Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?


I want to use server-side encryption with AWS Key Management Service (SSE-KMS) for my objects stored on Amazon Simple Storage Service (Amazon S3). Should I use a customer managed AWS KMS key or the AWS KMS managed key called aws/s3?

Resolution

AWS KMS manages the default aws/s3 KMS key, but you have full control over a customer managed key.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the default aws/s3 KMS key

Use the default aws/s3 KMS key if:

  • You're uploading or accessing S3 objects using AWS Identity and Access Management (IAM) principals that are in the same AWS account as the KMS key.
  • You don't want to manage policies for the KMS key.

To encrypt an object using the default aws/s3 KMS key, define the encryption method as SSE-KMS during the upload, but don't specify a key:

aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms

Use a customer managed key

Use a customer managed key if:

  • You want to create, rotate, disable, or define access controls for the key.
  • You want to grant cross-account access to your S3 objects. You can configure the policy of a customer managed key to allow access from another account.

To encrypt an object using a customer managed key, define the encryption method as SSE-KMS during the upload. Then, specify your customer managed key as the key (--sse-kms-key-id):

aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms --sse-kms-key-id testkey

To control access to your customer managed key, modify the key policy. For more information, see Creating a key policy.
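As an added example, not part of the AWS article: a key policy for the customer managed key that grants a second account use of the key only through S3, applied with the same CLI, followed by a check of which key an uploaded object actually used. The account IDs, the alias alias/s3-shared and the Region are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS article. Placeholders assumed here:
# 111111111111 owns the key, 222222222222 reads the bucket, alias/s3-shared
# is a hypothetical alias for the customer managed key, Region us-east-1.
set -eu
# Emit the key policy. Statement 1 keeps the owning account's IAM principals
# in control; without it the key can no longer be administered. Statement 2
# grants the consumer account only what SSE-KMS needs (GenerateDataKey on
# upload, Decrypt on download), and kms:ViaService limits use to calls made
# through S3 in one Region. The consumer account must still allow these
# actions in its own IAM policies; the key policy alone is not sufficient.
build_key_policy() {
  owner="$1"; consumer="$2"; region="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${owner}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCrossAccountUseViaS3",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${consumer}:root"},
      "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": "*",
      "Condition": {"StringEquals": {"kms:ViaService": "s3.${region}.amazonaws.com"}}
    }
  ]
}
EOF
}
# Report which KMS key S3 recorded for an object ("None" means no SSE-KMS key).
object_kms_key() {
  aws s3api head-object --bucket "$1" --key "$2" --query SSEKMSKeyId --output text
}
if [ "${1:-}" = "apply" ]; then
  build_key_policy 111111111111 222222222222 us-east-1 > /tmp/key-policy.json
  aws kms put-key-policy --key-id alias/s3-shared --policy-name default \
    --policy file:///tmp/key-policy.json
  aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms \
    --sse-kms-key-id alias/s3-shared
  object_kms_key DOC-EXAMPLE-BUCKET mytextfile.txt
fi
```

Run with the argument apply to write the policy and upload; without it the script only defines the functions, so the policy can be reviewed first with build_key_policy.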

Related information

Protecting data with server-side encryption

How Amazon Simple Storage Service (Amazon S3) uses AWS KMS

AWS OFFICIAL
Updated 2 months ago