Handling S3 KMS CSE key rotation


We are creating S3 objects with KMS-managed keys using CSE. I can upload and download the objects via the Java SDK by building the S3 client with the code below.

```java
// Assumes kmsClient and keyAlias are already initialized
AmazonS3EncryptionV2 s3Encryption = AmazonS3EncryptionClientV2Builder.standard()
        .withKmsClient(kmsClient)
        .withEncryptionMaterialsProvider(new KMSEncryptionMaterialsProvider(keyAlias))
        .withCryptoConfiguration(new CryptoConfigurationV2().withCryptoMode(CryptoMode.AuthenticatedEncryption))
        .build();
```

Key rotation is enabled for the keys in use. Will I be able to decrypt the old objects in the S3 bucket if the key is rotated and the key material is updated? How does KMS know which material to use to decrypt the data key when some objects were created before the KMS key rotation and some after it? Is the version of the key stored as part of the object metadata? I looked at the metadata of the generated objects and I don't see any metadata that references the version of the key material. Am I missing something about key management and how the keys should be used with S3?

1 Answer


From the question I understand that you would like to know whether you will be able to decrypt data after the key that was used to encrypt it rotates.

When key rotation occurs, new key material is created and the previous key material is saved, so you can decrypt any data that was encrypted with that key. I am attaching the documentation that goes over this here (1). Key information would be stored in the CiphertextBlob, which would be how KMS knows the key to use for decryption; I am attaching the documentation that goes over this here (2). Therefore you would not need to make any changes when the key rotation occurs, and all information will still be accessible due to the persistence of the saved key information.

I hope you have a great rest of your day!

References

(1) https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
(2) https://docs.aws.amazon.com/kms/latest/developerguide/programming-encryption.html#decryption

answered a year ago
  • Hi,

    Thanks for the response.

    I assume that the KMS service will know not only the key ID but also the version of the material that it needs to use to decrypt, from the CiphertextBlob. Please confirm. We use KMS CSE and I assume it works the same for CSE too.

    Also, does the S3 encryption client store the key used to encrypt the object as metadata, or do I need to keep track of it myself? In some cases I see "kms_cmk_id":"alias/key-alias" in the object metadata and in some cases I don't see it. I think I see it only when the object is created with 'legacy encryption modes'. How do I know the key used to encrypt an object in S3?

    Thanks, Sreeni Gunda
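A worked model of the mechanism the answer describes and the follow-up comment asks about. This is an added example, not code from the thread or from the AWS SDK: a toy in-memory KMS written in Go (chosen so it runs offline, unlike a call to the real service from the Java client) with real AES-256-GCM for the wrapping and for the envelope encryption of the object. Everything on the KMS side is the model's own assumption: the key store, the alias table, and the JSON layout of the ciphertext blob (the real CiphertextBlob is an opaque format that only KMS parses, but it likewise carries the key identity KMS needs, which is why Decrypt of a symmetric-key ciphertext does not require a KeyId parameter). The S3 side borrows only two facts from the real S3 encryption client: the wrapped data key is stored in the user metadata entry x-amz-key-v2 and the IV in x-amz-iv, and neither names a backing-key version. Two caveats the answer does not state: automatic rotation applies only to key material that KMS generated (imported material and custom key stores are not rotated automatically), and the ciphertext is bound to the key ID, not to the alias, so re-pointing an alias at a new key (manual rotation) leaves old objects on the old key, and deleting that old key, every version of it, is what makes them unrecoverable. The practical way to learn which key protects an object is the KeyId that KMS's Decrypt returns when it unwraps x-amz-key-v2 (in the v1 Java SDK, DecryptResult.getKeyId()); the model's Decrypt returns it the same way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// KMS is a toy in-memory model (not the AWS API); keys maps a key ID to append-only backing versions.
type KMS struct {
	keys    map[string][][]byte
	aliases map[string]string // alias -> key ID
}

// blob is the model's CiphertextBlob: it records key ID and backing version,
// which is why Decrypt needs neither from the caller nor from object metadata.
type blob struct {
	KeyID   string `json:"kid"`
	Version int    `json:"ver"`
	Nonce   []byte `json:"nonce"`
	Wrapped []byte `json:"wrapped"`
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never carry on with a failed random read
	}
	return b
}

func gcm(key []byte) cipher.AEAD { // keys here are always 32 bytes, so no error path
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

func NewKMS() *KMS { return &KMS{keys: map[string][][]byte{}, aliases: map[string]string{}} }
func (k *KMS) CreateKey(id string)        { k.keys[id] = [][]byte{randBytes(32)} }
func (k *KMS) Rotate(id string)           { k.keys[id] = append(k.keys[id], randBytes(32)) } // same ID
func (k *KMS) ScheduleDeletion(id string) { delete(k.keys, id) }                             // all versions
func (k *KMS) SetAlias(alias, id string)  { k.aliases[alias] = id }

// GenerateDataKey returns a fresh 256-bit data key plus the blob wrapping it under the
// key's current backing version. An alias is resolved now; the blob stores the key ID.
func (k *KMS) GenerateDataKey(ref string) (plain, wrappedBlob []byte, err error) {
	if id, ok := k.aliases[ref]; ok {
		ref = id
	}
	versions, ok := k.keys[ref]
	if !ok {
		return nil, nil, fmt.Errorf("NotFoundException: %s", ref)
	}
	ver := len(versions) - 1
	plain, nonce := randBytes(32), randBytes(12)
	wrapped := gcm(versions[ver]).Seal(nil, nonce, plain, []byte(ref))
	wrappedBlob, err = json.Marshal(blob{KeyID: ref, Version: ver, Nonce: nonce, Wrapped: wrapped})
	return plain, wrappedBlob, err
}

// Decrypt selects key ID and backing version from the blob and reports the key ID, like KeyId in the real response.
func (k *KMS) Decrypt(wrappedBlob []byte) (plain []byte, keyID string, err error) {
	var b blob
	if err := json.Unmarshal(wrappedBlob, &b); err != nil {
		return nil, "", err
	}
	versions, ok := k.keys[b.KeyID]
	if !ok || b.Version < 0 || b.Version >= len(versions) || len(b.Nonce) != 12 {
		return nil, b.KeyID, fmt.Errorf("blob rejected: %s v%d unavailable", b.KeyID, b.Version)
	}
	plain, err = gcm(versions[b.Version]).Open(nil, b.Nonce, b.Wrapped, []byte(b.KeyID))
	return plain, b.KeyID, err
}

// PutEncrypted: client-side envelope encryption; the metadata names are the real client's.
func PutEncrypted(k *KMS, keyRef string, plaintext []byte) (body []byte, meta map[string]string, err error) {
	dataKey, wrappedBlob, err := k.GenerateDataKey(keyRef)
	if err != nil {
		return nil, nil, err
	}
	iv := randBytes(12)
	meta = map[string]string{"x-amz-key-v2": base64.StdEncoding.EncodeToString(wrappedBlob),
		"x-amz-iv": base64.StdEncoding.EncodeToString(iv)}
	return gcm(dataKey).Seal(nil, iv, plaintext, nil), meta, nil
}

// GetDecrypted unwraps the data key via KMS; the returned key ID is how you learn which key was used.
func GetDecrypted(k *KMS, body []byte, meta map[string]string) ([]byte, string, error) {
	wrappedBlob, _ := base64.StdEncoding.DecodeString(meta["x-amz-key-v2"]) // garbage fails in Decrypt
	iv, _ := base64.StdEncoding.DecodeString(meta["x-amz-iv"])
	dataKey, keyID, err := k.Decrypt(wrappedBlob)
	if err != nil || len(iv) != 12 { // length check: AES-GCM Open panics on a bad nonce size
		return nil, keyID, fmt.Errorf("cannot decrypt: %v, iv length %d", err, len(iv))
	}
	plain, err := gcm(dataKey).Open(nil, iv, body, nil)
	return plain, keyID, err
}
```

To reproduce the thread's situation: create a key, alias it, PutEncrypted one object, Rotate, PutEncrypted another, and GetDecrypted both. Both decrypt and both report the same key ID, while the blobs inside x-amz-key-v2 carry versions 0 and 1 and the metadata never mentions a version. Then SetAlias to a second key and ScheduleDeletion of the first: the pre-rotation object keeps decrypting under the first key until that deletion, and fails only then.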
