "i" circle icon specifies where to find more information.
  • The person with a check mark icon indicates an opportunity to check your knowledge and test what you have learned.
  • The consider icon suggests a moment to pause to consider how you might apply a concept in your own environment or to initiate a conversation about the topic at hand.


Your company, AnyCompany Medical Imaging, uses Amazon S3 buckets to store a variety of medical information, such as dental records, prescription information, and X-rays. Compliance requirements dictate that data stored in a particular bucket must be encrypted in transit using SSL/TLS and at rest using server-side encryption with Amazon S3 managed keys (SSE-S3). You have decided to explore S3 default bucket encryption and bucket policies to determine which approach best meets the requirements.
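The following is an added example and not part of the lab. It builds the bucket policy the scenario calls for (an explicit Deny for requests that are not sent over TLS, and explicit Denies for PutObject requests whose x-amz-server-side-encryption header is missing or names anything other than AES256, the value that selects SSE-S3), then sets a simplified model of how S3 evaluates those Deny statements beside a model of default bucket encryption, so the two approaches can be compared on the same requests. The bucket name is an assumed placeholder, the request contexts are constructed, and the evaluator covers only the three condition operators used here and only Deny statements.

```python
"""Added example, not part of the lab. Builds the bucket policy the scenario
calls for and contrasts a simplified model of its Deny evaluation with a model
of default bucket encryption. Bucket name is an assumed placeholder; only the
three condition operators used here, and only Deny statements, are modelled."""
import json

BUCKET_ARN = "arn:aws:s3:::anycompany-medical-imaging-records"  # assumed name

# An explicit Deny always wins over any Allow, so these hold regardless of
# what IAM identity policies grant. "Principal": "*" covers every caller.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # In transit: refuse any request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # At rest: refuse uploads that ask for anything other than SSE-S3.
            "Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {   # StringNotEquals never matches an absent header, so a separate
            # Null check is needed to refuse uploads that send no header.
            "Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def policy_document() -> str:
    """JSON to paste into Permissions > Bucket policy in the console."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Bool, StringNotEquals and Null, with IAM's rule that an operator other
    than Null does not match when the context key is absent."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                if have is None or str(have).lower() != want:
                    return False
            elif operator == "StringNotEquals":
                if have is None or have == want:
                    return False
            elif operator == "Null":
                if (have is None) != (want == "true"):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy: dict, action: str, ctx: dict):
    """Sid of the first matching Deny statement, or None. Only Deny is
    modelled; a real request additionally needs an Allow from somewhere."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" and ("s3:*" in actions or action in actions):
            if _condition_matches(stmt.get("Condition", {}), ctx):
                return stmt["Sid"]
    return None


def store_with_default_encryption(ctx: dict, default: str = "AES256") -> str:
    """Default bucket encryption rejects nothing and never looks at transport:
    a PUT without the header is stored with the bucket default, a PUT that
    names an algorithm keeps it."""
    return ctx.get("s3:x-amz-server-side-encryption") or default


# Constructed PutObject request contexts (not captured traffic).
REQUESTS = {
    "http_put_no_header": {"aws:SecureTransport": "false"},
    "https_put_no_header": {"aws:SecureTransport": "true"},
    "https_put_kms": {"aws:SecureTransport": "true",
                      "s3:x-amz-server-side-encryption": "aws:kms"},
    "https_put_sse_s3": {"aws:SecureTransport": "true",
                         "s3:x-amz-server-side-encryption": "AES256"},
}


def compare(requests: dict = REQUESTS) -> dict:
    """Per request: outcome under the bucket policy versus under a bucket that
    has only default encryption and no policy."""
    result = {}
    for name, ctx in requests.items():
        sid = evaluate(BUCKET_POLICY, "s3:PutObject", ctx)
        result[name] = {
            "bucket_policy": f"denied by {sid}" if sid else "allowed",
            "default_encryption_only":
                f"accepted, stored with {store_with_default_encryption(ctx)}",
        }
    return result


if __name__ == "__main__":
    print(policy_document())
    for name, outcome in compare().items():
        print(f"{name:21} {outcome['bucket_policy']:38} "
              f"| {outcome['default_encryption_only']}")
```

Running the block prints the policy and then one line per request: the policy rejects the plaintext-HTTP upload, the upload with no encryption header, and the SSE-KMS upload, and allows only the HTTPS upload that asks for AES256; default encryption accepts all four, silently storing the header-less uploads with SSE-S3 and leaving the SSE-KMS one as requested. Two caveats worth keeping in mind when choosing between them: default encryption applies only to objects written after it is turned on and never inspects transport, and it does not add the header to the request that S3 evaluates, so a bucket with both default encryption and the Null-condition Deny above will still reject clients that rely on the default rather than sending the header themselves.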

Start Lab

  1. At the top of your screen, launch your lab by choosing Start Lab.

This starts the process of provisioning your lab resources. An estimated amount of time to provision your lab resources is displayed. You must wait for your resources to be provisioned before continuing.

If you are prompted for a token, use the one distributed to you (or credits you have purchased).

  2. Open your lab by choosing Open Console.

This automatically logs you in to the AWS Management Console.

Do not change the Region unless instructed.

Common Login Errors

Error: Federated login credentials

If you see this message:

  • Close the browser tab to return to your initial lab window
  • Wait a few seconds
  • Choose Open Console again

You should now be able to access the AWS Management Console.

Error: You must first log out

If you see the message, You must first log out before logging into a different AWS account:

  • Choose click here
  • Close your browser tab to return to your initial lab window
  • Choose Open Console again
