- 最新
- 最多得票
- 最多評論
SSE-S3 v/s SSE-KMS:
SSE-S3 provides you the encryption feature on s3 objects at rest and all the objects inside SSE-S3 encrypted bucket would be accessible to anyone who has access to that bucket/underlying objects. SSE-S3 serves the purpose if someone asks you, is your data is encrypted at rest or not, then you can say, yes it's encrypted at rest by s3 backend infrastructure. Hypothetically, you can understand it this way, that if anyone got access to AWS data center and eventually the hard drive where your s3 data is rested, he/she will not be able to read it until he can decipher the key used for that data encryption. You as an end user, don't need to deal with any of the encryption process at all.
On the other hand, with SSE-KMS, access to an s3 object not only would require s3 object access but also the encryption key (SSE-KMS CMK via AWS KMS) access too. Encryption process would be handled by AWS KMS, where encrypted data key is used for encryption/decryption process and data key never leaves KMS.
If you want to have an extra permission layer on your s3 bucket objects, then you must go with SSE-KMS however keep in mind that this option incur additional KMS cost as every time when you'd access an s3 object, KMS API would also be called.
Edit: Keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduce the overall KMS cost substantially as KMS API calls request gets reduced marginally by up to 99% but that won't be the case for SSE-S# as in case of SSE-S3, AWS KMS doesn't come in to the picture for user. For more details, please refer AWS Documentation.
Hope this helps, comment here if you have additional questions.
Abhishek
Hi
SSE-S3 can be used where you are just looking for encryption for your data at rest. It is baked into the Amazon S3 service which manages the encryption and decryption of your objects. The encryption keys are handled and managed by AWS [internally].
On the other hand, SSE-KMS is recommended when you need both encryption and you want to manage the keys centrally and define the key usage through policies [additional layer of security]. Also, there is an associated cost with KMS, namely for customer managed keys and API calls.
I hope this clarifies.
Thanks
Thank you for your clarification. My concern is not about the difference between SSE-S3 versus SSE-KMS but more about the need to enable "Bucket key" when you choose to use SSE-S3 ? My question in first place might not be clear, sorry for that
To add to the previous response:
- When you configure your bucket to use an S3 Bucket Key for SSE-KMS, AWS generates a short-lived bucket-level key from AWS KMS then temporarily keeps it in S3
- Using S3 Bucket Keys allows you to save on AWS KMS request costs by decreasing your requests to AWS KMS for Encrypt, GenerateDataKey, and Decrypt operations through the use of a bucket-level key
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html
There is a balance between security, and cost optimization. Using bucket-key, while cost efficient, is not the "most secure" way to leverage encryption within S3 (using generatedatakey api is more secure). But it does save on API calls to KMS.
I hope this helps, when added with the previous entry.
Thank you also for the clarification, I think my question was not clear, my question is more like "What is the purpose of enabling bucket key when you choose to use SSE-S3" ?
Iam also confused, the default settings during the creation of a new bucket is
- "SSE-S3" for Encryption
- "Enabled" for Bucket Key
If the Bucket Key does not come into play with SSE-S3, isnt it better to hide the whole "Bucket Key" setting if SSE-S3 is selected, just show it if SSE-KMS is selected? Its a little bit confusing, because I am not sure if I have to enable or disable it with SSE-S3.
相關內容
- AWS 官方已更新 3 年前
- AWS 官方已更新 6 個月前
Hi, thank you for your help, as I have stated above, my question was misunderstood. My question is actually this : "What is the purpose of enabling bucket key when you choose to use SSE-S3"
Hi Mehmet,
I got your question, so the answer is, with SSE-S3, keeping bucket key enabled or disabled won't make any difference as it's essentially a concept for SSE-KMS. Keeping bucket key enabled for SSE-KMS reduce the overall KSM cost substantially as KMS API calls request gets reduced marginally by up to 99%. I've added this clarification in my answer as well. For more details, please refer AWS Documentation.