AWS Public Sector Blog

Securing Amazon S3 Glacier with a customer-managed encryption key

Customer-managed encryption keys are a common architecture requirement within highly regulated workloads. This post demonstrates how to satisfy this requirement within Amazon Simple Storage Service (Amazon S3), including Amazon S3 Glacier.

We also clarify some common points of confusion and demonstrate how objects can be uploaded directly to Amazon S3 Glacier via Amazon S3, which can help meet regulatory requirements as well as potentially save budget.

Securing Amazon S3 Glacier with a customer managed encryption key Background

Amazon S3 is a highly scalable, reliable, fast, and inexpensive data storage service. Amazon S3 offers a range of storage classes designed for different use cases. Amazon Glacier is a secure, durable, and low-cost solution for long-term data archival storage and digital preservation (like tape backups). Amazon S3 Glacier is both a standalone service and an Amazon S3 storage class.

Amazon S3 Glacier can be used without using direct Application Programming Interface (API) or the AWS Management Console (although those options still exist). Instead, you can view and use Amazon S3 Glacier as if it is another storage class within Amazon S3.

There are two sets of AWS documentation regarding Amazon S3 Glacier depending on your chosen API. One set of documents refers to the standalone service; the other discusses use of Amazon S3 Glacier as an Amazon S3 storage class.

What to know

  1. Amazon S3 Glacier can be accessed directly or via Amazon S3.
  2. You can use the Amazon S3 Console or API as your default for all Amazon S3 Glacier interactions.
    • This can eliminate the concepts of “Vaults” and “Archives” and instead treat everything as an object in an Amazon S3 bucket.
    • Consider replacing “Vault Lock” with “S3 Object Lock.”
  3. Refer to Amazon S3 Documentation first. When you need detail beyond this, consult the Amazon S3 Glacier (stand-alone) Documentation.
  4. Be mindful of documentation and forum discussion referring to “Amazon Glacier.”

Demonstration overview

In this blog post, I demonstrate how to upload an object to Amazon S3 Glacier via Amazon S3 using a custom encryption key.


To complete this on your own, you need the following:


  • Within the AWS Management Console, navigate to the Amazon S3 Service.

Navigating Amazon S3

  • Amazon S3 is a global service; a specific region selection within the console is not applicable as shown here.

Amazon S3 example in AWS GovCloud (US)

  • Navigate within a desired destination S3 bucket.
  • Select Upload.

Uploading to Amazon S3 via AWS GovCloud (US)

  • Select an example object to upload.

Selecting an object to upload to Amazon S3 Glacier

  • Select Next until you arrive at the #3 “Set Properties” menu.
  • Select the Amazon S3 Storage Class of Amazon Glacier.

Selecting storage class in Amazon S3KMS CMKs

  • Select upload and your object is uploaded to Glacier using server-side encryption with your KMS Customer Managed Key as the Private Key. This action could also be completed via AWS command-line interface (CLI) or a desired software development kit (SDK) via API.
  • The encrypted upload is complete. In Figure 1 below, we see the object was encrypted using the specified encryption key (see “Server-side Encryption” set to “AWS-KMS”) and then archived into Amazon S3 Glacier (see “Storage Class” set to “Glacier”).Amazon S3 Glacier Amazon S3 Glacier

Additional Resources


You’re now equipped with additional clarity on the interoperability between Amazon Glacier and Amazon S3. I encourage you to look for ways in which you can employ this information in support of your organization’s mission to increase security and save costs.

Happy building!

Andrew Marsh

Andrew Marsh

Andrew Marsh is a solutions architect on the U.S. federal systems integrators and solutions team at Amazon Web Services (AWS). He’s passionately enabled the U.S. federal government and Department of Defense (DoD) verticals since completing active duty United States Marine Corps service in 2013. Outside of work, he enjoys intentional time with his wife and kids and the silent competition for the greenest lawn on the block.