1
votes

I am looking to copy the contents of one S3 bucket to another S3 bucket in a different account. I found the following tutorial and tested it with non-confidential files - https://medium.com/tensult/copy-s3-bucket-objects-across-aws-accounts-e46c15c4b9e1

I am wondering if any data that is transferred between accounts using this method is secure - as in encrypted in transit. Is it using AWS to do a direct copy, or is it using the computer running the sync as the middleman (downloading to the computer, then uploading to the destination bucket)? I do have AES-256 (Use Server-Side Encryption with Amazon S3-Managed Keys) enabled on the source S3 bucket. I did see a recommendation about using AWS-KMS but it was not clear if that would do what I need. Just want to make sure the S3 transfer between one account to the other is secured!

2
As far as I know, S3 uses HTTPS, which encrypts the traffic stream using standard technology. I'd say the answer is yes. - Jeremy

2 Answers

0
votes

When using the cp or sync commands, the objects are always copied "within S3". The objects are not downloaded and uploaded.

If you are copying data between buckets, and the buckets are in the same region then the traffic is totally within the AWS "backplane", so it never goes to the Internet or to a VPC. I believe that it is also encrypted while being copied.

If you are copying between regions, the data is encrypted as it travels across the AWS network between the regions. (Note: Data Transfer charges will apply.)

0
votes

As you're using the AWS CLI it will default to using HTTPS according to the documentation.

"By default, the AWS CLI sends requests to AWS services by using HTTPS on TCP port 443. To use the AWS CLI successfully, you must be able to make outbound connections on TCP port 443."

You can also ensure that no plain text actions can be performed with the AWS CLI by utilizing the "aws:SecureTransport": "false" condition within a bucket policy.

Take a look at the "What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?" documentation for an example bucket policy using this condition.
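The `"aws:SecureTransport": "false"` condition from the answer above, as an added example that is not part of the original answers or of the AWS documentation: it builds a deny statement around that condition and audits a bucket policy for whether plain-HTTP requests are denied on both the bucket and its objects. The bucket name, account ID, function names and sample policies are constructed for illustration.

```python
import json

BUCKET = "example-destination-bucket"  # hypothetical bucket name

def _as_list(value):
    return value if isinstance(value, list) else [value]

def tls_only_statement(bucket):
    """Deny statement built around the condition named in the answer above."""
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

def enforces_tls(policy_json, bucket):
    """True if non-HTTPS requests are denied on the bucket AND on its objects."""
    # Conservative: only exact ARNs, an all-principals Deny, Action "s3:*" or "*",
    # and a Condition holding nothing but the SecureTransport test are accepted.
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not {"s3:*", "*"} & {a.lower() for a in _as_list(stmt.get("Action", []))}:
            continue
        cond = stmt.get("Condition", {})
        bools = {k.lower(): v for k, v in cond.get("Bool", {}).items()}
        if len(cond) != 1 or len(bools) != 1:
            continue  # extra conditions would narrow the deny
        values = _as_list(bools.get("aws:securetransport"))
        if all(str(v).lower() == "false" for v in values):
            covered |= needed & set(_as_list(stmt.get("Resource", [])))
    return covered == needed

def policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

# Constructed sample policies (111122223333 is a placeholder account ID).
GOOD = policy(tls_only_statement(BUCKET))
OBJECTS_ONLY = policy({**tls_only_statement(BUCKET), "Resource": f"arn:aws:s3:::{BUCKET}/*"})
ALLOW_ONLY = policy({"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
                     "Condition": {"Bool": {"aws:SecureTransport": "true"}}})

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("OBJECTS_ONLY", OBJECTS_ONLY), ("ALLOW_ONLY", ALLOW_ONLY)]:
        print(f"{name:13} TLS enforced: {enforces_tls(doc, BUCKET)}")
```

`OBJECTS_ONLY` fails because bucket-level calls such as listing are not covered, and `ALLOW_ONLY` fails because an allow that requires HTTPS does not deny a plain-HTTP request that some other policy permits.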