How does AWS handle S3 Bucket level key rotation? Or perhaps, how is it different from regular KMS key rotation for S3? Is a KMS based key for S3 ultimately more secure?


Hello there, I have been reading up on the differences between encrypting an S3 bucket with a bucket-level key versus the usual (for me) way of using a key based in KMS. I understand the cost-saving benefits of using a bucket-level key, but I don't understand why you would choose to use a KMS-based key in any use case if it is more expensive.

Could you use a bucket-level key to comply with standards like FIPS 140-2 validation? SSE-S3 encryption does not comply with FIPS 140-2 validation and SSE-KMS does comply. So part of my question is trying to determine if the bucket-level keys are also able to comply with FIPS 140-2 validation.

1 Answer

Hello,

S3 Bucket Key is not the encryption key itself; like a data key, it will need the use of a KMS key stored in an HSM to work, but instead of making a call for each object you need to decrypt, it will generate an S3 Bucket Key that lives in a "limited time window" within the S3 bucket to access objects in your bucket. Hence reducing the cost by reducing the amount of API calls toward KMS (but not resulting in no more calls).

Using an S3 Bucket Key still requires a KMS key, either AWS or customer managed. So in my opinion it doesn't affect the FIPS 140-2 validation since it's still involving the HSM and KMS.

More info here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html?icmpid=docs_amazons3_console#bucket-key-changes

Leoc2
answered a month ago
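As an added illustration (not part of the answer above, and not AWS's own code), the following Python shows the two settings the thread contrasts in the shape the S3 API actually uses: a helper that builds the default-encryption configuration enabling an S3 Bucket Key under SSE-KMS, and an audit function that classifies a `get_bucket_encryption` response as SSE-S3, SSE-KMS with a KMS call per object, or SSE-KMS with a Bucket Key. The key ARN and bucket name are placeholders; the `boto3` calls only run when the script is executed directly against a real account.

```python
# Added example: inspect and set S3 default encryption with respect to
# SSE-KMS and S3 Bucket Keys. Sample responses below are constructed.

def classify_default_encryption(config):
    """Label a GetBucketEncryption response dict by the mode it configures."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "no default encryption"
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "SSE-S3"
    if algo == "aws:kms":
        # KMSMasterKeyID is absent when the AWS managed key aws/s3 is in use.
        key = default.get("KMSMasterKeyID", "aws/s3 (AWS managed)")
        if rule.get("BucketKeyEnabled"):
            return f"SSE-KMS with S3 Bucket Key ({key})"
        return f"SSE-KMS, one KMS call per object ({key})"
    return f"unknown algorithm {algo!r}"

def bucket_key_config(kms_key_arn):
    """ServerSideEncryptionConfiguration for put_bucket_encryption that turns
    on an S3 Bucket Key backed by the given KMS key (placeholder ARN)."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True}]}

# Constructed samples in the shape get_bucket_encryption returns.
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_KMS_PER_OBJECT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
     "BucketKeyEnabled": False}]}}
SAMPLE_KMS_BUCKET_KEY = {"ServerSideEncryptionConfiguration":
    bucket_key_config("arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER")}

if __name__ == "__main__":
    import boto3  # live use only; replace the placeholders first
    s3 = boto3.client("s3")
    bucket = "example-bucket-placeholder"
    print(classify_default_encryption(s3.get_bucket_encryption(Bucket=bucket)))
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=bucket_key_config(
            "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"))
```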