Replicating objects created with server-side encryption (SSE-C, SSE-S3, SSE-KMS)
Important
Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in Amazon CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the Amazon Command Line Interface and Amazon SDKs. For more information, see Default encryption FAQ.
There are some special considerations when you're replicating objects that have been encrypted by using server-side encryption. Amazon S3 supports the following types of server-side encryption:
- Server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS)
- Server-side encryption with Amazon S3 managed keys (SSE-S3)
- Server-side encryption with customer-provided keys (SSE-C)
For more information about server-side encryption, see Protecting data using server-side encryption.
This topic explains the permissions that you need to direct Amazon S3 to replicate objects that have been encrypted by using server-side encryption. This topic also provides additional configuration elements that you can add and example Amazon Identity and Access Management (IAM) policies that grant the necessary permissions for replicating encrypted objects.
For an example with step-by-step instructions, see Replicating encrypted objects. For information about creating a replication configuration, see Replicating objects.
Note
You can use multi-Region Amazon KMS keys in Amazon S3. However, Amazon S3 currently treats multi-Region keys as though they were single-Region keys, and does not use the multi-Region features of the key. For more information, see Using multi-Region keys in Amazon Key Management Service Developer Guide.
How default bucket encryption affects replication
When you enable default encryption for a replication destination bucket, the following encryption behavior applies:
- If objects in the source bucket are not encrypted, the replica objects in the destination bucket are encrypted by using the default encryption settings of the destination bucket. As a result, the entity tags (ETags) of the source objects differ from the ETags of the replica objects. If you have applications that use ETags, you must update those applications to account for this difference.
- If objects in the source bucket are encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3) or server-side encryption with Amazon Key Management Service (Amazon KMS) keys (SSE-KMS), the replica objects in the destination bucket use the same type of encryption as the source objects. The default encryption settings of the destination bucket are not used.
Replicating objects encrypted with SSE-C
By using server-side encryption with customer-provided keys (SSE-C), you can manage proprietary encryption keys. With SSE-C, you manage the keys while Amazon S3 manages the encryption and decryption process. You must provide an encryption key as part of your request, but you don't need to write any code to perform object encryption or decryption. When you upload an object, Amazon S3 encrypts the object by using the key that you provided. Amazon S3 then purges that key from memory. When you retrieve an object, you must provide the same encryption key as part of your request. For more information, see Using server-side encryption with customer-provided keys (SSE-C).
S3 Replication supports objects that are encrypted with SSE-C. You can configure SSE-C object replication in the Amazon S3 console or with the Amazon SDKs, the same way that you configure replication for unencrypted objects. There aren't additional SSE-C permissions beyond what are currently required for replication.
S3 Replication automatically replicates newly uploaded SSE-C encrypted objects if they are eligible, as per your S3 Replication configuration. To replicate existing objects in your buckets, use S3 Batch Replication. For more information about replicating objects, see Setting up replication and Replicating existing objects with S3 Batch Replication.
There are no additional charges for replicating SSE-C objects. For details about replication pricing, see the Amazon S3 pricing page.
Replicating objects encrypted with SSE-S3 or SSE-KMS
By default, Amazon S3 doesn't replicate objects that are stored at rest by using server-side encryption with customer managed keys that are stored in Amazon Key Management Service (Amazon KMS) (SSE-KMS). This section explains the additional configuration elements that you can add to direct Amazon S3 to replicate these objects.
For an example with step-by-step instructions, see Replicating encrypted objects. For information about creating a replication configuration, see Replicating objects.
Specifying additional information in the replication configuration for SSE-KMS
In the replication configuration, you do the following:
- In the Destination element in your replication configuration, add the ID of the symmetric Amazon KMS customer managed key that you want Amazon S3 to use to encrypt object replicas, as shown in the following example replication configuration.
- Explicitly opt in by enabling replication of objects encrypted by using KMS keys. To opt in, add the SourceSelectionCriteria element, as shown in the following example replication configuration.
<ReplicationConfiguration>
  <Rule>
    ...
    <SourceSelectionCriteria>
      <SseKmsEncryptedObjects>
        <Status>Enabled</Status>
      </SseKmsEncryptedObjects>
    </SourceSelectionCriteria>
    <Destination>
      ...
      <EncryptionConfiguration>
        <ReplicaKmsKeyID>Amazon KMS key ID that's in the same Amazon Web Services Region as the destination bucket.</ReplicaKmsKeyID>
      </EncryptionConfiguration>
    </Destination>
    ...
  </Rule>
</ReplicationConfiguration>
Important
The KMS key must have been created in the same Amazon Web Services Region as the destination buckets.
The KMS key must be valid. The PutBucketReplication API operation doesn't check the validity of KMS keys. If you use a KMS key that isn't valid, you will receive the HTTP 200 OK status code in response, but replication fails.
The following example shows a replication configuration that includes optional configuration elements.
<?xml version="1.0" encoding="UTF-8"?>
<ReplicationConfiguration>
  <Role>arn:aws-cn:iam::account-id:role/role-name</Role>
  <Rule>
    <ID>Rule-1</ID>
    <Priority>1</Priority>
    <Status>Enabled</Status>
    <DeleteMarkerReplication>
      <Status>Disabled</Status>
    </DeleteMarkerReplication>
    <Filter>
      <Prefix>Tax</Prefix>
    </Filter>
    <Destination>
      <Bucket>arn:aws-cn:s3:::</Bucket>
      <EncryptionConfiguration>
        <ReplicaKmsKeyID>Amazon KMS key ID that's in the same Amazon Web Services Region as the destination buckets. (S3 uses this key to encrypt object replicas.)</ReplicaKmsKeyID>
      </EncryptionConfiguration>
    </Destination>
    <SourceSelectionCriteria>
      <SseKmsEncryptedObjects>
        <Status>Enabled</Status>
      </SseKmsEncryptedObjects>
    </SourceSelectionCriteria>
  </Rule>
</ReplicationConfiguration>
This replication configuration has one rule. The rule applies to objects with the Tax key prefix. Amazon S3 uses the specified Amazon KMS key ID to encrypt these object replicas.
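As an added check (not part of this documentation) for the caveat above that PutBucketReplication returns HTTP 200 OK even when the KMS key is unusable, the following Python script parses a replication configuration offline and flags rules whose ReplicaKmsKeyID is missing, is not a full key ARN (so its Region cannot be verified), or names a Region other than the destination bucket's. The account ID, bucket name, key IDs and Regions in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Full KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
_KMS_KEY_ARN = re.compile(r"^arn:[^:]+:kms:([a-z0-9-]+):\d{12}:key/[0-9a-f-]+$")

def check_sse_kms_replication(config_xml, destination_region):
    """Return findings (strings); empty means every SSE-KMS rule names a key ARN in the destination Region."""
    root = ET.fromstring(config_xml)
    for el in root.iter():  # drop the S3 XML namespace so the paths below stay short
        el.tag = el.tag.split("}", 1)[-1]
    findings = []
    for rule in root.iter("Rule"):
        rid = rule.findtext("ID", default="<no ID>")
        status = rule.findtext("SourceSelectionCriteria/SseKmsEncryptedObjects/Status")
        key = (rule.findtext("Destination/EncryptionConfiguration/ReplicaKmsKeyID") or "").strip()
        if status == "Enabled" and not key:
            findings.append(f"{rid}: SseKmsEncryptedObjects enabled but no ReplicaKmsKeyID")
        if key and status != "Enabled":
            findings.append(f"{rid}: ReplicaKmsKeyID set but SseKmsEncryptedObjects not Enabled")
        if key:
            m = _KMS_KEY_ARN.match(key)
            if not m:
                findings.append(f"{rid}: ReplicaKmsKeyID is not a full key ARN, Region unverifiable")
            elif m.group(1) != destination_region:
                findings.append(f"{rid}: key Region {m.group(1)} != destination Region {destination_region}")
    return findings

# Constructed sample: the account ID, bucket name and key IDs are placeholders.
def _rule(rid, key):
    return (f"<Rule><ID>{rid}</ID><Status>Enabled</Status><SourceSelectionCriteria>"
            "<SseKmsEncryptedObjects><Status>Enabled</Status></SseKmsEncryptedObjects>"
            "</SourceSelectionCriteria><Destination><Bucket>arn:aws-cn:s3:::example-dest</Bucket>"
            f"<EncryptionConfiguration><ReplicaKmsKeyID>{key}</ReplicaKmsKeyID>"
            "</EncryptionConfiguration></Destination></Rule>")

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_CONFIG = (
    '<ReplicationConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Role>arn:aws-cn:iam::111122223333:role/replication-role</Role>"
    + _rule("Rule-1", f"arn:aws-cn:kms:cn-north-1:111122223333:key/{KEY_ID}")
    + _rule("Rule-2", f"arn:aws-cn:kms:cn-northwest-1:111122223333:key/{KEY_ID}")
    + _rule("Rule-3", KEY_ID)  # bare key ID: nothing in the config says which Region it is in
    + "</ReplicationConfiguration>")

if __name__ == "__main__":
    for finding in check_sse_kms_replication(SAMPLE_CONFIG, "cn-north-1"):
        print(finding)
```

Run it against the XML you are about to submit with PutBucketReplication; Rule-1 passes, Rule-2 and Rule-3 are reported.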
Granting additional permissions for the IAM role
To replicate objects that are encrypted at rest by using SSE-S3 or SSE-KMS, grant the following additional permissions to the Amazon Identity and Access Management (IAM) role that you specify in the replication configuration. You grant these permissions by updating the permissions policy that's associated with the IAM role.
- s3:GetObjectVersionForReplication action for source objects – This action allows Amazon S3 to replicate both unencrypted objects and objects created with server-side encryption by using SSE-S3 or SSE-KMS.
  Note
  We recommend that you use the s3:GetObjectVersionForReplication action instead of the s3:GetObjectVersion action because s3:GetObjectVersionForReplication provides Amazon S3 with only the minimum permissions necessary for replication. In addition, the s3:GetObjectVersion action allows replication of unencrypted and SSE-S3-encrypted objects, but not replication of objects encrypted by using SSE-KMS.
- kms:Decrypt and kms:Encrypt Amazon KMS actions for your KMS keys
  - You must grant the kms:Decrypt permission for the Amazon KMS key that's used to decrypt the source object.
  - You must grant the kms:Encrypt permission for the Amazon KMS key that's used to encrypt the object replica.
- kms:GenerateDataKey action for replicating plaintext objects – If you're replicating plaintext objects to a bucket with SSE-KMS encryption enabled by default, you must include the kms:GenerateDataKey permission for the destination encryption context and the KMS key in the IAM policy.
We recommend that you restrict these permissions only to the destination buckets and objects by using Amazon KMS condition keys. The Amazon Web Services account that owns the IAM role must have permissions for the kms:Encrypt and kms:Decrypt actions for the KMS keys that are listed in the policy. If the KMS keys are owned by another Amazon Web Services account, the owner of the KMS keys must grant these permissions to the Amazon Web Services account that owns the IAM role. For more information about managing access to these KMS keys, see Using IAM Policies with Amazon KMS in the Amazon Key Management Service Developer Guide.
S3 Bucket Keys and replication
To use replication with an S3 Bucket Key, the Amazon KMS key policy for the KMS key that's used to encrypt the object replica must include the kms:Decrypt permission for the calling principal. The call to kms:Decrypt verifies the integrity of the S3 Bucket Key before using it. For more information, see Using an S3 Bucket Key with replication.
When an S3 Bucket Key is enabled for the source or destination bucket, the encryption context will be the bucket's Amazon Resource Name (ARN), not the object's ARN (for example, arn:aws-cn:s3:::bucket_ARN). You must update your IAM policies to use the bucket ARN for the encryption context:
"kms:EncryptionContext:aws:s3:arn": [
  "arn:aws-cn:s3:::bucket_ARN"
]
For more information, see Encryption context (x-amz-server-side-encryption-context) (in the "Using the REST API" section) and Changes to note before enabling an S3 Bucket Key.
Example policies – Using SSE-S3 and SSE-KMS with replication
The following example IAM policies show statements for using SSE-S3 and SSE-KMS with replication.
Example – Using SSE-KMS with separate destination buckets
The following example policy shows statements for using SSE-KMS with separate destination buckets.
{
  "Action": ["kms:Decrypt"],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.source-bucket-region.amazonaws.com.cn",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws-cn:s3:::/key-prefix1*"
      ]
    }
  },
  "Resource": [
    "List of Amazon KMS key ARNs that are used to encrypt source objects."
  ]
},
{
  "Action": ["kms:Encrypt"],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.destination-bucket-1-region.amazonaws.com.cn",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws-cn:s3:::/key-prefix1*"
      ]
    }
  },
  "Resource": [
    "Amazon KMS key ARNs (in the same Amazon Web Services Region as destination bucket 1). Used to encrypt object replicas created in destination bucket 1."
  ]
},
{
  "Action": ["kms:Encrypt"],
  "Effect": "Allow",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "s3.destination-bucket-2-region.amazonaws.com.cn",
      "kms:EncryptionContext:aws:s3:arn": [
        "arn:aws-cn:s3:::/key-prefix1*"
      ]
    }
  },
  "Resource": [
    "Amazon KMS key ARNs (in the same Amazon Web Services Region as destination bucket 2). Used to encrypt object replicas created in destination bucket 2."
  ]
}
Example – Replicating objects created with SSE-S3 and SSE-KMS
The following is a complete IAM policy that grants the necessary permissions to replicate unencrypted objects, objects created with SSE-S3, and objects created with SSE-KMS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-cn:s3:::"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": [
        "arn:aws-cn:s3:::/key-prefix1*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Resource": "arn:aws-cn:s3:::/key-prefix1*"
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.source-bucket-region.amazonaws.com.cn",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws-cn:s3:::/key-prefix1*"
          ]
        }
      },
      "Resource": [
        "List of the Amazon KMS key ARNs that are used to encrypt source objects."
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.destination-bucket-region.amazonaws.com.cn",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws-cn:s3:::/prefix1*"
          ]
        }
      },
      "Resource": [
        "Amazon KMS key ARNs (in the same Amazon Web Services Region as the destination bucket) to use for encrypting object replicas"
      ]
    }
  ]
}
Example – Replicating objects with S3 Bucket Keys
The following is a complete IAM policy that grants the necessary permissions to replicate objects with S3 Bucket Keys.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-cn:s3:::"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionAcl"
      ],
      "Resource": [
        "arn:aws-cn:s3:::/key-prefix1*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Resource": "arn:aws-cn:s3:::/key-prefix1*"
    },
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.source-bucket-region.amazonaws.com.cn",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws-cn:s3:::"
          ]
        }
      },
      "Resource": [
        "List of the Amazon KMS key ARNs that are used to encrypt source objects."
      ]
    },
    {
      "Action": [
        "kms:Encrypt"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.destination-bucket-region.amazonaws.com.cn",
          "kms:EncryptionContext:aws:s3:arn": [
            "arn:aws-cn:s3:::"
          ]
        }
      },
      "Resource": [
        "Amazon KMS key ARNs (in the same Amazon Web Services Region as the destination bucket) to use for encrypting object replicas"
      ]
    }
  ]
}
Granting additional permissions for cross-account scenarios
In a cross-account scenario, where the source and destination buckets are owned by different Amazon Web Services accounts, you can use a KMS key to encrypt object replicas. However, the KMS key owner must grant the source bucket owner permission to use the KMS key.
Note
Objects encrypted through Amazon managed keys
To grant the source bucket owner permission to use the KMS key (Amazon KMS console)
- Sign in to the Amazon Web Services Management Console and open the Amazon KMS console at https://console.amazonaws.cn/kms.
- To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.
- To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
- Choose the KMS key.
- Under the General configuration section, choose the Key policy tab.
- Scroll down to Other Amazon Web Services accounts.
- Choose Add other Amazon Web Services accounts. The Other Amazon Web Services accounts dialog box appears.
- In the dialog box, choose Add another Amazon Web Services account. For arn:aws-cn:iam::, enter the source bucket account ID.
- Choose Save changes.
To grant the source bucket owner permission to use the KMS key (Amazon CLI)
- For information about the put-key-policy Amazon Command Line Interface (Amazon CLI) command, see put-key-policy in the Amazon CLI Command Reference. For information about the underlying PutKeyPolicy API operation, see PutKeyPolicy in the Amazon Key Management Service API Reference.
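An added example (not from this documentation) of the key-policy change the two procedures above make, prepared for put-key-policy: it appends a statement granting the source bucket's account the kms:Encrypt and kms:Decrypt actions this page requires, leaves the key owner's existing statements untouched, and is safe to re-run. The account IDs and the Sid are constructed placeholders.

```python
import json

def grant_source_account_key_use(key_policy, source_account_id, partition="aws-cn"):
    """Return the key policy (dict) with a statement that lets the source bucket's
    account use this key for replication. Accepts the policy as JSON text or a dict.
    Idempotent: a second call with the same account adds nothing."""
    policy = json.loads(key_policy) if isinstance(key_policy, str) else key_policy
    sid = f"AllowReplicationUseFromAccount{source_account_id}"
    statements = policy.setdefault("Statement", [])
    if any(s.get("Sid") == sid for s in statements):
        return policy
    statements.append({
        "Sid": sid,
        "Effect": "Allow",
        # The account root principal; that account then delegates to its replication role.
        "Principal": {"AWS": f"arn:{partition}:iam::{source_account_id}:root"},
        # The actions this page names: decrypt source objects, encrypt replicas. Add
        # kms:GenerateDataKey only if plaintext objects are replicated into a bucket
        # whose default encryption is SSE-KMS.
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": "*",
    })
    return policy

# Constructed sample: the key owner's existing policy; the account IDs are placeholders.
EXISTING_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws-cn:iam::444455556666:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    # Save the output as key-policy.json, then apply it with:
    #   aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key-policy.json
    print(json.dumps(grant_source_account_key_use(EXISTING_KEY_POLICY, "111122223333"), indent=2))
```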
Amazon KMS transaction quota considerations
When you add many new objects with Amazon KMS encryption after enabling Cross-Region Replication (CRR), you might experience throttling (HTTP 503 Service Unavailable errors). Throttling occurs when the number of Amazon KMS transactions per second exceeds the current quota. For more information, see Quotas.
To request a quota increase, use Service Quotas. For more information, see Amazon Web Services Quotas. If Service Quotas isn't supported in your Region, open an Amazon Web Services Support case.