How do I encrypt S3 buckets and objects, and manage encryption keys?

3 minute read

I want to encrypt an S3 bucket and its objects, and manage the encryption keys.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To encrypt your data at rest and in transit, use one of the following encryption methods:

Server-side encryption with Amazon S3 managed keys (SSE-S3)
Note: By default, Amazon S3 automatically SSE-S3 as the base level of encryption for every bucket.
Server-side encryption with AWS Key Management Service (SSE-KMS)
Server-side encryption with customer-provided keys (SSE-C)
Client-side encryption
Note: This method provides an extra layer of security. However, you must manage the encryption keys and the encryption and decryption processes on the client side.

Encrypt existing Amazon S3 objects

To encrypt existing objects, you can use either the AWS CLI or Amazon S3 Batch Operations.

To encrypt thousands of objects in an S3 bucket, use the AWS CLI. For example, run the following cp command to encrypt all objects under samplefolder/ with an AWS KMS key:

aws s3 cp s3://awsexamplebucket/samplefolder/ s3://awsexamplebucket/samplefolder/ --sse aws:kms --sse-kms-key-id arn:aws:kms:us-west-2:111122223333:key/3aefc301-b7d2-4601-9298-5a854cf9999d --recursive

Note: Replace the example S3 path with your S3 path and sse-kms-key-id with your SSE-KMS ID.

To encrypt millions or billions of objects, use S3 Batch Operations.

Complete the following steps:

Configure Amazon S3 Inventory for the buckets that contain the objects that you want to encrypt.
Create the S3 Batch Operations job with the manifest from Amazon S3 Inventory that specifies the source bucket and objects.

Implement best practices for SSE-KMS encryption

If you use SSE-KMS, then implement the following key management best practices:

To maintain better control and isolation and efficiently rotate keys or revoke access, create separate AWS KMS keys for different workloads, environments, or applications.
To control who can access and manage your encryption keys, use KMS key policies. You can grant permissions to AWS accounts, users, or roles to use the key for encryption and decryption operations.
To reduce the risk of key compromise, turn on automatic key rotation. AWS KMS automatically rotates the keys every year, or you can specify a rotation period.
To monitor and audit key usage in your account, use AWS CloudTrail. CloudTrail logs all API calls to KMS so that you can track who accessed your keys and when.
Regularly back up your AWS KMS keys, and replicate them across multiple AWS Regions for disaster recovery purposes.

For more information, see Encryption best practices for AWS Key Management Service.

Topics

Storage

Relevant content

S3 Default Encryption override with command line/api call
Accepted Answer
AWS-User-6622001
asked 7 years ago
S3 bucket default encryption for object uploads
Accepted Answer
kr_awsbuilder
asked 2 years ago
S3 Default Encryption, and individual object encryption settings
Accepted Answer
kyager
asked 2 years ago
How to all objects in s3 ( and all its versions) with aws command line?
laurens visser
asked 6 months ago
Difference in Functionality and Cost When Enabling S3 Bucket Key for Default Encryption
eunjeong
asked 6 months ago
Why do I receive errors when I run AWS CLI commands?
AWS OFFICIALUpdated 2 years ago
Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?
AWS OFFICIALUpdated 9 months ago
Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?
AWS OFFICIALUpdated 2 years ago
How can I use AWS KMS to encrypt a specific folder in my Amazon S3 bucket?
AWS OFFICIALUpdated 2 years ago
How to Fix "The bucket that you tried to delete is not empty" Error When Deleting an S3 Table Bucket
EXPERT
Vitor Castellani
published 2 months ago