Posted On: Jun 13, 2023

Customers can now apply two independent layers of server-side encryption to objects in Amazon S3. Dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS) is designed to meet the National Security Agency's CNSSP 15 requirements for FIPS compliance and the Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance, which calls for two layers of CNSA encryption. Amazon S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control the data keys used for both layers. S3 features such as DSSE-KMS are vetted and accepted for use on top-secret workloads, which benefits all customers globally.

DSSE-KMS simplifies the process of applying two layers of encryption to your data without having to build and operate the infrastructure required for client-side encryption. Each layer of encryption uses a different implementation of the 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-256-GCM), so a defect in one implementation does not compromise both layers. DSSE-KMS uses AWS Key Management Service (KMS) to generate the data keys for both layers, so customers control access through the key policy and IAM permissions on their customer managed key and can specify its rotation schedule. Because the encryption remains server-side, S3 still handles the plaintext data keys while it writes and reads the object; DSSE-KMS raises the bar against a flaw in a single encryption layer, but it is not a substitute for client-side encryption where the threat model requires that plaintext never be exposed to the service. With DSSE-KMS, customers can query and analyze their dual-encrypted data with AWS services such as Amazon Athena, Amazon SageMaker, and more.
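
To make the two-layer structure concrete, here is an added Go example (not AWS code, and not how S3 or KMS are implemented) that models DSSE-KMS as two independent AES-256-GCM envelope layers: an in-memory stand-in for KMS issues two fresh data keys wrapped under one key ID, the object body is encrypted under the first key and the result under the second, and decryption has to unwrap both keys through the KMS stand-in. The key ID `alias/s3-dsse-demo`, the sample body, and the `dsse-layer-1`/`dsse-layer-2` context strings are constructed for the example, and both layers use Go's crypto/cipher, whereas S3 uses two different AES-GCM implementations. In a real request you ask S3 for DSSE-KMS with the header `x-amz-server-side-encryption: aws:kms:dsse` (or `--server-side-encryption aws:kms:dsse` with the AWS CLI) and S3 and KMS do the rest.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal: AES-256-GCM, returns nonce||ciphertext||tag; aad is the analogue of a KMS encryption context.
func seal(key, plaintext, aad []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reached with a nil key, i.e. an unknown key ID
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := mustRand(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or any change to blob/aad fails the tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// fakeKMS stands in for AWS KMS so the example runs offline: key ID -> 256-bit
// wrapping key. Assumption: real KMS never exposes wrapping keys; this map only
// simulates GenerateDataKey and Decrypt in memory.
type fakeKMS map[string][]byte

// generateDataKey mimics KMS GenerateDataKey: a fresh data key in plaintext
// (used once, then dropped) plus the same key wrapped under keyID.
func (k fakeKMS) generateDataKey(keyID string, ctx []byte) (plain, wrapped []byte) {
	plain = mustRand(32)
	return plain, seal(k[keyID], plain, ctx)
}

// decrypt mimics KMS Decrypt; a key ID this KMS does not hold yields an error.
func (k fakeKMS) decrypt(keyID string, wrapped, ctx []byte) ([]byte, error) {
	return open(k[keyID], wrapped, ctx)
}

// dualObject is the stored form: two wrapped data keys and a body encrypted
// first under K1 (inner layer) and then under K2 (outer layer).
type dualObject struct {
	KeyID                          string
	WrappedKey1, WrappedKey2, Body []byte
}
var layer1AAD, layer2AAD = []byte("dsse-layer-1"), []byte("dsse-layer-2")

// dualEncrypt applies two independent AES-256-GCM layers, each under its own
// freshly generated data key. Assumption: S3 runs the layers on two different
// AES-GCM implementations; this example uses Go's crypto/cipher for both.
func dualEncrypt(kms fakeKMS, keyID string, plaintext []byte) *dualObject {
	k1, w1 := kms.generateDataKey(keyID, layer1AAD)
	k2, w2 := kms.generateDataKey(keyID, layer2AAD)
	inner := seal(k1, plaintext, layer1AAD)
	return &dualObject{KeyID: keyID, WrappedKey1: w1, WrappedKey2: w2, Body: seal(k2, inner, layer2AAD)}
}

// dualDecrypt unwraps both data keys through KMS and peels the layers in
// reverse order; a caller denied kms:Decrypt on keyID gets nothing.
func dualDecrypt(kms fakeKMS, obj *dualObject) ([]byte, error) {
	k2, err := kms.decrypt(obj.KeyID, obj.WrappedKey2, layer2AAD)
	if err != nil {
		return nil, err
	}
	inner, err := open(k2, obj.Body, layer2AAD) // outer layer off: still ciphertext
	if err != nil {
		return nil, err
	}
	k1, err := kms.decrypt(obj.KeyID, obj.WrappedKey1, layer1AAD)
	if err != nil {
		return nil, err
	}
	return open(k1, inner, layer1AAD)
}

func main() {
	const keyID = "alias/s3-dsse-demo" // constructed key ID for the demo
	kms := fakeKMS{keyID: mustRand(32)}
	obj := dualEncrypt(kms, keyID, []byte("constructed sample object body"))
	got, err := dualDecrypt(kms, obj)
	fmt.Printf("decrypted: %q err=%v\n", got, err)
}
```

Three properties worth checking against this model: holding only the outer data key K2 yields the inner ciphertext, not the object; a principal that cannot call kms:Decrypt on the key (an empty `fakeKMS` here) cannot open either layer; and flipping any byte of the stored body fails the outer GCM tag before the inner layer is ever touched.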

DSSE-KMS is available at an additional cost in all AWS Regions. For pricing information, visit the Amazon S3 and AWS KMS pricing pages. To learn more about all available encryption options on Amazon S3, visit the S3 User Guide. For more information on DSSE-KMS, read the AWS News Blog.