Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?


I want to use server-side encryption with AWS Key Management Service (SSE-KMS) for my objects stored on Amazon Simple Storage Service (Amazon S3). Should I use a customer managed AWS KMS key? Or, should I use the AWS KMS managed key called aws/s3? What's the difference between the two?

Resolution

AWS Key Management Service (AWS KMS) manages the default aws/s3 AWS KMS key, but you have full control over a customer managed key.

Using the default aws/s3 KMS key

Note: The name of the KMS key is aws/s3 in the Amazon S3 console. However, don't specify that name or ID if you use the AWS Command Line Interface (AWS CLI).

Consider using the default aws/s3 KMS key if:

  • You're uploading or accessing S3 objects using AWS Identity and Access Management (IAM) principals that are in the same AWS account as the AWS KMS key.
  • You don't want to manage policies for the KMS key.

To encrypt an object using the default aws/s3 KMS key, define the encryption method as SSE-KMS during the upload, but don't specify a key:

aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Using a customer managed key

Consider using a customer managed key if:

  • You want to create, rotate, disable, or define access controls for the key.
  • You want to grant cross-account access to your S3 objects. You can configure the policy of a customer managed key to allow access from another account.

To encrypt an object using a customer managed key, define the encryption method as SSE-KMS during the upload. Then, specify your customer managed key as the key (--sse-kms-key-id):

aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms --sse-kms-key-id testkey

To control access to your customer managed key, modify the key policy. For more information on how to create a key policy, see Creating a key policy.
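As an added example (not part of the original article), the key policy below shows the cross-account case from the list above: account 111111111111 owns the customer managed key and lets principals in account 222222222222 use it, but only through Amazon S3 in us-east-1. The account IDs, the policy Id and the region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "example-s3-cross-account-key-policy",
  "Statement": [
    {
      "Sid": "KeyOwnerAccountCanAdministerTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "OtherAccountCanUseTheKeyOnlyThroughS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

Granting the other account's root principal only delegates permission: IAM principals in 222222222222 still need an identity policy that allows the same kms: actions on this key's ARN before they can read or write SSE-KMS objects with it. The kms:ViaService condition keeps the key from being used by those principals directly or through any other service.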


Related information

Protecting data using server-side encryption

How Amazon Simple Storage Service (Amazon S3) uses AWS KMS

AWS OFFICIAL
Updated a year ago