Yes, that would mean that the old KMS key is used to decrypt the data related to your Glue catalog that were encrypted earlier with the old KMS key. When you switched Glue to use the new KMS key, it started to use it to encrypt all data it has been writing since the change, while all previously encrypted data remains encrypted with the old key.
In the CloudTrail event's requestParameters field you can see the context in which the request was made. If you're using the KMS key for SSE-KMS encryption, the encryptionContext field inside requestParameters will show either the ARN of the bucket (if the KMS key is used for bucket key encryption) or the object being decrypted (if bucket keys aren't used).
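The comment above describes where to look in a CloudTrail KMS Decrypt event to tell which key was used and whether the encryption context names a bucket (bucket key) or an individual object. As an added example, not part of this thread, the script below parses a small, constructed CloudTrail export and groups Decrypt calls per key ARN and per context kind, which is one way to audit which S3 data is still being decrypted with an old key after switching Glue to a new one. It assumes the `aws:s3:arn` encryption-context key and the `resources[].ARN` field that SSE-KMS Decrypt events carry; all ARNs and key IDs are placeholders.

```python
import json
from collections import Counter, defaultdict

# Placeholder key ARNs (constructed for this example, not real keys).
OLD_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/old-key-id-placeholder"
NEW_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/new-key-id-placeholder"

# Constructed sample CloudTrail records, not real events. Field names follow the
# KMS Decrypt event layout (eventSource, eventName, requestParameters.encryptionContext,
# resources[].ARN); bucket and object names are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # bucket-key decrypt under the old key: context holds the bucket ARN
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-glue-bucket"},
                              "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": OLD_KEY_ARN}],
    },
    {   # per-object decrypt under the old key: context holds the object ARN
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-glue-bucket/db/table/part-0000.parquet"},
                              "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": OLD_KEY_ARN}],
    },
    {   # per-object decrypt under the new key
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-glue-bucket/db/table/part-0001.parquet"},
                              "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
        "resources": [{"type": "AWS::KMS::Key", "ARN": NEW_KEY_ARN}],
    },
    {   # a GenerateDataKey call (an encrypt-side operation): skipped by the decrypt audit
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-glue-bucket/db/table/part-0002.parquet"}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": NEW_KEY_ARN}],
    },
]})


def classify_context(encryption_context):
    """Classify an SSE-KMS encryption context as ('bucket', arn) when the S3 ARN
    names only a bucket (bucket key in use) or ('object', arn) when it names an
    object; anything without an aws:s3:arn entry is ('other', <context as json>)."""
    arn = encryption_context.get("aws:s3:arn")
    if arn is None:
        return "other", json.dumps(encryption_context, sort_keys=True)
    resource = arn.split(":::", 1)[-1]          # "bucket" or "bucket/object-key"
    return ("object" if "/" in resource else "bucket"), arn


def key_arn_of(record):
    """Return the KMS key ARN the API call was made against, or None if absent."""
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return None


def _decrypt_records(trail_json):
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") == "kms.amazonaws.com" and rec.get("eventName") == "Decrypt":
            yield rec


def summarize_decrypts(trail_json):
    """Map each KMS key ARN to a Counter of decrypt context kinds (bucket/object/other)."""
    summary = defaultdict(Counter)
    for rec in _decrypt_records(trail_json):
        kind, _ = classify_context(rec.get("requestParameters", {}).get("encryptionContext", {}))
        summary[key_arn_of(rec)][kind] += 1
    return summary


def objects_still_on_key(trail_json, key_arn):
    """Sorted, de-duplicated list of S3 ARNs whose decrypts still hit key_arn,
    i.e. data that has not been re-encrypted under the replacement key."""
    targets = set()
    for rec in _decrypt_records(trail_json):
        if key_arn_of(rec) == key_arn:
            _, target = classify_context(rec.get("requestParameters", {}).get("encryptionContext", {}))
            targets.add(target)
    return sorted(targets)


if __name__ == "__main__":
    for key, kinds in summarize_decrypts(SAMPLE_TRAIL).items():
        print(key, dict(kinds))
    print("still decrypted with old key:", objects_still_on_key(SAMPLE_TRAIL, OLD_KEY_ARN))
```

Run against a real CloudTrail export (the `Records` array from a log file or an Athena/CloudTrail Lake query result) by replacing `SAMPLE_TRAIL`; a bucket ARN under the old key means bucket-key material is still wrapped by it, while object ARNs point at the specific objects that were written before the key switch.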
I was confused about one thing! My understanding is that even if we use SSE-S3 in S3 and use an AWS-managed key in Glue, we need to pay for decrypt requests. Because if we refer to AWS KMS pricing: 'While you are not charged for creation and storage of AWS-managed keys, you will be charged on any API request made to AWS-managed keys.' So, the price would be the same as before, for decryption and also encryption requests! (The price would be different in terms of $1 per key per month and rotation cost.) Am I correct?
Your summary of the pricing is correct. API calls to KMS are charged either way, and the only cost difference between AWS-managed and customer-managed keys is the fixed $1/mo per key + $1/mo per time the key has ever been rotated for the first two rotations.
So you're saying that if the query is for data encrypted with the new key, we won't see decrypt events with the old key for glue anymore?
Yes, correct. As soon as you've configured Glue, S3, or another resource to use a new KMS key, only the new key will be used to encrypt new or modified data.
You said that "all previously encrypted data remains encrypted with the old key". So how can we access this old data in the consumer account? Do we need to re-create the tables?
I had the same issue. For me updating the table description after switching the encryption to a customer managed key was sufficient to get the metadata encrypted with the new key.