3 answers
1
Implementation-wise, assuming that each tenant must have their own independent KMS key, you may need to handle this at the application level.
You can achieve it with S3 object-level encryption via the PutObject request, providing different headers:
- x-amz-server-side-encryption: set this one to aws:kms
- x-amz-server-side-encryption-aws-kms-key-id: set this one to the key ID of the customer-specific key
I am not aware that there is a native way.
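The per-request header approach from the answer above, as an added example that is not part of the original thread: a tenant-to-key lookup that fails closed, the two headers (and their boto3 `put_object` equivalents), and a post-write check that the object really landed under the tenant's key. Tenant names, account ID and key ARNs are invented placeholders.

```python
"""Per-tenant SSE-KMS on S3 PutObject (added example, not from the original post).

Assumptions: the tenant IDs, account ID and key ARNs below are constructed
placeholders; a real service would read them from its tenant registry.
"""
from __future__ import annotations

# Constructed tenant -> KMS key map (placeholders, not real keys).
TENANT_KEYS = {
    "acme": "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "globex": "arn:aws:kms:eu-west-1:111122223333:key/66666666-7777-8888-9999-000000000000",
}


def tenant_key_arn(tenant_id: str, key_map: dict = TENANT_KEYS) -> str:
    """Fail closed: an unknown tenant must never silently fall back to the bucket default key."""
    try:
        return key_map[tenant_id]
    except KeyError:
        raise KeyError(f"no KMS key registered for tenant {tenant_id!r}") from None


def sse_kms_headers(tenant_id: str, key_map: dict = TENANT_KEYS) -> dict:
    """The two headers from the answer above, for a raw (SigV4-signed) PutObject request."""
    return {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": tenant_key_arn(tenant_id, key_map),
    }


def put_object_kwargs(tenant_id: str, bucket: str, key: str, body: bytes,
                      key_map: dict = TENANT_KEYS) -> dict:
    """The same headers expressed as boto3 s3.put_object(**kwargs) parameters."""
    return {
        "Bucket": bucket,
        "Key": f"{tenant_id}/{key}",  # shared bucket, one prefix per tenant
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": tenant_key_arn(tenant_id, key_map),
    }


def key_id_of(arn_or_id: str) -> str:
    """Key ID part of either a bare key ID or a full key ARN."""
    return arn_or_id.rsplit("/", 1)[-1]


def object_uses_tenant_key(head_response: dict, tenant_id: str,
                           key_map: dict = TENANT_KEYS) -> bool:
    """Post-write check against a HeadObject/PutObject response dict.

    S3 reports the key as a full ARN in SSEKMSKeyId even when the request sent
    a bare key ID, so the comparison is on the key ID part. Objects without
    SSE-KMS (SSE-S3 or no SSEKMSKeyId at all) fail the check.
    """
    if head_response.get("ServerSideEncryption") != "aws:kms":
        return False
    reported = head_response.get("SSEKMSKeyId")
    if not reported:
        return False
    return key_id_of(reported) == key_id_of(tenant_key_arn(tenant_id, key_map))


if __name__ == "__main__":
    # Offline demo; the real call would be boto3.client("s3").put_object(**kwargs)
    # followed by head_object() and object_uses_tenant_key() on its response.
    kwargs = put_object_kwargs("acme", "shared-tenant-bucket", "report.pdf", b"...")
    print({k: v for k, v in kwargs.items() if k != "Body"})
    print(sse_kms_headers("globex"))
```

The post-write check matters because an object written without the header is still accepted by S3 (under the bucket default key, or unencrypted), so a missing header is a silent compliance failure rather than an error.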
0
Take a look at this, Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3, for a discussion of the different approaches.
Thanks. I understand the alternatives mentioned in the article, but I am more wondering about implementation. As mentioned, the bucket per tenant doesn't fit us, and we do want an encryption key per tenant due to customers' compliance requirements.
Thanks
I would look at Access Points for each customer, and the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accessed the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity Pools.
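The per-customer Access Point policy described above, as an added example that is not part of the original thread: it allows a tenant's backend role to read and write only under the tenant's prefix, and denies any PutObject whose SSE headers do not name that tenant's key. A small evaluator for the two condition operators used (not a full IAM engine) shows which requests the Deny statements catch. Account ID, region, access point and role names and key ARNs are invented placeholders; the assumption that the condition value must be the full key ARN follows the S3 documentation for `s3:x-amz-server-side-encryption-aws-kms-key-id`.

```python
"""Per-tenant S3 Access Point policy pinning PutObject to one KMS key.

Added example, not from the original thread. Account, region, names and key
ARNs are constructed placeholders.
"""
import json

ACCOUNT = "111122223333"
REGION = "eu-west-1"
ACME_KEY = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
GLOBEX_KEY = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/66666666-7777-8888-9999-000000000000"

SSE_ALGO = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def tenant_access_point_policy(tenant_id: str, key_arn: str, role_arn: str,
                               account: str = ACCOUNT, region: str = REGION) -> dict:
    """Access Point policy for one tenant: its prefix only, its KMS key only."""
    ap_arn = f"arn:aws:s3:{region}:{account}:accesspoint/{tenant_id}-ap"
    objects = f"{ap_arn}/object/{tenant_id}/*"  # objects under this tenant's prefix
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # the tenant's backend role may read and write its own prefix
                "Sid": "TenantReadWrite",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": objects,
            },
            {   # reject uploads that are not SSE-KMS (SSE-S3, SSE-C or no header)
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_ALGO: "aws:kms"}},
            },
            {   # reject uploads under any other key, including the bucket default key
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_KEY: key_arn}},
            },
            {   # belt and braces: reject uploads that omit the key header entirely
                "Sid": "DenyMissingKmsKeyHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
        ],
    }


def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Minimal evaluator for StringNotEquals and Null only (not a full IAM engine).

    Mirrors IAM's rule that a negated operator matches when the key is absent
    from the request context.
    """
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals":
                if have == want:
                    return False
            elif op == "Null":
                if (have is None) != (want == "true"):
                    return False
            else:
                raise NotImplementedError(op)
    return True


def put_denied(policy: dict, request_ctx: dict) -> bool:
    """True if any Deny statement on s3:PutObject matches the request headers."""
    for s in policy["Statement"]:
        actions = [s["Action"]] if isinstance(s["Action"], str) else s["Action"]
        if s["Effect"] == "Deny" and "s3:PutObject" in actions \
                and _condition_matches(s.get("Condition", {}), request_ctx):
            return True
    return False


if __name__ == "__main__":
    pol = tenant_access_point_policy("acme", ACME_KEY, f"arn:aws:iam::{ACCOUNT}:role/acme-backend")
    print(json.dumps(pol, indent=2))
```

Two caveats a practitioner would want: the bucket policy still has to delegate access control to the access points (typically with an `s3:DataAccessPointAccount` condition), otherwise the tenant policy is not the only path to the objects; and the backend role for each tenant needs `kms:GenerateDataKey` and `kms:Decrypt` on that tenant's key only, so a mis-routed request fails at KMS even if it slips past S3.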