AWS KMS keys for encrypting data before uploading to Amazon S3 Glacier

Question

I'm required to use an AWS KMS key for encrypting data in Amazon S3 Glacier. However, the AWS KMS encryption with customer-owned keys isn't directly supported in S3 Glacier. I want to use client-side encryption of the data (and encrypt the data before uploading it to Amazon S3 Glacier). Can I use the AWS KMS key for client-side encryption (for data outside of AWS)? Or, do I have to use an AWS SDK to encrypt the data with an AWS KMS key?

Accepted Answer

You can use the [Amazon S3 client-side encryption](https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html) to encrypt the data before sending it to S3. Amazon S3 client-side encryption supports AWS KMS as the root key provider. However, it's recommended to use the [AWS Encryption SDK](https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html) as it offers more features while supporting AWS KMS.

To enable client-side encryption, you have the following options:
* Use an AWS KMS key stored in AWS Key Management Service (AWS KMS).
* Use a key that you store within your application.

For more information, you can also take a look at these AWS Blogs posts:
* https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/
* https://aws.amazon.com/blogs/security/how-to-decrypt-ciphertexts-multiple-regions-aws-encryption-sdk-in-c/

AWS KMS keys for encrypting data before uploading to Amazon S3 Glacier

Contenido relevante