SSE-S3 v/s SSE-KMS:
SSE-S3 provides you the encryption feature on s3 objects at rest and all the objects inside SSE-S3 encrypted bucket would be accessible to anyone who has access to that bucket/underlying objects. SSE-S3 serves the purpose if someone asks you, is your data is encrypted at rest or not, then you can say, yes it's encrypted at rest by s3 backend infrastructure. Hypothetically, you can understand it this way, that if anyone got access to AWS data center and eventually the hard drive where your s3 data is rested, he/she will not be able to read it until he can decipher the key used for that data encryption. You as an end user, don't need to deal with any of the encryption process at all.
On the other hand, with SSE-KMS, access to an s3 object not only would require s3 object access but also the encryption key (SSE-KMS CMK via AWS KMS) access too. Encryption process would be handled by AWS KMS, where encrypted data key is used for encryption/decryption process and data key never leaves KMS.
If you want to have an extra permission layer on your s3 bucket objects, then you must go with SSE-KMS however keep in mind that this option incur additional KMS cost as every time when you'd access an s3 object, KMS API would also be called.
Edit: Keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduce the overall KMS cost substantially as KMS API calls request gets reduced marginally by up to 99% but that won't be the case for SSE-S# as in case of SSE-S3, AWS KMS doesn't come in to the picture for user. For more details, please refer AWS Documentation.
Hope this helps, comment here if you have additional questions.
SSE-S3 can be used where you are just looking for encryption for your data at rest. It is baked into the Amazon S3 service which manages the encryption and decryption of your objects. The encryption keys are handled and managed by AWS [internally].
On the other hand, SSE-KMS is recommended when you need both encryption and you want to manage the keys centrally and define the key usage through policies [additional layer of security]. Also, there is an associated cost with KMS, namely for customer managed keys and API calls.
I hope this clarifies.
To add to the previous response:
- When you configure your bucket to use an S3 Bucket Key for SSE-KMS, AWS generates a short-lived bucket-level key from AWS KMS then temporarily keeps it in S3
- Using S3 Bucket Keys allows you to save on AWS KMS request costs by decreasing your requests to AWS KMS for Encrypt, GenerateDataKey, and Decrypt operations through the use of a bucket-level key
There is a balance between security, and cost optimization. Using bucket-key, while cost efficient, is not the "most secure" way to leverage encryption within S3 (using generatedatakey api is more secure). But it does save on API calls to KMS.
I hope this helps, when added with the previous entry.
- Accepted Answerasked a year ago
- Accepted Answerasked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 6 months ago
- EXPERTpublished 9 months ago
- EXPERTpublished a year ago