Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys
Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for AWS KMS-based encryption on new objects.
S3 Bucket Keys for SSE-KMS
Workloads that access millions or billions of objects encrypted with SSE-KMS can generate large volumes of requests to AWS KMS. When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object. It makes a call to AWS KMS every time a request is made against a KMS-encrypted object. For information about how SSE-KMS works, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).
When you configure your bucket to use an S3 Bucket Key for SSE-KMS, AWS KMS generates a bucket-level key that is used to create unique data keys for new objects that you add to the bucket. This S3 Bucket Key is used for a time-limited period within Amazon S3, reducing the need for Amazon S3 to make requests to AWS KMS to complete encryption operations. This reduces traffic from S3 to AWS KMS, allowing you to access AWS KMS-encrypted objects in S3 at a fraction of the previous cost.
When you configure an S3 Bucket Key, objects that are already in the bucket do not use the S3 Bucket Key. To configure an S3 Bucket Key for existing objects, you can use a COPY operation. For more information, see Configuring an S3 Bucket Key at the object level using the REST API, AWS SDKs, or AWS CLI.
Amazon S3 will only share an S3 Bucket Key for objects encrypted by the same AWS KMS customer master key (CMK).
Configuring S3 Bucket Keys
You can configure your bucket to use an S3 Bucket Key for SSE-KMS on new objects through the Amazon S3 console, AWS SDKs, AWS CLI, or REST API. You can also override the S3 Bucket Key configuration for specific objects in a bucket with an individual per-object KMS key using the REST API, AWS SDK, or AWS CLI. You can also view S3 Bucket Key settings.
Before you configure your bucket to use an S3 Bucket Key, review Changes to note before enabling an S3 Bucket Key.
Configuring an S3 Bucket Key using the Amazon S3 console
When you create a new bucket, you can configure your bucket to use an S3 Bucket Key for SSE-KMS on new objects. You can also configure an existing bucket to use an S3 Bucket Key for SSE-KMS on new objects by updating your bucket properties.
For more information, see Configuring your bucket to use an S3 Bucket Key with SSE-KMS for new objects.
REST API, AWS CLI, and AWS SDK support for S3 Bucket Keys
You can use the REST API, AWS CLI, or AWS SDK to configure your bucket to use an S3 Bucket Key for SSE-KMS on new objects. You can also enable an S3 Bucket Key at the object level.
For more information, see the following:
The following APIs support S3 Bucket Keys for SSE-KMS:
-
-
ServerSideEncryptionRuleaccepts theBucketKeyEnabledparameter for enabling and disabling an S3 Bucket Key.
-
-
-
ServerSideEncryptionRulereturns the settings forBucketKeyEnabled.
-
-
PutObject, CopyObject, CreateMutlipartUpload, and PostObject
-
x-amz-server-side-encryption-bucket-key-enabledrequest header enables or disables an S3 Bucket Key at the object level.
-
-
HeadObject, GetObject, UploadPartCopy, UploadPart, and CompleteMultipartUpload
-
x-amz-server-side-encryption-bucket-key-enabledresponse header indicates if an S3 Bucket Key is enabled or disabled for an object.
-
Working with AWS CloudFormation
In AWS CloudFormation, the AWS::S3::Bucket resource includes an encryption property
called BucketKeyEnabled that you can use to enable or disable an S3 Bucket Key.
For more information, see Using AWS CloudFormation.
Changes to note before enabling an S3 Bucket Key
Before you enable an S3 Bucket Key, please note the following related changes:
kms:Decrypt permissions for copy and
upload
To copy or upload objects with S3 Bucket Keys, the AWS KMS key policy for the CMK
must include
the kms:Decrypt permission for the calling principal.
When you enable an S3 Bucket Key, the AWS KMS key policy for the CMK must include
the
kms:Decrypt permission for the calling principal. If the calling principal is
in a different account than the AWS KMS CMK, you must also include kms:Decrypt
permission in the IAM policy. The call to kms:Decrypt verifies the integrity
of the S3 Bucket Key before using it.
You only need to include kms:Decrypt permissions in the key policy if you use a customer
managed AWS KMS CMK. If you enable an S3 Bucket Key for server-side encryption using
an AWS
managed CMK (aws/s3), your AWS KMS key policy already includes kms:Decrypt permissions.
IAM or KMS key policies
If your existing IAM policies or AWS KMS key policies use your object Amazon Resource Name (ARN) as the encryption context to refine or limit access to your AWS KMS CMKs, these policies won’t work with an S3 Bucket Key. S3 Bucket Keys use the bucket ARN as encryption context. Before you enable an S3 Bucket Key, update your IAM policies or AWS KMS key policies to use your bucket ARN as encryption context.
For more information about encryption context and S3 Bucket Keys, see Encryption context (x-amz-server-side-encryption-context).
AWS KMS CloudTrail events
After you enable an S3 Bucket Key, your AWS KMS CloudTrail events log your bucket ARN instead of your object ARN. Additionally, you see fewer KMS CloudTrail events for SSE-KMS objects in your logs. Because key material is time-limited in Amazon S3, fewer requests are made to AWS KMS.
Using an S3 Bucket Key with replication
You can use S3 Bucket Keys with Same-Region Replication (SRR) and Cross-Region Replication (CRR).
When Amazon S3 replicates an encrypted object, it generally preserves the encryption settings of the replica object in the destination bucket. However, if the source object is not encrypted and your destination bucket uses default encryption or an S3 Bucket Key, Amazon S3 encrypts the object with the destination bucket’s configuration.
To use replication with an S3 Bucket Key, the AWS KMS key policy for the CMK used
to
encrypt the object replica must include kms:Decrypt permissions for the calling
principal. The call to kms:Decrypt verifies the integrity of the S3 Bucket Key
before using it. For more information, see Using an S3 Bucket Key with replication. For more information about SSE-KMS and
S3 Bucket Key, see Amazon S3 Bucket Keys and replication.
The following examples illustrate how an S3 Bucket Key works with replication. For more information, see Replicating objects created with server-side encryption (SSE) using AWS KMS CMKs.
Example 1 – Source object uses S3 Bucket Keys, destination bucket uses default encryption
If your source object uses an S3 Bucket Key but your destination bucket uses default encryption with SSE-KMS, the replica object maintains its S3 Bucket Key encryption settings in the destination bucket. The destination bucket still uses default encryption with SSE-KMS.
Example 2 – Source object is not encrypted, destination bucket uses an S3 Bucket Key with SSE-KMS
If your source object is not encrypted and the destination bucket uses an S3 Bucket
Key with
SSE-KMS, the source object is encrypted with an S3 Bucket Key using SSE-KMS in the
destination
bucket. This results in the ETag of the source object being different from the
ETag of the replica object. You must update applications that use the
ETag to accommodate for this difference.
Working with S3 Bucket Keys
For more information about enabling and working with S3 Bucket Keys, see the following sections:
