AWS KMS keys for encrypting data before uploading to Amazon S3 Glacier
I'm required to use an AWS KMS key for encrypting data in Amazon S3 Glacier. However, the AWS KMS encryption with customer-owned keys isn't directly supported in S3 Glacier. I want to use client-side encryption of the data (and encrypt the data before uploading it to Amazon S3 Glacier). Can I use the AWS KMS key for client-side encryption (for data outside of AWS)? Or, do I have to use an AWS SDK to encrypt the data with an AWS KMS key?
You can use the Amazon S3 client-side encryption to encrypt the data before sending it to S3. Amazon S3 client-side encryption supports AWS KMS as the root key provider. However, it's recommended to use the AWS Encryption SDK as it offers more features while supporting AWS KMS.
To enable client-side encryption, you have the following options:
- Use an AWS KMS key stored in AWS Key Management Service (AWS KMS).
- Use a key that you store within your application.
For more information, you can also take a look at these AWS Blogs posts:
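The two key options in the answer above share one pattern, envelope encryption: a fresh data key encrypts the archive locally, and only the root key (held in AWS KMS or in the application) can unwrap that data key. The sketch below is an added example, not code from the original answer and not the message format of the Amazon S3 encryption client or the AWS Encryption SDK. `LocalRootKeyProvider`, `encryptArchive`, `decryptArchive` and the `context` value are hypothetical names, and the local provider stands in for the "key that you store within your application" option so the code runs offline.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM; output layout is nonce (12 bytes) || ciphertext || tag (16 bytes).
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Throws if the key, the ciphertext or the AAD differs from what was sealed.
function open(key, box, aad) {
  if (box.length < 28) throw new Error('truncated ciphertext');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAAD(aad).setAuthTag(box.subarray(box.length - 16));
  return Buffer.concat([d.update(box.subarray(12, box.length - 16)), d.final()]);
}

// Hypothetical provider for "a key that you store within your application".
// A KMS-backed provider would map these methods to GenerateDataKey and Decrypt.
class LocalRootKeyProvider {
  constructor(rootKey) { this.rootKey = rootKey; }
  generateDataKey(context) {
    const plaintext = nodeCrypto.randomBytes(32);
    return { plaintext, wrapped: seal(this.rootKey, plaintext, context) };
  }
  unwrap(wrapped, context) { return open(this.rootKey, wrapped, context); }
}

// One fresh data key per archive; only its wrapped form is stored with the body.
function encryptArchive(provider, data, context) {
  const { plaintext: dataKey, wrapped } = provider.generateDataKey(context);
  try {
    return { wrappedKey: wrapped, body: seal(dataKey, data, context) };
  } finally {
    dataKey.fill(0); // drop the plaintext data key as soon as the body is sealed
  }
}

function decryptArchive(provider, archive, context) {
  const dataKey = provider.unwrap(archive.wrappedKey, context);
  try { return open(dataKey, archive.body, context); } finally { dataKey.fill(0); }
}

// Constructed sample input: random demo root key, made-up context and payload.
const demoProvider = new LocalRootKeyProvider(nodeCrypto.randomBytes(32));
const demoContext = Buffer.from('vault=example-vault');
const demoArchive = encryptArchive(demoProvider, Buffer.from('backup bytes'), demoContext);
console.log(decryptArchive(demoProvider, demoArchive, demoContext).toString());
```

Both `wrappedKey` and `body` have to be stored with the archive; losing the wrapped key, or access to the root key that unwraps it, makes the archive unrecoverable.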