Using dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS) - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS)

Using dual-layer server-side encryption with Amazon Key Management Service (Amazon KMS) keys (DSSE-KMS) applies two layers of encryption to objects when they are uploaded to Amazon S3. DSSE-KMS helps you more easily fulfill compliance standards that require you to apply multilayer encryption to your data and have full control of your encryption keys.

The "dual" in DSSE-KMS refers to two independent layers of AES-256 encryption that are applied to your data:

  • First layer: Your data is encrypted using a unique data encryption key (DEK) generated by Amazon KMS

  • Second layer: The already-encrypted data is encrypted again using a separate AES-256 encryption key managed by Amazon S3

This differs from standard SSE-KMS, which applies only a single layer of encryption. The dual-layer approach provides enhanced security by ensuring that even if one encryption layer were compromised, your data would remain protected by the second layer. This additional security comes with increased processing overhead and Amazon KMS API calls, which accounts for the higher cost compared to standard SSE-KMS. For more information about DSSE-KMS pricing, see Amazon KMS key concepts in the Amazon Key Management Service Developer Guide and Amazon KMS pricing.

When you use DSSE-KMS with an Amazon S3 bucket, the Amazon KMS keys must be in the same Region as the bucket. Also, when DSSE-KMS is requested for the object, the S3 checksum that's part of the object's metadata is stored in encrypted form. For more information about checksums, see Checking object integrity in Amazon S3.

Note

S3 Bucket Keys aren't supported for DSSE-KMS.

The key differences between DSSE-KMS and standard SSE-KMS are:

  • Encryption layers: DSSE-KMS applies two independent layers of AES-256 encryption, while standard SSE-KMS applies one layer

  • Security: DSSE-KMS provides enhanced protection against potential encryption vulnerabilities

  • Compliance: DSSE-KMS helps meet regulatory requirements that mandate multilayer encryption

  • Performance: DSSE-KMS has slightly higher latency due to additional encryption processing

  • Cost: DSSE-KMS incurs higher charges due to increased computational overhead and additional Amazon KMS operations

Requiring dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS)

To require dual-layer server-side encryption of all objects in a particular Amazon S3 bucket, you can use a bucket policy. For example, the following bucket policy denies the upload object (s3:PutObject) permission to everyone if the request does not include an x-amz-server-side-encryption header that requests server-side encryption with DSSE-KMS.

JSON
{
             "Version":"2012-10-17",		 	 	 
             "Id": "PutObjectPolicy",
             "Statement": [{
                   "Sid": "DenyUnEncryptedObjectUploads",
                   "Effect": "Deny",
                   "Principal": {
                       "AWS": "arn:aws:iam::111122223333:root"
                   },
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
                   "Condition": {
                      "StringNotEquals": {
                         "s3:x-amz-server-side-encryption": "aws:kms:dsse"
                      }
                   }
                }
             ]
          }
Topics