I want to use server-side encryption with AWS Key Management Service (SSE-KMS) for my objects stored on Amazon Simple Storage Service (Amazon S3). Should I use a custom AWS KMS customer master key (CMK)? Or, should I use the AWS KMS-managed CMK called aws/s3? What's the difference between the two?

AWS KMS manages the default aws/s3 CMK, but you have full control over a custom CMK.

Using the default aws/s3 CMK

Note: The name of the CMK is aws/s3 in the Amazon S3 console, but you don't specify that name or ID if you use the AWS Command Line Interface (AWS CLI).

Consider using the default aws/s3 CMK if:

  • You're uploading or accessing S3 objects using AWS Identity and Access Management (IAM) principals that are in the same AWS account as the CMK.
  • You don't want to manage policies for the CMK.
  • You don't want to rotate the CMK.

To encrypt an object using the default aws/s3 CMK, define the encryption method as SSE-KMS during the upload, but don't specify a key:

aws s3 cp ./mytextfile.txt s3://mytestbucket/ --sse aws:kms

Using a custom CMK

Consider using a custom CMK if:

  • You want to create, rotate, disable, or define access controls for the CMK.
  • You want to grant cross-account access to your S3 objects. You can configure the policy of a custom CMK to allow access from another account.

To encrypt an object using a custom CMK that you created, define the encryption method as SSE-KMS during the upload. Then, specify your custom CMK as the key (--sse-kms-key-id):

aws s3 cp ./mytextfile.txt s3://mytestbucket/ --sse aws:kms --sse-kms-key-id testkey
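As an added example (not part of the AWS article), the following Python sketch covers the two things that make a custom CMK worth the extra management: a key policy that lets a second account use the key only through S3 in one Region, and a check on an s3api head-object result that confirms an object was actually encrypted with the custom CMK rather than the default aws/s3 key. The account numbers, key IDs and Region are constructed placeholders.

```python
import json

# Constructed placeholders: not real accounts, keys or objects.
KEY_OWNER_ACCOUNT = "111111111111"
EXTERNAL_ACCOUNT = "222222222222"
REGION = "us-east-1"
CUSTOM_KEY_ARN = (f"arn:aws:kms:{REGION}:{KEY_OWNER_ACCOUNT}:key/"
                  "12345678-1234-1234-1234-123456789012")
AWS_S3_KEY_ARN = (f"arn:aws:kms:{REGION}:{KEY_OWNER_ACCOUNT}:key/"
                  "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa")  # stands in for aws/s3
# The KMS operations S3 needs to encrypt and decrypt objects with a CMK.
S3_KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey"]

def build_cross_account_key_policy(owner_account, external_account, region):
    """Key policy for a custom CMK: the owning account keeps full control; the
    external account may use the key, but only when the call comes through S3
    in this Region (kms:ViaService), not from arbitrary KMS API calls."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowExternalAccountUseViaS3", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{external_account}:root"},
             "Action": S3_KMS_ACTIONS, "Resource": "*",
             "Condition": {"StringEquals": {
                 "kms:ViaService": f"s3.{region}.amazonaws.com"}}},
        ],
    }

def uses_custom_cmk(head_object, expected_key_arn):
    """True only if a head-object result shows SSE-KMS with the expected custom
    CMK; an upload without --sse-kms-key-id (aws/s3) or with SSE-S3 fails this."""
    return (head_object.get("ServerSideEncryption") == "aws:kms"
            and head_object.get("SSEKMSKeyId") == expected_key_arn)

# Constructed head-object results for the two uploads shown in the article.
DEFAULT_CMK_OBJECT = {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": AWS_S3_KEY_ARN}
CUSTOM_CMK_OBJECT = {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CUSTOM_KEY_ARN}

if __name__ == "__main__":
    print(json.dumps(build_cross_account_key_policy(
        KEY_OWNER_ACCOUNT, EXTERNAL_ACCOUNT, REGION), indent=2))
    print("default key object uses custom CMK:",
          uses_custom_cmk(DEFAULT_CMK_OBJECT, CUSTOM_KEY_ARN))
    print("custom key object uses custom CMK:",
          uses_custom_cmk(CUSTOM_CMK_OBJECT, CUSTOM_KEY_ARN))
```

The key policy alone is not enough for cross-account use: principals in the external account also need an IAM policy in their own account that allows the same kms actions on this key ARN.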


Published: 2019-02-06