Posted On: Aug 8, 2022

The new Amazon S3 condition key enables you to write policies that help you control the use of server-side encryption with customer-provided keys (SSE-C). Using Amazon S3 condition keys, you can specify conditions when granting permissions in the optional ‘Condition’ element of a bucket or an IAM policy. One such condition is to require server-side encryption (SSE) using your preferred encryption method.

When you use SSE-C, you supply and manage the encryption keys, while S3 implements the encryption and decryption of your object data. Most customers take advantage of S3’s built-in support for encryption keys with either S3-managed (SSE-S3) or AWS Key Management Service (KMS) keys (SSE-KMS). However, some customers choose SSE-C to get an additional layer of control for sensitive data stored in S3 or to satisfy compliance regulations. In these cases, you may want all uploads to your buckets to use SSE-C. In other cases, you may want to prevent object uploads using SSE-C so that you and your customers do not have to maintain encryption keys. With the new condition key, customers can choose to either require or restrict use of SSE-C.

The S3 condition key for SSE-C encrypted objects is available at no additional cost in all commercial AWS Regions, including the AWS GovCloud (US) Regions, the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD. To get started with the new condition key, visit the documentation on protecting data using server-side encryption with customer-provided encryption keys. To learn more about S3 condition keys, visit the S3 User Guide.