2

SES

Configuration for a SES rule allows one to have the email be put into a S3 bucket. Under this configuration, the option "KMS Key" is available, which would have SES encrypt the email before sending/putting it into the bucket. Specifically, using client-side encryption (CSE) not server side encryption (SSE)

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-action-s3.html

S3

One can also configure a S3 bucket's properties to encrypt objects when they're uploaded. (SSE)

Context

  • the bucket is only accessed by code (our system and/or AWS Lambda), ie there won't be the requirement to separate different users/roles/etc

Question

  • Why would one use

    1. SES S3 action with CSE encryption enabled + S3 SSE encryption disabled instead of
    2. SES S3 action with CSE encryption DISABLED + S3 SSE encryption ENABLED

(I'm not so much concerned with both SES encryption + S3 encryption)

  • Has this got to do with the transit of the email content between SES and S3 ? In what way could this be a risk, is this transfer not internal to AWS ?

Side Note

  1. Created a bucket and enabled encryption.
  2. Add a SESPut bucket policy to allow SES. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html
  3. Configure SES S3 Rule to put email into said bucket, but during save I get error: "Could not write to bucket"
  4. Change bucket, remove encryption
  5. SES rule save now succeeds.

This could just be that another policy is needed somewhere, or is there something I'm missing about AWS encryption which explains why the above steps failed and why SES has client-side encryption as an option?

(I've asked this in a separate question: AWS SES - S3 Rule to write to bucket with bucket encryption fails)

1 Answer 1

0

To your question, if you had a shared bucket, and encrypted the emails with a key not available to the other people with access to the bucket, you could still store encrypted emails there without exposing them to the other people sharing the bucket.

1
  • Yes, that is one scenario, but not relevant in this context. I'll update the question. Thanks Commented Aug 7, 2018 at 14:34

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.