Amazon S3 and AWS KMS: Optimizing Server-Side Encryption with S3 Bucket Keys (SSE-KMS)

Amazon Web Services
Written By Khalid Bencherifa

Server-side encryption with AWS KMS keys (SSE-KMS) enhances data security in Amazon S3 by using AWS Key Management Service (KMS) to manage encryption keys. This provides an extra layer of protection for sensitive data stored in S3 buckets.

How SSE-KMS Works:

  • Each object is encrypted with a unique data key, which is then encrypted with a KMS key, a process known as envelope encryption.

  • While SSE-KMS strengthens security, it can result in high costs for workloads accessing millions or billions of encrypted objects due to the large volume of AWS KMS requests.

S3 Bucket Keys:

To reduce costs, Amazon S3 introduced S3 Bucket Keys, which decrease request traffic between Amazon S3 and AWS KMS by up to 99%.

How S3 Bucket Keys Work:

  • S3 Bucket Keys generate a short-lived bucket-level key from AWS KMS.

  • This bucket-level key is temporarily stored in S3 and used to create data keys for new objects during its lifecycle.

  • The use of bucket-level keys reduces the frequency of requests made to AWS KMS, minimizing costs while maintaining encryption.

Example:

Without S3 Bucket Keys, each request for an encrypted object would require a call to AWS KMS. With S3 Bucket Keys enabled, the bucket-level key is used to encrypt and decrypt objects, greatly reducing the number of AWS KMS calls.

Implementation:

  • Enabling S3 Bucket Keys: You can enable S3 Bucket Keys when creating a new bucket or configure it for existing buckets via the Amazon S3 console, AWS SDKs, AWS CLI, or REST API.

  • Impact on Existing Objects: Enabling S3 Bucket Keys affects new objects uploaded to the bucket. To apply them to existing objects, a COPY operation is required.

  • Encryption Context: When using S3 Bucket Keys, the encryption context changes from the object ARN to the bucket ARN, potentially requiring updates to your IAM or AWS KMS key policies.

  • Compatibility: S3 Bucket Keys are compatible with Same-Region Replication (SRR) and Cross-Region Replication (CRR), preserving encryption settings during replication.

Conclusion:

S3 Bucket Keys provide a cost-effective solution for implementing server-side encryption with AWS KMS keys. By reducing API calls to AWS KMS, they maintain robust security while optimizing costs for large-scale operations involving millions of encrypted objects.

Links:

For further reading, refer to the following AWS documentation:

Khalid Bencherifa
Previous

Migrating Databases to Amazon RDS for SQL Server with Cross-Region Automated Backups and Point-in-Time Recovery
Next

Amazon RDS and CloudWatch: Preventing and Resolving Storage Issues