How Amazon Simple Storage Service (Amazon S3) uses AWS KMS - AWS Key Management Service


Amazon Simple Storage Service (Amazon S3) is an object storage service that stores data as objects within buckets. Buckets and the objects in them are private and can be accessed only if you explicitly grant access permissions.

Amazon S3 integrates with AWS Key Management Service (AWS KMS) to provide server-side encryption of Amazon S3 objects (SSE-KMS). Amazon S3 does not encrypt objects directly with the KMS key; it uses envelope encryption: for each object, S3 asks AWS KMS to generate a unique data key under the KMS key you choose, encrypts the object with the plaintext data key, and stores the encrypted copy of the data key with the object. The KMS key that protects those data keys never leaves AWS KMS unencrypted. This integration also enables you to set permissions on the AWS KMS key through its key policy and IAM policies, and to audit in AWS CloudTrail the operations that generate, encrypt, and decrypt the data keys that protect your objects.

To reduce the volume of Amazon S3 calls to AWS KMS, use Amazon S3 Bucket Keys. A bucket key is a bucket-level key-encryption key that AWS KMS generates under your KMS key; Amazon S3 reuses it for a limited time to create the per-object data keys, so most object operations no longer require a separate request to AWS KMS. Bucket keys can reduce costs for AWS KMS requests by up to 99 percent. You can enable a bucket key for all objects in an Amazon S3 bucket through the bucket's default encryption configuration, or for a particular object by setting it on the upload request. One caveat: when a bucket key is in use, the KMS encryption context and the resulting CloudTrail events refer to the bucket ARN rather than the object ARN, so key policies, grants, or detections that constrain on the object ARN must be adjusted.
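As an added example (not AWS sample code and not part of this page), the following Python audits an S3 default-encryption configuration for the properties described above and builds a bucket policy that refuses uploads not protected by the intended KMS key. The `audit_bucket_encryption` function parses the response shape of `s3:GetBucketEncryption` (the same structure boto3's `s3.get_bucket_encryption` returns); the bucket name, account ID, and key ARN in the sample data are constructed placeholders. The policy uses the `s3:x-amz-server-side-encryption` and `s3:x-amz-server-side-encryption-aws-kms-key-id` condition keys.

```python
"""Audit S3 default encryption for SSE-KMS hygiene and build a matching bucket policy.

Added example, not AWS code. Checks three things a reviewer wants to know:
  1. default encryption is SSE-KMS (or DSSE-KMS), not SSE-S3 and not absent;
  2. a specific KMS key ARN is named, so the bucket does not silently fall back
     to the AWS managed key aws/s3, whose key policy you cannot change;
  3. S3 Bucket Keys are enabled, so most object operations stop calling KMS.
All sample data below is constructed for illustration.
"""
import json
import re
from typing import Dict, List, Optional

KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}
# Full key ARN: arn:aws:kms:<region>:<account>:key/<uuid>
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def audit_bucket_encryption(config: Dict, expected_key_arn: Optional[str] = None) -> List[str]:
    """Return a list of findings for a GetBucketEncryption response; empty means compliant."""
    findings: List[str] = []
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule configured"]
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo not in KMS_ALGORITHMS:
            findings.append(f"default SSEAlgorithm is {algo!r}; expected SSE-KMS ('aws:kms')")
            continue  # remaining checks only make sense for SSE-KMS
        key_id = default.get("KMSMasterKeyID")
        if not key_id:
            findings.append("SSE-KMS without KMSMasterKeyID: S3 will use the AWS managed key aws/s3")
        elif expected_key_arn and key_id != expected_key_arn:
            findings.append(f"KMSMasterKeyID {key_id} is not the expected key {expected_key_arn}")
        elif not KMS_KEY_ARN_RE.match(key_id):
            # Aliases and bare key IDs work, but a full ARN is unambiguous across accounts.
            findings.append("KMSMasterKeyID should be a full key ARN, not an alias or bare key ID")
        if not rule.get("BucketKeyEnabled", False):
            findings.append("BucketKeyEnabled is false: each object costs a GenerateDataKey or Decrypt call to KMS")
    return findings


def deny_non_kms_uploads_policy(bucket_name: str, key_arn: str) -> Dict:
    """Bucket policy that denies PutObject unless the request uses SSE-KMS with key_arn.

    Because StringNotEquals evaluates to true when the condition key is absent,
    the first statement also denies uploads that send no encryption header at all.
    """
    objects = f"arn:aws:s3:::{bucket_name}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUploadsWithoutSSEKMS",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "DenyUploadsWithWrongKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}
                },
            },
        ],
    }


# Constructed sample data (placeholder account, bucket, and key IDs).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SAMPLE_GOOD = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
    "BucketKeyEnabled": True}]}}

SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

SAMPLE_MANAGED_KEY_NO_BUCKET_KEY = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
    "BucketKeyEnabled": False}]}}

if __name__ == "__main__":
    for name, cfg in [("good", SAMPLE_GOOD), ("sse-s3", SAMPLE_SSE_S3),
                      ("managed-key", SAMPLE_MANAGED_KEY_NO_BUCKET_KEY)]:
        print(name, audit_bucket_encryption(cfg, expected_key_arn=KEY_ARN) or "OK")
    print(json.dumps(deny_non_kms_uploads_policy("amzn-s3-demo-bucket", KEY_ARN), indent=2))
```

To run the audit against a live bucket, pass the dictionary returned by `boto3.client("s3").get_bucket_encryption(Bucket=name)` to `audit_bucket_encryption`. The second deny statement is deliberate: without it, a caller can satisfy the first statement by naming any KMS key they control, which keeps the data readable to them but not to your key's administrators.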

For more information about how Amazon S3 uses AWS KMS, see Protecting data using server-side encryption with KMS keys (SSE-KMS) in the Amazon S3 User Guide.