S3 Batch Copy : Data Security over Transit


Hello,

Use Case: S3 Transfer data Cross Account: I want to transfer data across two buckets cross two accounts that are not owned by the same organization.

Implementation

  1. As the data is going to be residing in the same region, we are going to be using S3 Batch COPY.
  2. Why S3 Batch? Because the destination user wants to be able to pull data whenever required due to certain restrictions, whereas S3 Replication will keep copying data as soon as it is uploaded to the S3 Bucket.
  3. Using a Manifest.csv file located in the Source account. The source user will be updating the manifest.csv when new data is ready to be transferred across accounts.
  4. We have also limited the source bucket to Deny any requests that aren't over HTTPS (this was done by adding a deny statement with the condition "aws:SecureTransport": "false").
  5. This solution is working and we are able to transfer data successfully across the buckets located in separate accounts.

Queries: I have tried finding the answers for my questions below to no avail; it's not mentioned in any document that I have gone through. Any help would be greatly appreciated.

  1. When using S3 Batch, is the data in transit secure? What I mean by this is that
  • Is it over a secure line (like AWS's own backend private network)?
  • Is the data encrypted over transit?
  • Can S3 Batch COPY work Cross Regions Cross Account?
  2. Also the same question w.r.t. S3 Replication, is the data in transit secure? What I mean by this is that
  • Is it over a secure line (like AWS's own backend private network)?
  • Is the data encrypted over transit?

Below is a simple diagram of what I have set up currently,

Thank you!!

  • @rePost-User-1408429 Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

  • Hey there,

    Sorry for the late response,

    I had a chance to connect with an AWS Tech, so the below were my questions and his answers,

    1. When using S3 Batch, is the data in transit secure? Ans: We(AWS) use the AWS private network for object copying between S3 buckets within the same region. Also, for object copying between S3 buckets between different regions excluding the China region, we use the AWS private network, so you can think of it as not going through the basic public internet [1].
    2. Is data in transit Secure? Ans: When using batch operations, the S3 API is used for copying between S3 buckets, but if TLS encryption is required when communicating with the API, we recommend using the aws:SecureTransport condition key in the bucket policy to force HTTPS access [2].
asked a year ago · 364 views
2 Answers

Hey @rePost-User-1408429

Let me break this answer down in pieces.

When using S3 Batch, is the data in transit secure? What I mean by this is that

Is it over Secure Line (like AWS's own backend private network?) Is the data encrypted over transit? Can S3 Batch COPY work Cross Regions Cross Account?

Within this link Capital One and ePlus talk about using batch across regions.

S3 Batch is fundamentally powered by S3 replication.

Access to s3 can be provided via Privatelink Gateway or Interface. See Access AWS Batch using an interface endpoint for how to perform such over interface endpoint.

I also looked to see if Batch supports in-transit encryption; my suggestion would be to first:
  a. apply the concept from "Access AWS Batch using an interface endpoint"
  b. test if encryption in transit can be honored by applying the items as discussed in this other re:Post link here

Please do give this an accepted answer if you feel thusly. Best of luck and please do let us know if this worked out!

D G
answered a year ago
  • Hey there @D G,

    Thank you for your response, with your answer I was able to get some additional information.

    But it was not exactly what I was looking for. I have added a new comment with the response I was looking for after a brief discussion with AWS Tech.

Accepted Answer

I had a chance to connect with an AWS Tech, so the below were my questions and his answers,

  1. When using S3 Batch, is the data in transit secure? Ans: We(AWS) use the AWS private network for object copying between S3 buckets within the same region. Also, for object copying between S3 buckets between different regions excluding the China region, we use the AWS private network, so you can think of it as not going through the basic public internet.
  2. Is data in transit Secure? Ans: When using batch operations, the S3 API is used for copying between S3 buckets, but if TLS encryption is required when communicating with the API, we recommend using the aws:SecureTransport condition key in the bucket policy to force HTTPS access.
answered a year ago
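The source-bucket policy this thread describes (a cross-account read grant for the batch role next to a Deny whenever aws:SecureTransport is false), plus a small audit function that checks a policy actually enforces TLS on both the bucket and its objects. This is an added example, not code from the thread or from AWS; the bucket name, destination account ID and role name are placeholders.

```python
import json

# Placeholder/assumed values: source bucket, destination account and its batch-copy role.
BUCKET = "example-source-bucket"
DEST_ROLE = "arn:aws:iam::111122223333:role/S3BatchCopyRole"

def build_policy(bucket: str, reader_role_arn: str) -> dict:
    """Source-bucket policy: let the cross-account batch role read objects and the
    manifest, and deny every request from any principal that is not made over HTTPS."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountBatchRead",
                "Effect": "Allow",
                "Principal": {"AWS": reader_role_arn},
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def enforces_tls(policy: dict, bucket: str) -> bool:
    """True if a Deny for all principals covers the bucket AND its objects for every
    S3 action whenever aws:SecureTransport is false; a Deny on objects only is not enough."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") != "*":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if ("s3:*" in _as_list(stmt.get("Action"))
                and {bucket_arn, f"{bucket_arn}/*"} <= set(_as_list(stmt.get("Resource")))
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False
```

`json.dumps(build_policy(BUCKET, DEST_ROLE), indent=2)` gives the document to attach to the source bucket; the Allow statement still needs a matching trust and permission set on the batch role in the destination account, which the thread does not cover.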
