Enabling server-side encryption on AWS S3 and Open edX

Posted by Aayush Agrawal on May 18, 2021
s3-encryption

This blog post shows how to enable encryption at rest for Amazon S3 Object Storage used by your Open edX instance. When you use server-side encryption, Amazon S3 encrypts an object before saving it to a disk, and decrypts it when you download it again.

The first question is Why would you want to do this? The most important reason is privacy, as data uploaded to S3 buckets can contain personally identifiable information, such as the learner's email address in grade reports. Also keep in mind that you might be required to do this by GDPR and other privacy-focused laws.

Enabling S3 encryption on AWS: How-To

The first step is to set up an encrypted AWS S3 bucket for your Open edX instance. For the sake of simplicity, I’d recommend using SSE-S3 encryption, as AWS will manage the encryption key for you. It will use a single key for all objects, which is encrypted itself with a master key that is frequently rotated for increased security. You’ll have two choices here:

Creating an encrypted bucket

If you are just starting or testing this setup, you can create an encrypted bucket and switch your instance configuration to use this bucket.

Simply navigate to https://s3.console.aws.amazon.com/s3/bucket/create to create a new bucket. Make sure to enable Server-side encryption.

Enabling encryption in an existing bucket

If you already have a running instance with an existing bucket, all you need to do is enable encryption for the bucket.

Just navigate to https://s3.console.aws.amazon.com/s3/buckets/ where you’ll be able to find the bucket you want to modify. Click on the bucket link and navigate to the “Properties” tab, where you’ll find encryption settings. Here, you just need to click the “Edit” button and select “Enable”.

Configuring Open edX

Now that the bucket encryption is enabled, we must make sure Open edX can properly use it. Under the hood, your instance will be using Boto3 to communicate with AWS S3.

Enabling AWS S3 Encryption

 You need to modify your settings to enable S3 encryption. You’ll have to change both your /edx/etc/lms.yml and /edx/etc/studio.yml to use the following settings.

   AWS_S3_ENCRYPTION: true
   AWS_S3_REGION_NAME: 'us-east-1'
   AWS_S3_SIGNATURE_VERSION: 's3v4'
   DEFAULT_FILE_STORAGE: 'storages.backends.s3boto3.S3Boto3Storage'

While REGION_NAME and SIGNATURE_VERSION aren’t strictly required, they are big sources of issues when running this setup. If you encounter permission issues, make sure these are correct in your settings.

Configuring Studio export bucket

Next, ensure your bucket name is correct. If you decide to use a different bucket for course exports, make sure to enable encryption on AWS for this as well.

   IMPORT_EXPORT_BUCKET: 'opencraft-example-bucket'

Configuring Grade reports downloads

Again, these settings need to be applied to both lms.yml and studio.yml.

   GRADES_DOWNLOAD:
     BUCKET: 'opencraft-example-bucket'
     ROOT_PATH: 'reports/grade'
     STORAGE_CLASS: 'storages.backends.s3boto3.S3Boto3Storage'
     STORAGE_KWARGS:
       default_acl: 'public-read'
       location: 'grades-download'
     STORAGE_TYPE: 's3'

S3Boto3Storage.location cannot begin with a leading slash (gotcha)

If you get the above error message after migrating from the local filesystem storage, you’ll have to modify the location to remove the leading slash, for example:

   VIDEO_TRANSCRIPTS_SETTINGS:
     DIRECTORY_PREFIX: video-transcripts/
     STORAGE_KWARGS:
       base_url: /media/
       location: media/ # Was /media/ before

Testing

After the setup is complete, you’ll have to test the settings to ensure that it works correctly. Obvious tests are course exports, grade report downloads, checking video transcripts, etc.

I would recommend that you use Opencraft’s Instance Test Checklist to make sure no functionalities are broken.

This checklist was developed to ensure our instances are fully operational after release upgrades, large configuration changes, and others.

I hope this helps you get peace of mind, knowing your users’ personally identifiable information is now safely encrypted in Amazon servers.

If you’re serious about your Open edX instance’s security and would like an extra pair of eyes, you can reach out to us at OpenCraft to help maintain and/or secure your Open edX instance!

Photo by Alex MotocHire on Unsplash

Latest Posts
June 6, 2024
Catch OpenCraft at the Open edX Conference 2024
Cassie Zamparini
No Comments

This year, the Open edX Conference will be held from July 2 – 5, 2024 in Stellenbosch, South Africa. I’m […]

Read More
September 18, 2023
What is the Impact of AI in the Online Learning Space?
Fox Piacenti
No Comments

The arrival of new AI technology has sent the world of online education abuzz. The new technologies have brought new […]

Read More
July 3, 2023
June 2023: OpenCraft Quarterly Catch Up
Cassie Zamparini
No Comments

Open edX presents Content Tagging! "Tagging" has been a long-requested feature for managing content in Studio, and now OpenCraft is finally designing and […]

Read More

We deliver top-notch learning solutions.

We’re an elite team of designers and developers, who love creating quality learning management solutions. Let’s chat about your latest project.
Get in touch

Get in touch

We'd love to hear from you! Send us a message and a member of our team will get back to you.
Contact us
Subscribe to our newsletter
© OpenCraft 2024
edX and Open edX® are trademarks of edX Inc
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram