Handling S3 KMS CSE key rotation
We are creating S3 objects with KMS managed keys with CSE. I can upload and download the objects via the Java SDK by building the S3 client using the code below.

```java
AmazonS3EncryptionV2 s3Encryption = AmazonS3EncryptionClientV2Builder.standard()
        .withKmsClient(kmsClient)
        .withEncryptionMaterialsProvider(new KMSEncryptionMaterialsProvider(keyAlias))
        .withCryptoConfiguration(new CryptoConfigurationV2().withCryptoMode(CryptoMode.AuthenticatedEncryption))
        .build();
```

Key rotation is enabled for the keys used. Will I be able to decrypt the old objects in the S3 bucket if the key is rotated and the key material is updated? How does KMS know which material to use to decrypt the data key when I have some objects created before the KMS key rotation and some after the rotation? Is the version of the key stored as part of the object metadata? I looked at the metadata of the generated objects and I don't see any metadata that references the version of the key material. Am I missing something about the key management and how they should be used with S3?
From the question I understand that you would like to know if you will be able to decrypt data after the key that was used to encrypt it rotates.
When key rotation occurs, new key material is created and the previous key material is saved so you can decrypt any data that was encrypted with that key. I am attaching the following documentation that goes over this here (1). Key information is stored in the CiphertextBlob, which is how KMS knows the key to use for decryption. I am attaching the following documentation that goes over this here (2). Therefore you would not need to make any changes when the key rotation occurs, and all information will still be accessible due to the persistence of the saved key information.
I hope you have a great rest of your day!
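The point above, that the CiphertextBlob carries the key identity so no key version has to be tracked by the caller, can be checked directly against KMS. The following is an added example (not code from the question or the answer) using the AWS SDK for Java v1, the same SDK family as the `AmazonS3EncryptionClientV2Builder` in the question; the alias and the encryption context are constructed for the example.

```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DataKeySpec;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;

import java.nio.ByteBuffer;
import java.util.Collections;
import java.util.Map;

public class KmsRotationCheck {

    // Constructed alias for this example; use the alias the S3 encryption client is built with.
    private static final String KEY_ALIAS = "alias/example-s3-cse-key";

    public static void main(String[] args) {
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();

        // The V2 encryption client binds an encryption context (its material description)
        // to each wrapped data key; a constructed context stands in for that here.
        Map<String, String> context = Collections.singletonMap("purpose", "s3-cse-demo");

        // Step 1: what the encryption client does at PutObject time - request a fresh
        // per-object data key. The CiphertextBlob is the part stored next to the object.
        GenerateDataKeyResult generated = kms.generateDataKey(new GenerateDataKeyRequest()
                .withKeyId(KEY_ALIAS)
                .withKeySpec(DataKeySpec.AES_256)
                .withEncryptionContext(context));
        ByteBuffer wrappedDataKey = generated.getCiphertextBlob();
        System.out.println("Data key wrapped under: " + generated.getKeyId());

        // Step 2: what happens at GetObject time, possibly long after the KMS key rotated.
        // No KeyId is passed: for a symmetric key KMS recovers the key identity (and the
        // backing key material to use) from the ciphertext itself, so objects encrypted
        // before a rotation still decrypt afterwards.
        DecryptResult decrypted = kms.decrypt(new DecryptRequest()
                .withCiphertextBlob(wrappedDataKey)
                .withEncryptionContext(context));

        // DecryptResult.getKeyId() is the ARN of the KMS key that actually unwrapped the
        // data key, which is how a caller can tell which key a given data key belongs to.
        System.out.println("Decrypted with: " + decrypted.getKeyId());
        boolean roundTrip = decrypted.getPlaintext().equals(generated.getPlaintext());
        System.out.println("Plaintext data key round-trips: " + roundTrip);
    }
}
```

The Decrypt call needs `kms:Decrypt` on the key and the same encryption context that was used at wrap time; a mismatched context fails closed, which is the behaviour the encryption client relies on.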
Thanks for the response.
I assume that the KMS service will not only know the key id but also the version of material that it needs to use to decrypt from the CiphertextBlob. Please confirm. We use KMS CSE and I assume it works the same for CSE too.
Also, does the S3 encryption client store the key used to encrypt the object as metadata, or do I need to keep track of it myself? In some cases I see "kms_cmk_id":"alias/key-alias" in the object metadata and in some cases I don't see it. I think I see it only when the object is created with 'legacy encryption modes'. How do I know the key used to encrypt an object in S3?
Thanks, Sreeni Gunda