3 Answers
1
Implementation-wise, assuming that each tenant must have their own independent KMS key, you may need to handle this at the application level.
You can achieve it with S3 object-level encryption via the PutObject request by providing different headers:
- x-amz-server-side-encryption: set this one to aws:kms
- x-amz-server-side-encryption-aws-kms-key-id: set this one to the key ID of the customer-specific key
I am not aware that there is a native way.
0
Take a look at this, Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3, for a discussion of the different approaches.
Thanks. I understand the alternatives mentioned in the article, but more wondering about implementation. As mentioned the bucket per tenant doesn’t fit us and we do want an encryption key per tenant due to customers’ compliance requirements.
Thanks
I would look at Access Points for each customer; the Access Point policy would restrict puts to the specific KMS key for each customer, explained below. The role that then accessed the data would need permission to access the folder objects and the KMS key. You could do that with a backend server or something like Cognito Identity Pools.
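An added example, not code from any of the answers above, that ties together the two pieces discussed in this thread: the PutObject headers the first answer lists, and a Deny-based policy (usable in a bucket or access point policy) that rejects any put into a tenant's prefix unless the request names SSE-KMS and that tenant's key. The bucket name, tenant names, prefix-per-tenant layout and KMS key ARNs are constructed placeholders; the condition keys s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id are the real IAM keys, and the key-id condition expects the full key ARN.

```python
# Constructed example data: tenant -> KMS key ARN (placeholder account and key ids).
TENANT_KEYS = {
    "tenant-a": "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001",
    "tenant-b": "arn:aws:kms:us-east-1:111122223333:key/bbbbbbbb-0000-0000-0000-000000000002",
}
SSE = "x-amz-server-side-encryption"
KEY = "x-amz-server-side-encryption-aws-kms-key-id"


def put_headers(tenant):
    """Request headers a PutObject must carry so S3 encrypts under the tenant's own key."""
    if tenant not in TENANT_KEYS:
        raise KeyError(f"no KMS key registered for tenant {tenant!r}")
    return {SSE: "aws:kms", KEY: TENANT_KEYS[tenant]}


def tenant_put_statements(bucket, tenant):
    """Deny PutObject under <tenant>/ unless the request names SSE-KMS and that tenant's key.
    The same condition keys work in a bucket policy or an access point policy."""
    base = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{tenant}/*"}
    return [
        dict(base, Sid=f"RequireKms-{tenant}",
             Condition={"StringNotEquals": {f"s3:{SSE}": "aws:kms"}}),
        dict(base, Sid=f"RequireTenantKey-{tenant}",
             Condition={"StringNotEquals": {f"s3:{KEY}": TENANT_KEYS[tenant]}}),
    ]


def build_policy(bucket):
    """One policy document carrying the Deny pair for every registered tenant."""
    stmts = [s for t in TENANT_KEYS for s in tenant_put_statements(bucket, t)]
    return {"Version": "2012-10-17", "Statement": stmts}


def put_blocked(policy, bucket, object_key, headers):
    """Local check of the Deny statements only: True if this PutObject would be rejected.
    StringNotEquals on a header the request does not send evaluates true, so an
    unencrypted or SSE-S3 put into a tenant prefix is blocked, as is a wrong key."""
    arn = f"arn:aws:s3:::{bucket}/{object_key}"
    for st in policy["Statement"]:
        prefix = st["Resource"][:-1]  # drop the trailing '*' to get the prefix
        if st["Effect"] != "Deny" or not arn.startswith(prefix):
            continue
        for cond_key, want in st["Condition"]["StringNotEquals"].items():
            if headers.get(cond_key[len("s3:"):]) != want:
                return True
    return False
```

The local check mirrors only these Deny statements; the real decision still depends on the Allow side (the role's IAM policy and the KMS key policy) that the last answer mentions.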