Should I use an AWS KMS-managed key or a custom AWS KMS key to encrypt my objects on Amazon S3?
Last updated: 2020-10-21
I want to use server-side encryption with AWS Key Management Service (SSE-KMS) for my objects stored on Amazon Simple Storage Service (Amazon S3). Should I use a custom AWS KMS key (KMS key)? Or, should I use the AWS KMS-managed KMS key called aws/s3? What's the difference between the two?
AWS KMS manages the default aws/s3 KMS key, but you have full control over a custom KMS key.
Using the default aws/s3 KMS key
Note: The name of the KMS key is aws/s3 in the Amazon S3 console, but you don't specify that name or ID if you use the AWS Command Line Interface (AWS CLI).
Consider using the default aws/s3 KMS key if:
- You're uploading or accessing S3 objects using AWS Identity and Access Management (IAM) principals that are in the same AWS account as the KMS key.
- You don't want to manage policies for the KMS key.
- You don't want to rotate the KMS key.
To encrypt an object using the default aws/s3 KMS key, define the encryption method as SSE-KMS during the upload, but don't specify a key:
aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Using a custom KMS key
Consider using a custom KMS key if:
- You want to create, rotate, disable, or define access controls for the KMS key.
- You want to grant cross-account access to your S3 objects. You can configure the policy of a custom KMS key to allow access from another account.
To encrypt an object using a custom KMS key that you created, define the encryption method as SSE-KMS during the upload. Then, specify your custom KMS key as the key (--sse-kms-key-id):
aws s3 cp ./mytextfile.txt s3://DOC-EXAMPLE-BUCKET/ --sse aws:kms --sse-kms-key-id testkey
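The cross-account case above depends on the custom key's policy, which the default aws/s3 key does not let you edit. As an added example (not part of the AWS article), the Python below embeds a constructed key policy that lets a second account use the key only through S3, and audits any key policy for principals outside the owning account; the account IDs and region are placeholders.

```python
"""Audit a custom KMS key policy for cross-account access to SSE-KMS objects.
Added example, not from the AWS article; account IDs and region are constructed."""
import json

OWN_ACCOUNT = "111111111111"  # constructed: the account that owns the key
# Constructed key policy in the shape AWS KMS uses. The owning account keeps
# full control; a partner account gets only the operations S3 needs for
# SSE-KMS reads and writes, and only when the request arrives via S3.
KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Owning account administers the key",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Partner account may use the key through S3 only",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}
  ]
}
""")

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "arn:aws:iam::<account>:root" (or :user/..., :role/...) -> <account>;
    # a bare account ID or "*" is returned unchanged.
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def cross_account_grants(policy, own_account):
    """Return {account: {"actions": [...], "s3_only": bool}} for each Allow
    statement whose principal is outside own_account ("*" means any account)."""
    grants = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        via = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService", []))
        for account in {_account_of(a) for a in arns} - {own_account}:
            grants[account] = {"actions": _as_list(stmt["Action"]),
                               "s3_only": bool(via) and all(v.startswith("s3.") for v in via)}
    return grants
```

A grant whose key is "*" or whose `s3_only` is False is the finding to review: the key is usable by any principal, or outside the S3 data path, rather than only for objects in your buckets.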