1 Answer
Hello,
An S3 Bucket Key is not the encryption key itself; like a data key, it still needs the KMS key stored in the HSM to work. But instead of making a call for each object you need to decrypt, it generates an S3 Bucket Key that lives in a "limited time window" within the S3 bucket to access objects in your bucket, hence reducing the cost by reducing the number of API calls toward KMS (but not resulting in no more calls).
Using an S3 Bucket Key still requires a KMS key, either AWS managed or customer managed. So in my opinion it doesn't affect the FIPS 140-2 validation, since it still involves the HSM and KMS.
More info here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html?icmpid=docs_amazons3_console#bucket-key-changes
answered a month ago
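As an added example (not part of the original answer or AWS's own tooling), the Python below shows what the answer describes from an auditor's side: it builds the SSE-KMS default-encryption rule that turns the Bucket Key on, and it classifies an existing bucket configuration so you can see whether a bucket is SSE-S3, SSE-KMS without a Bucket Key (one KMS request per object operation), or SSE-KMS with a Bucket Key. The dict shapes follow what boto3's `get_bucket_encryption` / `put_bucket_encryption` use; the bucket names and key ARNs are constructed samples, and the code runs offline with no AWS calls.

```python
"""Audit S3 default-encryption settings for S3 Bucket Key usage.

Dict shapes mirror boto3: get_bucket_encryption() returns
{"ServerSideEncryptionConfiguration": {"Rules": [...]}} and
put_bucket_encryption() takes the same ServerSideEncryptionConfiguration value.
All sample bucket names and key ARNs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption for the example: a hypothetical customer-managed key ARN.
SAMPLE_CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


@dataclass
class Finding:
    bucket: str
    algorithm: Optional[str]          # "AES256", "aws:kms", "aws:kms:dsse" or None
    kms_key_id: Optional[str]         # None for SSE-S3 or for the AWS managed aws/s3 key
    bucket_key_enabled: bool
    notes: List[str] = field(default_factory=list)


def build_sse_kms_config(kms_key_arn: str, bucket_key_enabled: bool = True) -> dict:
    """Return the ServerSideEncryptionConfiguration that enables SSE-KMS with a
    Bucket Key. Pass it to s3.put_bucket_encryption(Bucket=..., ServerSideEncryptionConfiguration=...)."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_arn,
                },
                "BucketKeyEnabled": bucket_key_enabled,
            }
        ]
    }


def audit_bucket_encryption(bucket: str, config: Optional[dict]) -> Finding:
    """Classify one bucket's default-encryption rule.

    `config` is the ServerSideEncryptionConfiguration value, or None when
    get_bucket_encryption() raised ServerSideEncryptionConfigurationNotFoundError.
    """
    if not config or not config.get("Rules"):
        return Finding(bucket, None, None, False, ["no default encryption rule configured"])

    rule = config["Rules"][0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    key_id = default.get("KMSMasterKeyID")
    bucket_key = bool(rule.get("BucketKeyEnabled", False))
    notes: List[str] = []

    if algorithm == "AES256":
        notes.append("SSE-S3: S3-managed keys, no KMS key in the request path")
        bucket_key = False  # Bucket Key only applies to SSE-KMS
    elif algorithm and algorithm.startswith("aws:kms"):
        # No key ID (or the aws/s3 alias) means the AWS managed key; anything else is customer managed.
        if not key_id or key_id.endswith("alias/aws/s3"):
            notes.append("SSE-KMS with the AWS managed key (aws/s3)")
        else:
            notes.append("SSE-KMS with a customer-managed key")
        if bucket_key:
            notes.append("Bucket Key enabled: KMS is called per bucket-level key, not per object")
        else:
            notes.append("Bucket Key disabled: every object encrypt/decrypt calls KMS; "
                         "consider enabling BucketKeyEnabled to cut KMS request volume")
    else:
        notes.append(f"unrecognised SSEAlgorithm: {algorithm!r}")

    return Finding(bucket, algorithm, key_id, bucket_key, notes)


def audit_all(configs: Dict[str, Optional[dict]]) -> List[Finding]:
    """Audit a mapping of bucket name -> ServerSideEncryptionConfiguration (or None)."""
    return [audit_bucket_encryption(name, cfg) for name, cfg in configs.items()]


# Constructed sample inventory: what a loop over list_buckets()/get_bucket_encryption() might collect.
SAMPLE_INVENTORY: Dict[str, Optional[dict]] = {
    "example-logs": None,
    "example-sse-s3": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "example-kms-no-bucket-key": build_sse_kms_config(SAMPLE_CMK_ARN, bucket_key_enabled=False),
    "example-kms-bucket-key": build_sse_kms_config(SAMPLE_CMK_ARN),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_INVENTORY):
        print(f"{f.bucket}: alg={f.algorithm} bucket_key={f.bucket_key_enabled}")
        for n in f.notes:
            print("   -", n)
```

In a real account you would replace `SAMPLE_INVENTORY` with the result of calling `get_bucket_encryption` per bucket; the classification logic is the same. Note that the Bucket Key only changes how often S3 calls KMS, not which key protects the data, which is the point the answer makes about FIPS validation.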