Enabling server-side encryption for an Amazon S3 bucket - Amazon Chime SDK
Using an Amazon S3 managed keyUsing a key that you own

Enabling server-side encryption for an Amazon S3 bucket

To enable server-side encryption for an Amazon Simple Storage Service (Amazon S3) bucket, you can use these types of encryption keys:

  • An Amazon S3 managed key

  • A customer managed key in the AWS Key Management Service (KMS)

    Note

    The Key Management Service supports two types of keys, customer managed keys and AWS managed keys. Amazon Chime SDK meetings only support customer managed keys.

Using an Amazon S3 managed key

You use the Amazon S3 console, CLI, or REST API to enable server-side encryption for an Amazon S3 bucket. In both cases, choose Amazon S3 Key as encryption key type. No further action is needed. When you use the bucket for media capture, the artifacts are uploaded and encrypted on server side. For more information, refer to Specifying Amazon S3 encryption in the Amazon S3 User Guide.

Using a key that you own

To enable encryption with a key that you manage, you need to enable the Amazon S3 bucket’s server side encryption with a Customer Managed Key, then add a statement to the key policy that allows Amazon Chime to use the key and encrypt any uploaded artifacts.

  1. Create a Customer Managed Key in KMS. For information about doing so, see Specifying server-side encryption with AWS KMS (SSE-KMS) in the Amazon S3 User Guide.

  2. Add a statement to the key policy that allows the GenerateDataKey action to generate a key for use by the Amazon Chime SDK service principal, mediapipelines.chime.amazonaws.com.

    This example shows a typical statement.

    ...
{
    "Sid": "MediaPipelineSSEKMS",
    "Effect": "Allow",
    "Principal": {
        "Service": "mediapipelines.chime.amazonaws.com"
    },
    "Action": "kms:GenerateDataKey",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
           "aws:SourceAccount": "Account_Id"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:chime:*:Account_Id:*"
        }
    }
}
...

  3. If you use a media concatenation pipeline, add a statement to the key policy that allows the Amazon Chime SDK service principal, mediapipelines.chime.amazonaws.com, to use the kms:Decrypt action.

  4. Configure the Amazon S3 bucket to enable server side encryption with the key.