2 Answers
3
If it's affordable for you, you can try copying the data to a new location with re-encryption. Use an S3 batch operation or an AWS Glue job to copy the data to a new location and re-encrypt it using the new customer-managed KMS key.
Example S3 Batch Operation:
- Create a manifest file listing all the objects to be re-encrypted.
- Use S3 Batch Operations to copy each object to the same location with the new encryption key.
- Update Data Catalog Settings. Ensure that the Glue Data Catalog is updated to reflect the new encryption settings.
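The first two steps of the answer above, sketched as an added example that is not part of the original answer or AWS's own code: it builds the manifest CSV (keys URL-encoded, as Batch Operations expects) and the request for an in-place `S3PutObjectCopy` job with the new key. The bucket name, account ID, ARNs, ETag, report prefix and helper names are constructed placeholders; the returned dict is meant to be passed as keyword arguments to the boto3 `s3control` client's `create_job`.

```python
import csv
import io
from urllib.parse import quote

MANIFEST_FORMAT = "S3BatchOperations_CSV_20180820"


def build_manifest(bucket, keys):
    """Return Bucket,Key manifest CSV; Batch Operations expects URL-encoded keys."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for key in keys:
        writer.writerow([bucket, quote(key, safe="/")])
    return buf.getvalue()


def build_copy_job(account_id, bucket, kms_key_arn, role_arn, manifest_arn, manifest_etag):
    """Keyword arguments for the boto3 s3control client's create_job call."""
    # The aws/ alias prefix is reserved for AWS-managed keys, which cannot be
    # shared across accounts, so refuse it as the re-encryption target.
    if "alias/aws/" in kms_key_arn:
        raise ValueError("target key must be customer-managed")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "AccountId": account_id,
        "ConfirmationRequired": True,  # job waits for approval before running
        "Priority": 10,
        "RoleArn": role_arn,
        "Operation": {"S3PutObjectCopy": {
            "TargetResource": bucket_arn,  # same bucket: objects are copied in place
            "MetadataDirective": "COPY",
            "SSEAwsKmsKeyId": kms_key_arn,
        }},
        "Manifest": {
            "Spec": {"Format": MANIFEST_FORMAT, "Fields": ["Bucket", "Key"]},
            "Location": {"ObjectArn": manifest_arn, "ETag": manifest_etag},
        },
        "Report": {"Enabled": True, "Bucket": bucket_arn, "Prefix": "batch-reports",
                   "Format": "Report_CSV_20180820", "ReportScope": "FailedTasksOnly"},
    }


if __name__ == "__main__":
    # Constructed sample values; replace with your own.
    print(build_manifest("example-data-bucket", ["sales/year=2024/part 0.parquet"]), end="")
```

The role in `RoleArn` needs permission to decrypt with the old key and encrypt with the new one, and the new key's policy is where cross-account access is then granted.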
-1
And to confirm, yes, you are correct in what you said, @gh-v. If your data in S3 is encrypted with the AWS-managed KMS key for S3, there's no way for another AWS account to access the encrypted objects via S3's APIs, unless you re-encrypt them first.