Using dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS) - Amazon Simple Storage Service

Using dual-layer server-side encryption with Amazon Key Management Service (Amazon KMS) keys (DSSE-KMS) applies two layers of encryption to objects when they are uploaded to Amazon S3. DSSE-KMS helps you more easily fulfill compliance standards that require you to apply multilayer encryption to your data and have full control of your encryption keys.

When you use DSSE-KMS with an Amazon S3 bucket, the Amazon KMS keys must be in the same Region as the bucket. Also, when DSSE-KMS is requested for the object, the S3 checksum that's part of the object's metadata is stored in encrypted form. For more information about checksums, see Checking object integrity.

There are additional charges for using DSSE-KMS and Amazon KMS keys. For more information about DSSE-KMS pricing, see Amazon KMS key concepts in the Amazon Key Management Service Developer Guide and Amazon KMS pricing.

Note: S3 Bucket Keys aren't supported for DSSE-KMS.

Requiring dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS)

To require dual-layer server-side encryption of all objects in a particular Amazon S3 bucket, you can use a bucket policy. For example, the following bucket policy denies the upload object (s3:PutObject) permission to everyone unless the request includes an x-amz-server-side-encryption header with the value aws:kms:dsse, which requests server-side encryption with DSSE-KMS. A request that omits the header, or that sends a different value such as AES256 or aws:kms, is denied.

{
    "Version": "2012-10-17",
    "Id": "PutObjectPolicy",
    "Statement": [
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms:dsse"
                }
            }
        }
    ]
}
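The following added example (not part of the Amazon documentation) evaluates the bucket policy above against sample PutObject requests to show which header values it denies, and builds the boto3 put_object parameters for a DSSE-KMS upload. Only the StringEquals and StringNotEquals operators are modelled, and the KMS key ID is a placeholder the caller supplies.

```python
"""Constructed example: evaluate the page's DSSE-KMS bucket policy offline and
build boto3 put_object parameters for a dual-layer encrypted upload."""
import json

# The bucket policy from this page, embedded verbatim so the check runs offline.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "PutObjectPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws-cn:s3:::DOC-EXAMPLE-BUCKET1/*",
    "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms:dsse"}}
  }]
}""")

def condition_matches(condition, context):
    """Evaluate a Condition block against the request context (condition key -> value).
    An absent key (header not sent) never equals the expected value, so it satisfies
    the negated StringNotEquals operator and the Deny statement applies."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)  # None when the request carried no such header
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True

def put_object_denied(policy, sse_header=None):
    """True if a PutObject request whose x-amz-server-side-encryption header has the
    given value (None = header omitted) hits an explicit Deny in the policy."""
    context = {}
    if sse_header is not None:
        context["s3:x-amz-server-side-encryption"] = sse_header
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False

def dsse_put_object_args(bucket, key, body, kms_key_id):
    """Keyword arguments for boto3 s3.put_object(**kwargs) that request DSSE-KMS.
    kms_key_id is a placeholder; the KMS key must be in the bucket's Region."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": "aws:kms:dsse", "SSEKMSKeyId": kms_key_id}
```

Running put_object_denied(BUCKET_POLICY, hdr) for None, "AES256", "aws:kms" and "aws:kms:dsse" shows that only the last value passes the policy.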