Specifying the AWS Key Management Service in Amazon S3 Using the AWS SDKs - Amazon Simple Storage Service

Specifying the AWS Key Management Service in Amazon S3 Using the AWS SDKs

When using AWS SDKs, you can request Amazon S3 to use AWS Key Management Service (AWS KMS) customer master keys (CMKs). This section provides examples of using the AWS SDKs for Java and .NET. For information about other SDKs, go to Sample Code and Libraries.

Important

When you use an AWS KMS CMK for server-side encryption in Amazon S3, you must choose a symmetric CMK. Amazon S3 only supports symmetric CMKs and not asymmetric CMKs. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.

AWS SDK for Java

This section explains various Amazon S3 operations using the AWS SDK for Java and how you use the AWS KMS CMKs.

Put Operation

When uploading an object using the AWS SDK for Java, you can request Amazon S3 to use an AWS KMS CMK by adding the SSEAwsKeyManagementParams property as shown in the following request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams());

In this case, Amazon S3 uses the AWS managed CMK (see Using Server-Side Encryption with CMKs Stored in AWS KMS ). You can optionally create a symmetric customer managed CMK and specify that in the request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(keyID));

For more information about creating customer managed CMKs, see Programming the AWS KMS API in the AWS Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update those code examples and provide encryption information as shown in the preceding code fragment.

Copy Operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an AWS KMS CMK. For more information about copying objects, see Copying objects.

Presigned URLs

When creating a presigned URL for an object encrypted using an AWS KMS CMK, you must explicitly specify Signature Version 4.

ClientConfiguration clientConfiguration = new ClientConfiguration(); clientConfiguration.setSignerOverride("AWSS3V4SignerType"); AmazonS3Client s3client = new AmazonS3Client( new ProfileCredentialsProvider(), clientConfiguration); ...

For a code example, see Generate a presigned object URL using the AWS SDK for Java.

AWS SDK for .NET

This section explains various Amazon S3 operations using the AWS SDK for .NET and how you use the AWS KMS CMKs.

Put Operation

When uploading an object using the AWS SDK for .NET, you can request Amazon S3 to use an AWS KMS CMK by adding the ServerSideEncryptionMethod property as shown in the following request.

PutObjectRequest putRequest = new PutObjectRequest { BucketName = bucketName, Key = keyName, // other properties. ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS };

In this case, Amazon S3 uses the AWS managed CMK. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS). You can optionally create your own symmetric customer managed CMK and specify that in the request.

PutObjectRequest putRequest1 = new PutObjectRequest { BucketName = bucketName, Key = keyName, // other properties. ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS, ServerSideEncryptionKeyManagementServiceKeyId = keyId };

For more information about creating customer managed CMKs, see Programming the AWS KMS API in the AWS Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update these code examples and provide encryption information as shown in the preceding code fragment.

Copy Operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an AWS KMS CMK. For more information about copying objects, see Copying objects.

Presigned URLs

When creating a presigned URL for an object encrypted using an AWS KMS CMK, you must explicitly specify Signature Version 4.

AWSConfigs.S3Config.UseSignatureVersion4 = true;

For a code example, see Generate a presigned object URL using AWS SDK for .NET.