- Newest
- Most votes
- Most comments
All the bucket keys generated for a given bucket are persisted in KMS-encrypted form in the bucket. When a given principal (or principal combined with their scoping policy, such as an IAM session policy) first accesses an object encrypted with a given bucket key, S3 calls KMS on behalf of the principal to decrypt the bucket key. S3 then uses the decrypted bucket key to derive the unique per-object data key for decrypting the object. S3 retains the plaintext bucket key for a limited amount of time. If the same principal/scoping policy combination accesses another object encrypted with the same bucket key, before S3 has removed the plaintext copy of the bucket key from memory, S3 will derive the data key for the second object from the plaintext bucket key it already has in memory -- without having to call kms:Decrypt. That's where the bulk of the cost savings come from for decrypt operations.
In short, kms:Decrypt should normally only get called when the plaintext bucket key hasn't been accessed by the same principal/scoping policy combination within the limited time window S3 keeps the plaintext key in memory, as worded on the documentation page you linked to. After that time window has elapsed, or if the request is made by a different principal, S3 calls kms:Decrypt to decrypt the KMS-encrypted bucket key, which is persisted in your bucket.
Relevant content
- Accepted Answerasked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 months ago