Enable bucket key with SSE-S3

0

Hello,

I would like to understand the goal of enabling "Bucket key" with the SSE-S3 encryption type. For me, bucket key is used only with encryption type SSE-KMS so fewer calls to KMS are made. But what is the purpose of enabling it with SSE-S3?

Regards

Mehmet
asked 8 months ago, 466 views
4 Answers
1

SSE-S3 v/s SSE-KMS:

SSE-S3 provides you the encryption feature on S3 objects at rest, and all the objects inside an SSE-S3 encrypted bucket would be accessible to anyone who has access to that bucket/underlying objects. SSE-S3 serves the purpose if someone asks you whether your data is encrypted at rest or not; then you can say, yes, it's encrypted at rest by the S3 backend infrastructure. Hypothetically, you can understand it this way: if anyone got access to an AWS data center and eventually the hard drive where your S3 data is at rest, he/she will not be able to read it until he can decipher the key used for that data encryption. You, as an end user, don't need to deal with any of the encryption process at all.

On the other hand, with SSE-KMS, access to an s3 object not only would require s3 object access but also the encryption key (SSE-KMS CMK via AWS KMS) access too. Encryption process would be handled by AWS KMS, where encrypted data key is used for encryption/decryption process and data key never leaves KMS.

If you want to have an extra permission layer on your S3 bucket objects, then you must go with SSE-KMS; however, keep in mind that this option incurs additional KMS cost, as every time you access an S3 object, the KMS API would also be called.

Edit: Keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduces the overall KMS cost substantially as KMS API call requests get reduced marginally by up to 99%, but that won't be the case for SSE-S3, as in the case of SSE-S3, AWS KMS doesn't come into the picture for the user. For more details, please refer to the AWS Documentation.

Hope this helps, comment here if you have additional questions.

Abhishek

AWS
EXPERT
answered 7 months ago
  • Hi, thank you for your help. As I have stated above, my question was misunderstood. My question is actually this: "What is the purpose of enabling bucket key when you choose to use SSE-S3"

  • Hi Mehmet,

    I got your question, so the answer is, with SSE-S3, keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduces the overall KMS cost substantially as KMS API call requests get reduced marginally by up to 99%. I've added this clarification in my answer as well. For more details, please refer to the AWS Documentation.

0

Hi

SSE-S3 can be used where you are just looking for encryption for your data at rest. It is baked into the Amazon S3 service which manages the encryption and decryption of your objects. The encryption keys are handled and managed by AWS [internally].

On the other hand, SSE-KMS is recommended when you need both encryption and you want to manage the keys centrally and define the key usage through policies [additional layer of security]. Also, there is an associated cost with KMS, namely for customer managed keys and API calls.

I hope this clarifies.

Thanks

AWS
EXPERT
answered 7 months ago
  • Thank you for your clarification. My concern is not about the difference between SSE-S3 versus SSE-KMS but more about the need to enable "Bucket key" when you choose to use SSE-S3. My question in the first place might not be clear, sorry for that.

0

To add to the previous response:

  1. When you configure your bucket to use an S3 Bucket Key for SSE-KMS, AWS generates a short-lived bucket-level key from AWS KMS then temporarily keeps it in S3
  2. Using S3 Bucket Keys allows you to save on AWS KMS request costs by decreasing your requests to AWS KMS for Encrypt, GenerateDataKey, and Decrypt operations through the use of a bucket-level key

https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html

There is a balance between security and cost optimization. Using bucket-key, while cost efficient, is not the "most secure" way to leverage encryption within S3 (using the GenerateDataKey API is more secure). But it does save on API calls to KMS.

I hope this helps, when added with the previous entry.

AWS
KAS
answered 7 months ago
  • Thank you also for the clarification. I think my question was not clear; my question is more like "What is the purpose of enabling bucket key when you choose to use SSE-S3"?

0

I am also confused; the default settings during the creation of a new bucket are

  • "SSE-S3" for Encryption
  • "Enabled" for Bucket Key

If the Bucket Key does not come into play with SSE-S3, isn't it better to hide the whole "Bucket Key" setting if SSE-S3 is selected, and just show it if SSE-KMS is selected? It's a little bit confusing, because I am not sure if I have to enable or disable it with SSE-S3.

answered 3 months ago
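
An added example (not from any poster in this thread and not AWS code) that applies the answers above to bucket default-encryption settings: it reports, per bucket, whether the Bucket Key flag changes anything. The dictionaries follow the shape of `ServerSideEncryptionConfiguration` returned by the S3 GetBucketEncryption API; the bucket names and key ARN are constructed placeholders, and the verdict labels are hypothetical names chosen for this sketch.

```python
# Added example: classify what the "Bucket Key" flag does for each bucket.
# Each value has the shape of ServerSideEncryptionConfiguration as returned
# by the S3 GetBucketEncryption API. Names and the key ARN are constructed.

SAMPLE_BUCKETS = {
    # The console defaults described in the last answer: SSE-S3 + Bucket Key.
    "console-defaults": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
        "BucketKeyEnabled": True}]},
    "kms-with-bucket-key": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE"},
        "BucketKeyEnabled": True}]},
    "kms-without-bucket-key": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
        "BucketKeyEnabled": False}]},
    "no-rules": {"Rules": []},
}


def classify_rule(rule):
    """Return a verdict label (hypothetical names) for one encryption rule."""
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    enabled = bool(rule.get("BucketKeyEnabled", False))
    if algorithm == "AES256":          # SSE-S3: KMS is not involved
        return "no-effect"
    if algorithm == "aws:kms":         # SSE-KMS: the flag changes KMS traffic
        return "reduces-kms-requests" if enabled else "kms-request-per-object"
    return "unclassified"              # anything else is not covered here


def audit(buckets):
    """Map each bucket name to the verdicts of its default-encryption rules."""
    report = {}
    for name, config in buckets.items():
        verdicts = [classify_rule(r) for r in config.get("Rules", [])]
        report[name] = verdicts or ["no-default-rule"]
    return report


if __name__ == "__main__":
    for name, verdicts in audit(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(verdicts)}")
```
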
