Should I use an AWS KMS-managed key or a custom AWS KMS key to encrypt my objects on Amazon S3?
Last updated: 2020-10-21
I want to use server-side encryption with AWS Key Management Service (SSE-KMS) for my objects stored on Amazon Simple Storage Service (Amazon S3). Should I use a custom AWS KMS customer master key (CMK)? Or, should I use the AWS KMS-managed CMK called aws/s3? What's the difference between the two?
Resolution
AWS KMS manages the default aws/s3 CMK, but you have full control over a custom CMK.
Using the default aws/s3 CMK
Note: The name of the CMK is aws/s3 in the Amazon S3 console, but you don't specify that name or ID if you use the AWS Command Line Interface (AWS CLI).
Consider using the default aws/s3 CMK if:
- You're uploading or accessing S3 objects using AWS Identity and Access Management (IAM) principals that are in the same AWS account as the CMK.
- You don't want to manage policies for the CMK.
- You don't want to rotate the CMK.
To encrypt an object using the default aws/s3 CMK, define the encryption method as SSE-KMS during the upload, but don't specify a key:
aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Using a custom CMK
Consider using a custom CMK if:
- You want to create, rotate, disable, or define access controls for the CMK.
- You want to grant cross-account access to your S3 objects. You can configure the policy of a custom CMK to allow access from another account.
To encrypt an object using a custom CMK that you created, define the encryption method as SSE-KMS during the upload. Then, specify your custom CMK as the key (--sse-kms-key-id):
aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms --sse-kms-key-id testkey
To control access to your custom CMK, modify the key policy. For more information on how to create an AWS KMS key policy, see Example key policy.
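Both the default aws/s3 CMK and a custom CMK show up as ServerSideEncryption "aws:kms" when you inspect an object, so the only way to confirm that an upload used your custom key is to compare the SSEKMSKeyId that S3 returns (always the full key ARN, even if you uploaded with a key ID or alias) against the ARN you expect. The following is an added example, not code from the AWS article: it classifies head-object results (the same fields that aws s3api head-object or boto3 head_object return) and lists objects not protected by the intended custom CMK; the key ARNs, account ID and object names are constructed samples.

```python
"""Check which key actually encrypted an S3 object from its HeadObject fields."""

# Constructed sample: the custom CMK this bucket is supposed to use (not a real key).
EXPECTED_CMK_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                    "1234abcd-12ab-34cd-56ef-1234567890ab")


def classify_encryption(head, expected_cmk_arn):
    """Classify one HeadObject response.

    Returns "none", "sse-s3", "sse-c", "sse-kms-expected", "sse-kms-other"
    or "unknown". The default aws/s3 CMK and a custom CMK both report
    ServerSideEncryption == "aws:kms"; only SSEKMSKeyId tells them apart.
    """
    if "SSECustomerAlgorithm" in head:          # customer-provided key (SSE-C)
        return "sse-c"
    sse = head.get("ServerSideEncryption")
    if sse is None:
        return "none"
    if sse == "AES256":                          # S3-managed key (SSE-S3)
        return "sse-s3"
    if sse == "aws:kms":
        key_arn = head.get("SSEKMSKeyId", "")
        return "sse-kms-expected" if key_arn == expected_cmk_arn else "sse-kms-other"
    return "unknown"


def audit_objects(heads, expected_cmk_arn):
    """Return object keys that are NOT encrypted with the expected custom CMK."""
    return sorted(name for name, head in heads.items()
                  if classify_encryption(head, expected_cmk_arn) != "sse-kms-expected")


# Constructed HeadObject results, shaped like `aws s3api head-object` output.
SAMPLE_HEADS = {
    "reports/q3.csv": {"ServerSideEncryption": "aws:kms",
                       "SSEKMSKeyId": EXPECTED_CMK_ARN},
    "reports/q2.csv": {"ServerSideEncryption": "aws:kms",     # e.g. the default aws/s3 CMK
                       "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/"
                                      "0000aaaa-00aa-00aa-00aa-000000000000"},
    "logo.png": {"ServerSideEncryption": "AES256"},
    "notes.txt": {"ContentLength": 12},                        # no encryption fields at all
}

if __name__ == "__main__":
    for name, head in SAMPLE_HEADS.items():
        print(f"{name}: {classify_encryption(head, EXPECTED_CMK_ARN)}")
    print("not on expected CMK:", audit_objects(SAMPLE_HEADS, EXPECTED_CMK_ARN))
```

To run this against a real bucket, feed it the JSON from aws s3api head-object (or the dict from boto3 head_object) for each object in place of the constructed samples.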