Enable bucket key with SSE-S3

0

Hello,

I would like to understand the goal of enabling "Bucket key" with SSE-S3 encryption type ? For me, bucket key is used only with encryption type SSE-KMS so less calls to KMS are made. But what is the purpose of enabling it with SSE-S3 ?

Regards

Mehmet
demandé il y a 8 mois509 vues
4 réponses
1

SSE-S3 v/s SSE-KMS:

SSE-S3 provides you the encryption feature on s3 objects at rest and all the objects inside SSE-S3 encrypted bucket would be accessible to anyone who has access to that bucket/underlying objects. SSE-S3 serves the purpose if someone asks you, is your data is encrypted at rest or not, then you can say, yes it's encrypted at rest by s3 backend infrastructure. Hypothetically, you can understand it this way, that if anyone got access to AWS data center and eventually the hard drive where your s3 data is rested, he/she will not be able to read it until he can decipher the key used for that data encryption. You as an end user, don't need to deal with any of the encryption process at all.

On the other hand, with SSE-KMS, access to an s3 object not only would require s3 object access but also the encryption key (SSE-KMS CMK via AWS KMS) access too. Encryption process would be handled by AWS KMS, where encrypted data key is used for encryption/decryption process and data key never leaves KMS.

If you want to have an extra permission layer on your s3 bucket objects, then you must go with SSE-KMS however keep in mind that this option incur additional KMS cost as every time when you'd access an s3 object, KMS API would also be called.

Edit: Keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduce the overall KMS cost substantially as KMS API calls request gets reduced marginally by up to 99% but that won't be the case for SSE-S# as in case of SSE-S3, AWS KMS doesn't come in to the picture for user. For more details, please refer AWS Documentation.

Hope this helps, comment here if you have additional questions.

Abhishek

profile pictureAWS
EXPERT
répondu il y a 8 mois
  • Hi, thank you for your help, as I have stated above, my question was misunderstood. My question is actually this : "What is the purpose of enabling bucket key when you choose to use SSE-S3"

  • Hi Mehmet,

    I got your question, so the answer is, with SSE-S3, keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduce the overall KSM cost substantially as KMS API calls request gets reduced marginally by up to 99%. I've added this clarification in my answer as well. For more details, please refer AWS Documentation.

0

Hi

SSE-S3 can be used where you are just looking for encryption for your data at rest. It is baked into the Amazon S3 service which manages the encryption and decryption of your objects. The encryption keys are handled and managed by AWS [internally].

On the other hand, SSE-KMS is recommended when you need both encryption and you want to manage the keys centrally and define the key usage through policies [additional layer of security]. Also, there is an associated cost with KMS, namely for customer managed keys and API calls.

I hope this clarifies.

Thanks

profile pictureAWS
EXPERT
répondu il y a 8 mois
  • Thank you for your clarification. My concern is not about the difference between SSE-S3 versus SSE-KMS but more about the need to enable "Bucket key" when you choose to use SSE-S3 ? My question in first place might not be clear, sorry for that

0

To add to the previous response:

  1. When you configure your bucket to use an S3 Bucket Key for SSE-KMS, AWS generates a short-lived bucket-level key from AWS KMS then temporarily keeps it in S3
  2. Using S3 Bucket Keys allows you to save on AWS KMS request costs by decreasing your requests to AWS KMS for Encrypt, GenerateDataKey, and Decrypt operations through the use of a bucket-level key

https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html

There is a balance between security, and cost optimization. Using bucket-key, while cost efficient, is not the "most secure" way to leverage encryption within S3 (using generatedatakey api is more secure). But it does save on API calls to KMS.

I hope this helps, when added with the previous entry.

AWS
KAS
répondu il y a 8 mois
  • Thank you also for the clarification, I think my question was not clear, my question is more like "What is the purpose of enabling bucket key when you choose to use SSE-S3" ?

0

Iam also confused, the default settings during the creation of a new bucket is

  • "SSE-S3" for Encryption
  • "Enabled" for Bucket Key

If the Bucket Key does not come into play with SSE-S3, isnt it better to hide the whole "Bucket Key" setting if SSE-S3 is selected, just show it if SSE-KMS is selected? Its a little bit confusing, because I am not sure if I have to enable or disable it with SSE-S3.

Enter image description here

profile picture
répondu il y a 4 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions