decrypt objects that have been encrypted with a short-living bucket key


What are the steps that S3/KMS performs to decrypt objects that have been encrypted with a short-living bucket key generated from a KMS key?

S3 Bucket Keys are used for a time-limited period within S3, reducing the need for S3 to make requests to AWS KMS to complete encryption operations. Being short-lived, I wonder what the steps to decrypt are. Do you need to interact with KMS every time? I suppose that you don't GET an object that has just been PUT in a bucket. You might need that object days later, or weeks, months, or even years later. I believe it's not clear from the documentation online: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html

asked 5 months ago, 338 views

1 Answer

Accepted Answer

All the bucket keys generated for a given bucket are persisted in KMS-encrypted form in the bucket. When a given principal (or principal combined with their scoping policy, such as an IAM session policy) first accesses an object encrypted with a given bucket key, S3 calls KMS on behalf of the principal to decrypt the bucket key. S3 then uses the decrypted bucket key to derive the unique per-object data key for decrypting the object. S3 retains the plaintext bucket key for a limited amount of time. If the same principal/scoping policy combination accesses another object encrypted with the same bucket key, before S3 has removed the plaintext copy of the bucket key from memory, S3 will derive the data key for the second object from the plaintext bucket key it already has in memory -- without having to call kms:Decrypt. That's where the bulk of the cost savings come from for decrypt operations.

In short, kms:Decrypt should normally only get called when the plaintext bucket key hasn't been accessed by the same principal/scoping policy combination within the limited time window S3 keeps the plaintext key in memory, as worded on the documentation page you linked to. After that time window has elapsed, or if the request is made by a different principal, S3 calls kms:Decrypt to decrypt the KMS-encrypted bucket key, which is persisted in your bucket.

Leo K (EXPERT), answered 5 months ago; reviewed 4 months ago
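The flow described in the accepted answer, as an added simulation that is not part of the original thread and not AWS's code: a fake KMS that counts kms:GenerateDataKey and kms:Decrypt calls, a bucket that persists the KMS-wrapped bucket key, a per-(principal, bucket key) plaintext cache with a TTL, and a per-object data key derived from the plaintext bucket key. The toy stream cipher, the HMAC-based derivation, the 300-second TTL, the role names, and the object names are all assumptions made for the example; S3's real cipher, KDF and cache lifetime are not published. The `simulate()` function returns the cumulative kms:Decrypt count after each stage so you can see exactly where the calls land.

```python
import hashlib
import hmac
import os


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter mode). Symmetric, so one function
    both encrypts and decrypts. Stand-in only; not what S3 or KMS actually use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class FakeKms:
    """Stand-in for the KMS key: wraps/unwraps bucket keys and counts the calls
    that would be billed as kms:GenerateDataKey and kms:Decrypt."""

    def __init__(self) -> None:
        self.master = os.urandom(32)  # KMS key material; never leaves "KMS"
        self.generate_calls = 0
        self.decrypt_calls = 0

    def generate_data_key(self) -> tuple[bytes, bytes]:
        self.generate_calls += 1
        plaintext, nonce = os.urandom(32), os.urandom(16)
        return plaintext, nonce + xor_keystream(self.master, nonce, plaintext)

    def decrypt(self, wrapped: bytes) -> bytes:
        self.decrypt_calls += 1
        return xor_keystream(self.master, wrapped[:16], wrapped[16:])


class FakeClock:
    """Controllable clock so cache expiry can be driven deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class BucketKeyModel:
    """Model of the S3 side: wrapped bucket keys persisted in the bucket, a
    time-limited plaintext cache scoped per principal, per-object data keys."""

    def __init__(self, kms: FakeKms, ttl_seconds: float, clock: FakeClock) -> None:
        self.kms, self.ttl, self.clock = kms, ttl_seconds, clock
        self.wrapped_bucket_keys: dict[str, bytes] = {}            # persisted in the bucket
        self.cache: dict[tuple[str, str], tuple[bytes, float]] = {}  # (principal, bk_id) -> (key, expiry)
        self.objects: dict[str, tuple[str, bytes, bytes]] = {}      # key -> (bk_id, nonce, ciphertext)

    def new_bucket_key(self, principal: str) -> str:
        plaintext, wrapped = self.kms.generate_data_key()
        bk_id = hashlib.sha256(wrapped).hexdigest()[:16]
        self.wrapped_bucket_keys[bk_id] = wrapped
        self.cache[(principal, bk_id)] = (plaintext, self.clock() + self.ttl)
        return bk_id

    def _bucket_key(self, principal: str, bk_id: str) -> bytes:
        now = self.clock()
        cached = self.cache.get((principal, bk_id))
        if cached is not None and cached[1] > now:
            return cached[0]  # cache hit: no kms:Decrypt
        plaintext = self.kms.decrypt(self.wrapped_bucket_keys[bk_id])
        self.cache[(principal, bk_id)] = (plaintext, now + self.ttl)
        return plaintext

    @staticmethod
    def derive_data_key(bucket_key: bytes, object_key: str, nonce: bytes) -> bytes:
        # Assumed derivation (not S3's published KDF): HMAC over object name and nonce.
        return hmac.new(bucket_key, object_key.encode() + nonce, hashlib.sha256).digest()

    def put_object(self, principal: str, bk_id: str, object_key: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        data_key = self.derive_data_key(self._bucket_key(principal, bk_id), object_key, nonce)
        self.objects[object_key] = (bk_id, nonce, xor_keystream(data_key, nonce, plaintext))

    def get_object(self, principal: str, object_key: str) -> bytes:
        bk_id, nonce, ciphertext = self.objects[object_key]
        data_key = self.derive_data_key(self._bucket_key(principal, bk_id), object_key, nonce)
        return xor_keystream(data_key, nonce, ciphertext)


def simulate(ttl: float = 300.0) -> dict[str, int]:
    """Cumulative kms:Decrypt count after each stage of a constructed scenario."""
    kms, clock = FakeKms(), FakeClock()
    s3 = BucketKeyModel(kms, ttl, clock)
    bk_id = s3.new_bucket_key("role/Uploader")
    for i in range(3):
        s3.put_object("role/Uploader", bk_id, f"logs/{i}.txt", f"line {i}".encode())
    trace = {"after_put": kms.decrypt_calls}          # plaintext came from GenerateDataKey
    clock.advance(ttl + 1)                            # uploader's cached copy has expired
    assert s3.get_object("role/Reader", "logs/0.txt") == b"line 0"
    trace["reader_first_get"] = kms.decrypt_calls     # first access by this principal
    s3.get_object("role/Reader", "logs/1.txt")
    s3.get_object("role/Reader", "logs/2.txt")
    trace["reader_more_gets"] = kms.decrypt_calls     # same principal, same bucket key, inside TTL
    s3.get_object("role/Auditor", "logs/0.txt")
    trace["other_principal"] = kms.decrypt_calls      # different principal: cache miss
    clock.advance(ttl + 1)
    s3.get_object("role/Reader", "logs/0.txt")
    trace["reader_after_ttl"] = kms.decrypt_calls     # same principal, but TTL elapsed
    return trace


if __name__ == "__main__":
    print(simulate())
```

The three PUTs and the two follow-up GETs by `role/Reader` cost no kms:Decrypt at all; only the first access by each principal, and the first access after the plaintext copy has aged out, reach KMS. In the real service the feature is switched on per bucket with `BucketKeyEnabled` in the default encryption configuration, and the KMS call volume the model predicts is what you would see as `Decrypt` events in CloudTrail.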
