0
I have installed the AWS CLI on a server in my on-prem environment and I am able to copy files via the CLI S3 commands. How can I know if the files in transit to S3 are encrypted? There is an SSL certificate installed on the local server. Thanks.
1
"By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates."
Source - AWS CLI documentation.
Note that this SSL is used whether the CLI runs on an EC2 instance or on a remote computer outside AWS, e.g. a Windows or Linux machine.
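As an added illustration that is not part of Tim's answer or of any AWS tooling: since the CLI defaults to HTTPS with certificate verification, the part worth auditing on your own host is whether anything has weakened that default. The script below scans a constructed command line, environment and `~/.aws/config` text for the three settings that can do so: the `--no-verify-ssl` flag, an `http://` endpoint given via `--endpoint-url`, `endpoint_url` in the profile or `AWS_ENDPOINT_URL`/`AWS_ENDPOINT_URL_S3`, and a custom CA bundle (`ca_bundle`/`AWS_CA_BUNDLE`), which is what a TLS-inspecting corporate proxy needs and which means your TLS session ends at that proxy rather than at S3. The profile name, proxy host and CA path in the sample are invented.

```python
import shlex
import configparser

# Constructed sample inputs standing in for what you would gather on the on-prem
# host: the command that was run, its environment, and the text of ~/.aws/config.
# The profile name, proxy host and CA path are invented for the example.
SAMPLE_COMMAND = "aws s3 cp ./backup.tar.gz s3://example-bucket/backup.tar.gz --no-verify-ssl"
SAMPLE_ENV = {"AWS_PROFILE": "onprem"}
SAMPLE_CONFIG = """\
[profile onprem]
region = us-east-1
endpoint_url = http://s3-proxy.corp.example:8080
ca_bundle = /etc/pki/corp-root.pem
"""


def _is_plaintext_url(url):
    return url.strip().lower().startswith("http://")


def audit_command(command):
    """Findings for a single CLI invocation: flags that disable verification or force HTTP."""
    findings = []
    args = shlex.split(command)
    if "--no-verify-ssl" in args:
        findings.append("command: --no-verify-ssl disables certificate verification, "
                        "so an interceptor with any certificate could read the upload")
    for i, arg in enumerate(args):
        if arg == "--endpoint-url" and i + 1 < len(args):
            url = args[i + 1]
        elif arg.startswith("--endpoint-url="):
            url = arg.split("=", 1)[1]
        else:
            continue
        if _is_plaintext_url(url):
            findings.append(f"command: --endpoint-url {url} sends objects over plain HTTP")
    return findings


def audit_env(env):
    """Findings from environment variables that override the CLI's defaults."""
    findings = []
    for var in ("AWS_ENDPOINT_URL", "AWS_ENDPOINT_URL_S3"):
        if var in env and _is_plaintext_url(env[var]):
            findings.append(f"env: {var}={env[var]} sends objects over plain HTTP")
    if env.get("AWS_CA_BUNDLE"):
        findings.append("env: AWS_CA_BUNDLE points at a custom CA; if that CA belongs to an "
                        "inspecting proxy, your TLS session ends at the proxy, not at S3")
    return findings


def audit_config(config_text, profile):
    """Findings from the profile section of an ~/.aws/config file."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    # The default profile is [default]; named profiles are [profile NAME].
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        return findings
    endpoint = parser[section].get("endpoint_url")
    if endpoint and _is_plaintext_url(endpoint):
        findings.append(f"config [{section}]: endpoint_url = {endpoint} sends objects over plain HTTP")
    if parser[section].get("ca_bundle"):
        findings.append(f"config [{section}]: ca_bundle set; same caveat as AWS_CA_BUNDLE")
    return findings


def audit(command, env, config_text):
    """Combine all three checks; an empty list means the HTTPS default is intact."""
    profile = env.get("AWS_PROFILE", "default")
    return audit_command(command) + audit_env(env) + audit_config(config_text, profile)


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMMAND, SAMPLE_ENV, SAMPLE_CONFIG) or ["no downgrade settings found"]:
        print(finding)
```

On a real host, feed it the actual command from your shell history, `os.environ`, and the contents of `~/.aws/config`; an empty result means you are relying on the documented default, which is HTTPS to the S3 endpoint with the certificate checked.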
0
In addition to the CLI SSL support, Amazon uses a key management service (KMS in their documentation) and provides encryption for their offerings, such as AWS EBS, S3, Redshift and RDS. I found that (thank you, Google) tools such as FileZilla with SFTP and key pairs, or focused products like OnTap Cloud, have also been used.
Amazon encrypts data in several forms: at rest, in motion, and encrypted snapshots. The one caveat is that you cannot directly change the encryption status of volumes. You have to copy your volume, unencrypted to encrypted and vice versa. Their documentation gives details, and they recommend using a unique key, not your standard key, when copying a volume.
The good news is that when moving volumes or data between AWS products, it's easy to encrypt, and you know it's not in plain sight. There are also third-party articles on managing AWS volumes, such as this one from NetApp. It's good to see vendors applying security, rather than making the end user configure their setup for security.
Is this the same in case I am using the AWS CLI on a local machine (not an EC2 instance)? – Pramod – 2017-07-26T03:38:51.673
Whether you're using an EC2 instance or the AWS CLI on a remote machine the answer is the same. – Tim – 2017-07-26T04:44:36.803
AWS CLI is the same on your local machine or EC2 instance. – Algeriassic – 2017-07-27T00:46:06.857
You can test by sniffing the traffic out of your machine and see if it's encrypted or not – Algeriassic – 2017-07-27T00:49:02.800
@Algeriassic that's true, perhaps you could provide some information on how to do that. That kind of detailed testing would take a bit of time and effort, it would only be worthwhile for particularly sensitive information IMHO, given AWS is a reputable vendor and the information from them is clear. – Tim – 2017-07-27T00:54:25.250
@Tim he can use tcpdump to see the (encrypted) payload that is being sent to s3-"REGION".amazonaws.com. Here is the command:
tcpdump -As 0 -i eth0 port 443
– Algeriassic – 2017-07-28T04:01:26.987
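Following up on the tcpdump suggestion, as an added example that is not part of the comment thread: what you are looking for in a capture of the CLI's port 443 traffic is that the first bytes the client sends form a TLS handshake record (content type 0x16 followed by a 0x03 0x0x record version, then a ClientHello) rather than an HTTP request line such as `PUT /key HTTP/1.1` with the object bytes behind it. The only readable thing in a TLS ClientHello is the SNI host name, which for the CLI will be the S3 endpoint; everything after the handshake is ciphertext, which is why `tcpdump -A` shows gibberish. The code below is example code with constructed payloads (the bucket name, object key and byte values are invented): it builds a minimal TLS 1.2 ClientHello, then classifies the start of a TCP stream as TLS (extracting the SNI), an explicit-proxy CONNECT, plaintext HTTP, or unknown.

```python
import struct

# What a TLS-protected connection to S3 looks like at the start of the TCP
# stream, versus an unprotected one. Payloads below are constructed for the
# example; the bucket name and object key are invented.
TLS_HANDSHAKE_RECORD = 0x16
TLS_RECORD_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}
HTTP_METHODS = (b"GET ", b"PUT ", b"POST ", b"HEAD ", b"DELETE ")


def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (stand-in for a real capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name          # name_type host_name(0)
    sni_data = struct.pack(">H", len(sni_entry)) + sni_entry
    extensions = struct.pack(">HH", 0x0000, len(sni_data)) + sni_data  # extension type server_name(0)
    cipher_suites = struct.pack(">HH", 0xC02F, 0xC030)                 # two ECDHE-RSA AES-GCM suites
    body = (
        b"\x03\x03"                                                    # client_version TLS 1.2
        + bytes(32)                                                    # random (zeros; constructed)
        + b"\x00"                                                      # session_id length 0
        + struct.pack(">H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                                  # compression methods: null only
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record):
    """Walk a ClientHello record to the server_name extension; None if absent or truncated."""
    try:
        pos = 5 + 4 + 2 + 32                                     # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                                   # session_id
        pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                q = pos + 2                                      # skip server_name_list length
                while q + 3 <= pos + ext_len:
                    name_type = record[q]
                    name_len = struct.unpack(">H", record[q + 1:q + 3])[0]
                    if name_type == 0:
                        return record[q + 3:q + 3 + name_len].decode("ascii", "replace")
                    q += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        pass
    return None


def _request_line(payload):
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


def classify(payload):
    """Classify the first bytes a client sent on a connection (e.g. from tcpdump -A on port 443)."""
    if len(payload) >= 5 and payload[0] == TLS_HANDSHAKE_RECORD and payload[1:3] in TLS_RECORD_VERSIONS:
        is_client_hello = len(payload) > 5 and payload[5] == 0x01
        return {"kind": "tls", "sni": extract_sni(payload) if is_client_hello else None}
    if payload.startswith(b"CONNECT "):
        # Explicit HTTPS proxy: the CONNECT line is plaintext, TLS should follow inside the tunnel.
        return {"kind": "proxy-connect", "request_line": _request_line(payload)}
    if payload.startswith(HTTP_METHODS):
        return {"kind": "plaintext-http", "request_line": _request_line(payload)}
    return {"kind": "unknown"}


# Constructed plaintext upload, i.e. what you would NOT want to see on the wire.
PLAINTEXT_PUT = (b"PUT /backup.tar.gz HTTP/1.1\r\nHost: example-bucket.s3.amazonaws.com\r\n"
                 b"Content-Length: 11\r\n\r\nhello world")

if __name__ == "__main__":
    hello = build_client_hello("example-bucket.s3.amazonaws.com")
    print(classify(hello))          # TLS, with only the SNI host name readable
    print(classify(PLAINTEXT_PUT))  # request line and object bytes readable by anyone on the path
```

To use it against a real capture, take the first client-to-server payload of a connection (for example the reassembled stream from `tcpdump -w` opened in Wireshark, or the bytes following the first `P.` flag in `tcpdump -A` output) and pass it to `classify`. If the CLI goes through an explicit proxy you will see a plaintext `CONNECT` line first, which is expected; the TLS record must follow it, and note that the SNI is readable by any on-path observer even when the session itself is encrypted.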