SaaS Shield CMK for Amazon S3

SaaS Shield CMK for Amazon S3 is a tailored solution built on our standard SaaS Shield product. It can be quickly added to an application that is storing customer data in Amazon S3 with very minimal code changes. The solution is built to run inside the same AWS infrastructure where your S3 buckets reside.

You can buy the product directly from the AWS Marketplace! The subscription fees will be added into your AWS bill for simplified payment. Once you purchase your subscription on the Marketplace, you will be redirected to the Configuration Broker to complete signup. The signup process guides you through configuring a vendor in the IronCore Labs Configuration Broker, then provides you with an installation script that your operations team can use to get everything installed and configured in AWS and ready to protect your customer data. Just change the way you connect to S3 in your application to point to the new SaaS Shield CMK for Amazon S3 endpoint, and you have Customer Managed Keys protecting the data stored in S3!

Suppose you have a simple application with a web interface that stores data on S3.

SaaS Shield for Amazon S3 fits into the architecture transparently.

S3 Proxy

SaaS Shield CMK for Amazon S3 is built around our SaaS Shield CMK Kit, but instead of requiring you to modify your application, we add a new S3 Proxy service that provides a REST API that is compatible with the S3 API. The service embeds our Tenant Security Client (TSC) to provide all SaaS Shield functionality. The proxy automatically determines which S3 requests are sending data, determines which tenant is associated with the data, and asks the TSC for a key to encrypt that data that is controlled by the tenant. Likewise, when the proxy receives requests to retrieve data, it automatically determines the tenant and uses the TSC to get the right key to decrypt the data before returning it.

The TSC embedded in the S3 Proxy communicates with a Tenant Security Proxy (TSP) that is running inside the same infrastructure. This is where the actual key generation and wrapping using a tenant-specific key occur.

Simplified Installation

In addition to providing the new S3 Proxy, SaaS Shield CMK for Amazon S3 is built to be simple to install and configure. If you are using S3, you are already set up in AWS, so we designed the product to quickly install into your AWS account. Following the steps outlined in our Getting Started guide, your operations staff can have the S3 Proxy, a Tenant Security Proxy, test credentials, and a test S3 bucket configured and running in your AWS infrastructure in no time.

Advanced Installation

After you have tested the installation and are ready to move to a QA or production installation, you can use the same installation process to set up additional instances of the product in your AWS infrastructure. If you are already using SaaS Shield and have the Tenant Security Proxy deployed in your infrastructure, you can easily add the S3 Proxy. We have more details in our Advanced Installation guide.

AWS Regions

An installation of SaaS Shield CMK for Amazon S3 is specific to a single AWS region (i.e. us-east-1 or us-west-2), just as S3 buckets are located in a specific region. If your application has buckets in multiple regions, you should install the product in each region.

Technical Details

We have more detailed information on how the S3 proxy works, how it handles S3 requests, how it stores the encrypted data and corresponding Encrypted Data Encryption Keys (EDEKs) in S3, and more in the How It Works section.