Amazon S3 has introduced a new encryption option called DSSE-KMS (Amazon S3 dual-layer server-side encryption with keys stored in AWS Key Management Service). This feature applies two layers of encryption to objects uploaded to an Amazon S3 bucket. DSSE-KMS is designed to meet FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption, making it suitable for highly regulated customers, including the US Department of Defense (DoD).
With DSSE-KMS, you can enable dual-layer server-side encryption for individual objects during upload or configure your S3 bucket to apply DSSE to all new objects by default. You can also enforce DSSE-KMS using IAM and bucket policies. Each layer of encryption uses a separate cryptographic implementation library with individual data encryption keys, providing an added layer of security against potential vulnerabilities.
DSSE-KMS simplifies the process of applying two layers of encryption without requiring additional infrastructure for client-side encryption. Each layer of encryption uses a different implementation of the Advanced Encryption Standard in Galois/Counter Mode (AES-GCM). DSSE-KMS uses AWS Key Management Service (AWS KMS) to generate the data keys, so you control and manage your customer managed keys, including their permissions and key rotation schedules. You can also query and analyze your dual-encrypted data with AWS services such as Amazon Athena and Amazon SageMaker.
Amazon S3 now offers four options for server-side encryption:
- Server-side encryption with Amazon S3 managed keys (SSE-S3)
- Server-side encryption with AWS KMS (SSE-KMS)
- Server-side encryption with customer-provided encryption keys (SSE-C)
- Dual-layer server-side encryption with keys stored in KMS (DSSE-KMS)
To enable DSSE-KMS, you can create a new bucket in the Amazon S3 console, choose DSSE-KMS as the encryption option under the Default encryption section, select a suitable AWS KMS key, and complete the bucket creation process.
When uploading an object to the DSSE-KMS enabled S3 bucket, you can choose not to specify an encryption key, and the object will inherit the server-side encryption settings from the bucket.
To download a DSSE-KMS encrypted object from the S3 bucket, select the object and choose the download option. The object is decrypted automatically on download, so no changes to client applications are required.
DSSE-KMS is available in all AWS Regions, and you can start using it through the AWS CLI or the AWS Management Console. For more details and pricing information, refer to the Amazon S3 User Guide and the Amazon S3 pricing page.
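As an added example (not code from the announcement or from AWS), the Python helpers below build the bucket default-encryption configuration and a bucket policy that enforces DSSE-KMS for uploads, and evaluate offline which `x-amz-server-side-encryption` header values the policy lets through. The bucket name and KMS key ARN are placeholders.

```python
import json
from typing import Optional

# Value of the x-amz-server-side-encryption header / SSEAlgorithm for DSSE-KMS.
DSSE = "aws:kms:dsse"

def dsse_default_encryption_config(kms_key_arn: str) -> dict:
    """Configuration body for `aws s3api put-bucket-encryption`: new objects
    uploaded without an explicit encryption header receive DSSE-KMS."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": DSSE, "KMSMasterKeyID": kms_key_arn}}]}

def dsse_enforcing_bucket_policy(bucket: str) -> dict:
    """Bucket policy that rejects any PutObject not explicitly marked DSSE-KMS.
    The Null statement makes the missing-header case explicit, so a later
    change to the bucket default cannot silently weaken uploads."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonDsseUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": DSSE}}},
        {"Sid": "DenyUploadsWithoutEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

def put_object_allowed(policy: dict, sse_header: Optional[str]) -> bool:
    """Offline check of the two Deny statements against the
    x-amz-server-side-encryption value a PutObject request carries
    (None = header absent). Follows IAM semantics for these operators:
    a negated operator (StringNotEquals) matches when the key is missing,
    and Null with "true" matches when the key is missing."""
    key = "s3:x-amz-server-side-encryption"
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "StringNotEquals" in cond and sse_header != cond["StringNotEquals"][key]:
            return False  # absent or any other algorithm (AES256, aws:kms) is denied
        if "Null" in cond and sse_header is None:
            return False
    return True

def default_encryption_is_dsse(get_bucket_encryption_response: dict) -> bool:
    """True when a GetBucketEncryption response (CLI/boto3 shape) applies DSSE-KMS by default."""
    rules = get_bucket_encryption_response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") == DSSE
               for r in rules)

if __name__ == "__main__":
    # Placeholder bucket and key ARN; substitute your own before applying.
    print(json.dumps(dsse_enforcing_bucket_policy("example-dsse-bucket"), indent=2))
    print(json.dumps(dsse_default_encryption_config(
        "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"), indent=2))
```

The two dicts are the JSON bodies you would pass to `aws s3api put-bucket-policy` and `aws s3api put-bucket-encryption`; `default_encryption_is_dsse` can be run over the output of `aws s3api get-bucket-encryption` to audit existing buckets.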