AWS KMS keys for encrypting data before uploading to Amazon S3 Glacier
I'm required to use an AWS KMS key for encrypting data in Amazon S3 Glacier. However, the AWS KMS encryption with customer-owned keys isn't directly supported in S3 Glacier. I want to use client-side encryption of the data (and encrypt the data before uploading it to Amazon S3 Glacier). Can I use the AWS KMS key for client-side encryption (for data outside of AWS)? Or, do I have to use an AWS SDK to encrypt the data with an AWS KMS key?
You can use the Amazon S3 client-side encryption to encrypt the data before sending it to S3. Amazon S3 client-side encryption supports AWS KMS as the root key provider. However, it's recommended to use the AWS Encryption SDK as it offers more features while supporting AWS KMS.
To enable client-side encryption, you have the following options:
- Use an AWS KMS key stored in AWS Key Management Service (AWS KMS).
- Use a key that you store within your application.
For more information, you can also take a look at these AWS Blogs posts:
Relevant questions
AWS KMS keys for encrypting data before uploading to Amazon S3 Glacier
Accepted Answerasked 2 years agoHow to determine if an object is encrypted with a "regular" S3-SSE KMS key, or an S3 Bucket Key with S3 Inventory?
Accepted Answerasked a year agoCan an AWS RDS SQL Server Audit File be encypted with a kms key prior to upload to S3?
asked 6 months agoS3 Default Encryption override with command line/api call
Accepted Answerasked 4 years agoGlacier Egress Charges (S3)
Accepted AnswerKMS key with an EMR Notebook
Accepted Answerasked 2 years agoCross Account Copy S3 Objects From Account B to AWS KMS-encrypted bucket in Account A
asked 4 months agoDelete key material is greyedout
asked 4 months agoCost of at rest encryption in S3
asked 2 months agoUpload to Glacier via CLI
Accepted Answerasked 2 years ago