Posted On: Feb 19, 2021

AWS Config now supports the ability to use an AWS Key Management Service (KMS) key or alias Amazon Resource Name (ARN) that you provide, to encrypt the data delivered to your Amazon Simple Storage Service (S3) bucket. By default, AWS Config delivers configuration history and snapshot files to your S3 bucket and encrypts the data at rest using S3 AES-256 server-side encryption, SSE-S3. With this release, if you provide AWS Config with your KMS key or alias ARN, AWS Config will use that KMS key instead of using AES-256 encryption.

To get started, create a KMS key and grant it permission for the GenerateDataKey and Decrypt actions. You can then provide the key to AWS Config by calling the PutDeliveryChannel API with your KMS key ARN or alias ARN. The objects delivered to the S3 bucket will be encrypted using server-side encryption with KMS CMKs (SSE-KMS). If you do not provide AWS Config with a KMS key or alias ARN, AWS Config will default to encrypting the delivered data with AES-256 encryption (SSE-S3).
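The two steps above, worked as an added example that is not part of this announcement or of AWS's own tooling: it builds the KMS key-policy statement for the two actions named, validates that the value passed to PutDeliveryChannel is a key ARN or alias ARN (a bare key id or alias name would not be accepted), assembles the request, and flags existing delivery channels that still fall back to SSE-S3. The account id, bucket, key and alias values are constructed placeholders, and granting the `config.amazonaws.com` service principal in the key policy is an assumption about how the permission is expressed.

```python
import json
import re

# Constructed placeholder values; replace with your own account, bucket and key.
ACCOUNT_ID = "111122223333"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALIAS_ARN = "arn:aws:kms:us-east-1:111122223333:alias/config-delivery"
BUCKET = "example-config-bucket"

# Accepts a KMS key ARN or a KMS alias ARN in any partition (aws, aws-cn, aws-us-gov).
_KMS_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:"
    r"(?:key/[0-9a-f-]{36}|alias/[A-Za-z0-9/_-]+)$"
)


def is_kms_key_or_alias_arn(value: str) -> bool:
    """True only for a full key ARN or alias ARN, the two forms the API takes."""
    return bool(_KMS_ARN.match(value))


def config_kms_policy_statement() -> dict:
    """Key-policy statement allowing AWS Config the two actions the announcement
    names. Assumption: the AWS Config service principal is the caller."""
    return {
        "Sid": "AllowAWSConfigToUseKey",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": "*",  # key policies always refer to the key itself
    }


def delivery_channel_request(bucket: str, kms_arn: str, name: str = "default") -> dict:
    """Parameters for PutDeliveryChannel. Refuses a malformed ARN instead of
    producing a channel that silently falls back to SSE-S3."""
    if not is_kms_key_or_alias_arn(kms_arn):
        raise ValueError(f"not a KMS key or alias ARN: {kms_arn!r}")
    return {"DeliveryChannel": {"name": name, "s3BucketName": bucket,
                                "s3KmsKeyArn": kms_arn}}


def channels_without_kms(describe_response: dict) -> list:
    """Names of delivery channels (DescribeDeliveryChannels output) that carry
    no s3KmsKeyArn and are therefore still encrypted with SSE-S3 only."""
    return [ch["name"] for ch in describe_response.get("DeliveryChannels", [])
            if not ch.get("s3KmsKeyArn")]


if __name__ == "__main__":
    print(json.dumps(config_kms_policy_statement(), indent=2))
    print(json.dumps(delivery_channel_request(BUCKET, ALIAS_ARN), indent=2))
```

With boto3 the returned dict can be passed directly as `client.put_delivery_channel(**delivery_channel_request(...))`, and `channels_without_kms(client.describe_delivery_channels())` lists channels still on the default encryption.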

Support for KMS encryption on S3 buckets used by AWS Config is available at no additional cost in all commercial AWS Regions and AWS GovCloud (US).

For more information about AWS Config, see the AWS Config webpage.

For more information on how to create and configure AWS Key Management Service (AWS KMS), see the AWS Key Management Service Documentation.