Amazon Key Management Service (KMS) keys can now be used for server-side encryption with Amazon S3 Express One Zone, a high-performance, single-Availability Zone (AZ) S3 storage class (SSE-KMS). All items kept in S3 directory buckets are already encrypted by default by S3 Express One Zone using Amazon S3 management keys (SSE-S3). As of right now, data at rest can be encrypted using AWS KMS customer managed keys without affecting speed. With the help of this new encryption feature, you may use S3 Express One Zone which is intended to provide reliable single-digit millisecond data access for your most frequently accessed data and latency-sensitive applications to further satisfy compliance and regulatory standards.
For SSE-KMS encryption, S3 directory buckets let you define a single customer controlled key per bucket. You cannot change it to use a different key once the customer managed key has been inserted. Conversely, S3 general purpose buckets allow you to use several KMS keys during S3 PUT requests or by modifying the bucket’s default encryption configuration. S3 Bucket Keys are always enabled when utilizing SSE-KMS with S3 Express One Zone. Free S3 bucket keys can minimize AWS KMS queries by up to 99%, improving efficiency and lowering expenses.
Utilizing Amazon S3 Express One Zone with SSE-KMS
First construct an S3 directory bucket in the Amazon S3 console by following the instructions, and you can use apne1-az4 as the Availability Zone, to demonstrate this new functionality to you. To construct the final name, you automatically add the Availability Zone ID to the suffix you enter in the Base name, which is s3express-kms. Then confirm that Data is stored in a single Availability Zone by checking the corresponding checkbox.
Select Server-side encryption using AWS Key Management Service keys (SSE-KMS) under the Default encryption option. You have three options under AWS KMS Key: Create a KMS key, Enter AWS KMS key ARN, or Select from your AWS KMS keys. In this case, you choose to Create bucket after choosing from a list of previously established AWS KMS keys.
You can now automatically encrypt any new object you upload to this S3 directory bucket using my Amazon KMS key.
SSE-KMS in operation with Amazon S3 Express One Zone
You require an AWS Identity and Access Management (IAM) user or role with the following policy in order to use SSE-KMS with S3 Express One Zone using the AWS Command Line Interface (AWS CLI). In order to successfully upload and receive encrypted data to and from your S3 directory bucket, this policy permits the CreateSession API function.
Using the HeadObject command to examine the object’s properties, you can see that it is encrypted using SSE-KMS and my previously generated key:
You can use GetObject to download the encrypted object:
The object downloads and decrypts itself because your session has the required rights.
Use a separate IAM user with a policy who isn’t allowed the required KMS key rights to download the item for this second test. The SSE-KMS encryption is operating as planned, as seen by the AccessDenied error that occurs during this attempt.
Important information
Beginning the process The AWS SDKs, AWS CLI, or the Amazon S3 console can all be used to enable SSE-KMS for S3 Express One Zone. Assign your AWS KMS key and change the S3 directory bucket’s default encryption option to SSE-KMS. Recall that over the lifespan of an S3 directory bucket, only one customer controlled key may be used.
Regions: Every AWS Region where S3 Express One Zone is presently offered offers support for SSE-KMS utilizing customer-managed keys.
Performance: Request latency is unaffected by using SSE-KMS with S3 Express One Zone. The same single-digit millisecond data access will be available to you.
Pricing: To generate and recover data keys used for encryption and decryption, you must pay AWS KMS fees. For additional information, see the pricing page for AWS KMS. Furthermore, S3 Bucket Keys are enabled by default for all data plane operations aside from CopyObject and UploadPartCopy when utilizing SSE-KMS with S3 Express One Zone, and they cannot be removed. By doing this, AWS KMS request volume is lowered by up to 99%, improving both performance and cost-effectiveness.
