To serve S3 content encrypted with SSE-C through CloudFront, you can use a Lambda@Edge function to handle the encryption keys. Here's a high-level approach to how you could set this up:
Create a Lambda@Edge Function:
Implement a Lambda@Edge function that will be triggered on viewer request events. This function should:
- Retrieve the encrypted Data Encryption Keys (DEK) for the requested object from your DB or S3.
- Decrypt the DEK using AWS KMS.
- Add the decrypted DEK as the x-amz-server-side-encryption-customer-key header in the request forwarded to S3.
Deploy the Lambda@Edge Function:
Deploy your Lambda@Edge function to AWS Lambda, associate it with your CloudFront distribution, and ensure that the function has the necessary permissions to:
- Access the DEKs from your DB/S3.
- Decrypt keys using AWS KMS.
- Write logs to CloudWatch for monitoring and debugging.
Configure CloudFront:
Configure your CloudFront distribution to trigger the Lambda@Edge function on viewer request events. Ensure your S3 bucket policy allows access from CloudFront with the necessary SSE-C headers.
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!
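The handler below is an added illustration of the request-event step described in the answer above; it is not code from the answer or from AWS. It assumes (hypothetically) that wrapped DEKs are looked up by the object's folder prefix from an in-memory dict standing in for a DynamoDB/S3 lookup, that the wrapped DEKs were produced by KMS Encrypt and are unwrapped with KMS Decrypt, and that the KMS call is injectable so the logic can be exercised without AWS credentials. One detail worth knowing: the S3 SSE-C API requires three headers on every request, not one, so the example sets the algorithm, the base64 key and the base64 MD5 of the key together; S3 rejects the request if the MD5 header is missing or wrong.

```python
"""Lambda@Edge request handler that injects SSE-C headers for an S3 origin.

Added example (not from the re:Post answer). Assumed, hypothetical details:
  - wrapped DEKs are keyed by the object's top-level folder prefix;
  - the wrapped DEKs are KMS Encrypt ciphertexts, unwrapped via KMS Decrypt;
  - the function is attached to a request event (viewer or origin request;
    the request object has the same shape in both).
"""
import base64
import hashlib
from urllib.parse import unquote

# Constructed stand-in for "retrieve the encrypted DEK from your DB or S3".
# A real deployment would query DynamoDB or read a key manifest from S3 here.
# Lambda@Edge functions cannot use environment variables, so table/bucket
# names have to be hard-coded or derived from the request.
ENCRYPTED_DEKS_BY_PREFIX = {
    "reports/": b"constructed-kms-ciphertext-for-reports",
    "invoices/": b"constructed-kms-ciphertext-for-invoices",
}

# Canonical header names; the Lambda@Edge headers dict is keyed by the
# lowercase name, with the canonical casing carried in the "key" field.
SSE_C_ALGORITHM = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def folder_prefix(uri):
    """'/reports/2024/q1.pdf' -> 'reports/'; objects at the bucket root map to ''."""
    path = unquote(uri).lstrip("/")
    head, sep, _rest = path.partition("/")
    return head + sep if sep else ""


def lookup_encrypted_dek(uri):
    """Return the wrapped DEK for the object's folder, or None if the folder
    is not SSE-C encrypted (those requests are passed through untouched)."""
    return ENCRYPTED_DEKS_BY_PREFIX.get(folder_prefix(uri))


def kms_decrypt(ciphertext):
    """Unwrap a DEK with AWS KMS. boto3 is imported lazily so the module
    loads (and the rest of the logic can be tested) without boto3 installed."""
    import boto3

    return boto3.client("kms").decrypt(CiphertextBlob=ciphertext)["Plaintext"]


def sse_c_headers(key):
    """Build the three headers S3 requires for SSE-C (AES-256, 32-byte key)."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit key")
    return {
        SSE_C_ALGORITHM: "AES256",
        SSE_C_KEY: base64.b64encode(key).decode("ascii"),
        SSE_C_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def add_sse_c_headers(request, decrypt=kms_decrypt):
    """Attach SSE-C headers to a CloudFront request object and return it.

    `decrypt` is injectable so the flow can run offline; production uses KMS.
    The plaintext key exists only in this invocation's memory: never log it.
    """
    wrapped = lookup_encrypted_dek(request["uri"])
    if wrapped is None:
        return request
    key = decrypt(wrapped)
    for name, value in sse_c_headers(key).items():
        request["headers"][name.lower()] = [{"key": name, "value": value}]
    return request


def handler(event, context):
    """Lambda@Edge entry point for a viewer-request or origin-request trigger."""
    request = event["Records"][0]["cf"]["request"]
    return add_sse_c_headers(request)
```

Two operational points follow from this. First, the headers only reach S3 if the distribution's origin request policy forwards them, and the origin must be reached over HTTPS, since S3 refuses SSE-C requests over plain HTTP. Second, because the key changes the object's identity, the cache policy must not include these headers in the cache key, or every request will miss.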
Thank you for the quick response.
Continuing from that, I have a couple of other questions; it would be a great help if you could answer them.
- How do I encrypt the existing S3 objects by providing a separate DEK for each folder? AWS Batch doesn't seem to have that option.
- And replication, in case of disaster?