Secure Data Sharing with Attribute-Based Encryption in AWS

  • Use Case: Organizations (e.g., healthcare, finance, education) need to share sensitive data across multiple stakeholders (patients, doctors, insurers, researchers, etc.) without compromising privacy. Traditional encryption grants access to anyone who holds the key, whereas Attribute-Based Encryption (ABE) grants access based on user attributes (role, department, region).

Objective

  • Enable fine-grained access control to sensitive data stored in AWS.
  • Prevent unauthorized access while ensuring legitimate users can still collaborate.
  • Provide scalable encryption and decryption mechanisms without manually sharing keys.

Project Description

  • The project implements a cloud-based secure data sharing framework using Attribute-Based Encryption (ABE). Data is encrypted before uploading to AWS storage, and only users whose attributes match the defined policies can decrypt it.
  • Steps:
    • Users upload encrypted files (with ABE policy embedded) to AWS S3.
    • AWS Lambda or EC2 enforces attribute-based policies for decryption requests.
    • Identity and Access Management (IAM) with Amazon Cognito validates user attributes.
    • Only eligible users receive the decryption key (via AWS KMS or custom key authority).
    • Access attempts, successes, and failures are monitored with CloudWatch and CloudTrail.
  • AWS Services & Purpose:

    AWS Service                      | Purpose in Project
    ---------------------------------|---------------------------------------------------------------
    Amazon S3                        | Store encrypted data files securely.
    AWS KMS (Key Management Service) | Manage encryption/decryption keys and policies.
    AWS Lambda                       | Act as a lightweight serverless function to enforce decryption policies.
    Amazon Cognito                   | Manage user authentication and assign attributes (roles, departments, etc.).
    AWS IAM                          | Define fine-grained access control and attribute-based policies.
    Amazon EC2                       | Run custom ABE encryption/decryption libraries if Lambda is insufficient.
    AWS CloudWatch                   | Monitor access latency, policy evaluation time, and system health.
    AWS CloudTrail                   | Track audit logs of who accessed or tried to access encrypted data.
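
The policy check from the steps above (a Lambda-style gate that decides whether a requester's Cognito attributes satisfy a file's ABE policy before any key is released, and produces an audit record), as an added example that is not part of the original project description. Assumptions: the Cognito ID token has already been signature-verified upstream, policies are stored as JSON trees of `and` / `or` / `threshold` gates, and the policy format, attribute names and sample claims are constructed for illustration; this is the key-release decision only, not the ABE cryptography itself.

```python
import json

class PolicyError(ValueError):
    """Malformed policy; callers must treat this as a denial."""

def satisfies(node, attrs, depth=0):
    """Evaluate an and / or / k-of-n tree whose leaves are "name:value" strings."""
    if depth > 16:
        raise PolicyError("policy nested too deeply")
    if isinstance(node, str):
        return node in attrs
    if not isinstance(node, dict) or len(node) != 1:
        raise PolicyError("each gate must be a single-key object")
    (gate, body), = node.items()
    if gate in ("and", "or") and isinstance(body, list) and body:
        children, k = body, (len(body) if gate == "and" else 1)
    elif gate == "threshold" and isinstance(body, dict):
        children, k = body.get("of"), body.get("k")
    else:
        raise PolicyError(f"unknown or empty gate: {gate!r}")
    if (not isinstance(children, list) or isinstance(k, bool)
            or not isinstance(k, int) or not 1 <= k <= len(children)):
        raise PolicyError("threshold needs 1 <= k <= number of children")
    # Evaluate every child (no short-circuit) so a malformed branch always denies.
    return sum([satisfies(c, attrs, depth + 1) for c in children]) >= k

def attributes_from_claims(claims):
    """Map already-verified Cognito ID-token claims to "name:value" strings."""
    attrs = {f"group:{g}" for g in claims.get("cognito:groups", [])}
    return attrs | {f"{k[7:]}:{v}" for k, v in claims.items()
                    if k.startswith("custom:") and isinstance(v, str)}

def authorize(claims, policy_json, object_key):
    """Return (allowed, audit_record); any policy error is a denial."""
    record = {"user": claims.get("sub"), "object": object_key}
    try:
        allowed = satisfies(json.loads(policy_json), attributes_from_claims(claims))
        record["reason"] = "policy satisfied" if allowed else "attributes do not match"
    except (ValueError, RecursionError) as exc:
        allowed, record["reason"] = False, f"invalid policy: {exc}"
    record["decision"] = "ALLOW" if allowed else "DENY"
    return allowed, record

# Constructed sample policy and claims (assumptions, not from the original page).
POLICY = json.dumps({"and": ["department:cardiology", {"threshold": {
    "k": 2, "of": ["role:doctor", "region:eu", "group:researchers"]}}]})
DOCTOR = {"sub": "user-1", "custom:department": "cardiology",
          "custom:role": "doctor", "custom:region": "eu"}
INSURER = {"sub": "user-2", "custom:role": "insurer", "cognito:groups": ["researchers"]}
```

The audit record returned by `authorize` is what would be written to the function's log for CloudWatch; a gate like this controls key release only, so the ciphertext in S3 stays protected by the ABE scheme itself if the gate is bypassed.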