
Should I use an AWS KMS managed key or a customer managed AWS KMS key to encrypt my objects in Amazon S3?


I use AWS Key Management Service (AWS KMS). I want to use server-side encryption with AWS KMS (SSE-KMS) for my objects stored on Amazon Simple Storage Service (Amazon S3). I need to decide whether to use a customer managed AWS KMS key or the aws/s3 AWS KMS managed key.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Choose a key based on the degree of control that you need. AWS KMS manages the default aws/s3 AWS KMS key for you, but you have full control over a customer managed key.

When to use the default aws/s3 KMS key

Use the default aws/s3 KMS key in the following scenarios:

  • You use AWS Identity and Access Management (IAM) principals for S3 objects that are in the same AWS account as the AWS KMS key.
  • You don't want to manage policies for the AWS KMS key.

To use the aws/s3 AWS KMS key to encrypt an object, define the encryption method as SSE-KMS during the upload, but don't specify a key. Run the following cp AWS CLI command:

aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms

Note: Replace DOC-EXAMPLE-BUCKET with your S3 bucket name.

When to use a customer managed key

Use a customer managed key in the following scenarios:

  • You want to create, rotate, deactivate, or define access controls for the key.
  • You want to grant cross-account access to your S3 objects.
    Note: You can configure the policy of a customer managed key to allow access from another account.

To use a customer managed key to encrypt an object, define the encryption method as SSE-KMS during the upload. Also, specify your customer managed key as the key (--sse-kms-key-id). Run the following cp command:

aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms --sse-kms-key-id testkey

Note: Replace mytextfile.txt with the name of your file, DOC-EXAMPLE-BUCKET with your Amazon S3 bucket name, and testkey with your key ID.

To control access to your customer managed key, modify the key policy. For more information, see Creating a key policy.
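The following key policy is an added example (not part of this article) of the access controls a customer managed key gives you that the aws/s3 key does not: it keeps the key administrable from the owning account and lets principals in a second account use the key, but only through Amazon S3 in one Region. The account IDs 111111111111 (key owner) and 222222222222 (other account), the Region us-east-1 and the Sid values are placeholders; JSON allows no comments, so they are identified here rather than inline.

```json
{
  "Version": "2012-10-17",
  "Id": "example-s3-sse-kms-key-policy",
  "Statement": [
    {
      "Sid": "EnableIamPoliciesInKeyOwnerAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowOtherAccountToUseKeyOnlyViaS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

The first statement is the standard one that keeps the key manageable with IAM policies in the owning account; without it the key can become unmanageable. Principals in account 222222222222 still need an IAM identity policy that allows the same kms actions on this key's ARN, plus s3 permissions on the bucket, before cross-account uploads or downloads of SSE-KMS objects succeed.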

When to use SSE-S3 encryption

You can use Amazon S3 managed keys (SSE-S3) encryption instead of AWS KMS encryption. AWS KMS encryption offers robust security controls, but you must use the default SSE-S3 encryption in the following scenarios:

Related information

Protecting data with server-side encryption

Using server-side encryption with AWS KMS keys (SSE-KMS)

AWS OFFICIAL · Updated 4 months ago
2 Comments

Worth noting that in the cases where a customer managed key isn't appropriate, the default SSE-S3 encryption is likely to be the right choice.

AWS
EXPERT
replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 8 months ago