SSE-KMS and FIPS validation - is the default s3 key also FIPS validated? Or is a CMK the only FIPS validated option?


I have only recently noticed that when you go into create an S3 bucket and select SSE-KMS it allows you to choose the default S3 KMS key or use your own KMS key. Unless I am mistaken, the default S3 key is the same key that SSE-S3 is using? Am I right about that? I am just concerned about ensuring my S3 buckets are configured with the FIPS validated encryption option. I know that SSE-S3 is not FIPS validated so my assumption was just that if the same key is being used then my only option for SSE-KMS would be to use my own KMS key.

已提問 4 個月前檢視次數 380 次
2 個答案

Sorry for the misunderstanding; I hope this can help.

SSE-S3 refers to the default encryption that Amazon S3 applies to all new object uploads using an automatically managed key. With SSE-S3, Amazon handles the encryption, key management, and key protection.

The AWS/s3 key refers to the default KMS key that is used for server-side encryption if a specific customer-managed key is not specified. Like SSE-S3, it uses a key managed by AWS KMS but gives you more control over access since it is associated with your AWS account.

Two "key" differences are:

  • SSE-S3 is fully managed by Amazon S3 while aws/s3 gives you control by associating the encryption with your AWS account.

  • Objects encrypted with the aws/s3 key can be accessed based on the IAM policies associated with your AWS account.

profile picture
已回答 4 個月前
profile picture
已審閱 4 個月前
  • Hmm, that makes sense to me but it does sound like the bottom line would be that as far as FIPS validation is concerned SSE-S3 and SSE-KMS using that aws/s3 key SHOULD run into the same issue since it is using that same key. But if you use SSE-KMS with a CMK then you would be able to comply with FIPS 140-2 validation for compliance purposes.

  • If FIPS compliance and being in control of your encryption key is important to you, then you should use SSE-KMS and CMK.



The default S3 Key will be an encryption key managed by AWS. You do not see this type of key or even manage it in the console.

profile picture
已回答 4 個月前
  • What I mean is if you select SSE-KMS you will see both the AWS managed key (aws/s3) and your customer-managed keys appear in that list when you are selecting a key.

您尚未登入。 登入 去張貼答案。