

# Data protection and encryption in S3 Vectors

Amazon S3 Vectors provides 99.999999999% (11 9s) of durability for your vector data, which ensures exceptional reliability for your vector storage needs. This durability is backed by the proven infrastructure of Amazon S3, which is designed to maintain data integrity and availability even in the face of hardware failures or other disruptions.

Data protection in S3 Vectors encompasses multiple layers of security controls designed to protect your vector data both at rest and in transit.

By default, all new vectors in Amazon S3 Vectors vector buckets use server-side encryption with Amazon S3 managed keys (SSE-S3). When you create a vector bucket with SSE-S3 encryption, all subsequent operations on the bucket automatically use encryption.

S3 Vectors also integrates with Amazon Key Management Service (KMS) to provide flexible encryption key management options, allowing you to choose customer-managed keys for permission control and auditability. 

When creating a vector index within a vector bucket, you can optionally override the vector bucket level encryption settings and provide an encryption configuration (SSE-S3 or KMS) at the vector index level. If no specific encryption is specified upon vector index creation, the index will inherit the encryption configuration from the vector bucket it belongs to.

## Setting server-side encryption behavior for Amazon S3 vector buckets and indexes

Encryption configuration in S3 Vectors is a fundamental security setting to specify when you create a vector bucket. This design ensures that all vector data stored in the bucket is encrypted from the moment of creation. By default, the encryption configuration applies to all vectors, vector indexes, and metadata within the bucket, providing consistent protection across your entire vector dataset in a vector bucket. You can also optionally override the vector bucket level encryption settings and provide a dedicated encryption configuration (SSE-S3 or Amazon KMS) at the vector index level. 

**Important**  
Encryption settings for a vector bucket can't be changed after the vector bucket is created. You must carefully consider your encryption requirements during the bucket creation process, including compliance requirements, key management preferences, and integration with existing security infrastructure.

When you set the SSE-S3 or SSE-KMS encryption type at the vector bucket level, by default it applies to all vector indexes and vectors within the bucket. The encryption configuration applies to not only the vector data itself but also all associated metadata.

You can also optionally override the vector bucket level encryption settings and provide a dedicated encryption configuration (SSE-S3 or KMS) at the vector index level. Encryption settings for a vector index can't be changed after the vector index is created.

### Using SSE-S3 encryption


Server-side encryption with Amazon S3 managed keys (SSE-S3) provides a simple and effective encryption solution for vector buckets where Amazon manages all aspects of the encryption process. This encryption method uses `AES-256` encryption and is designed to provide strong security with minimal operational overhead, giving organizations robust encryption without the complexity of managing encryption keys themselves.

With SSE-S3, Amazon S3 handles the generation, rotation, and management of encryption keys automatically. SSE-S3 provides strong security with no additional configuration or ongoing management requirements. The encryption and decryption processes are handled automatically by the service, and there are no additional charges for using SSE-S3 encryption beyond the standard S3 Vectors pricing.

### Using SSE-KMS encryption


Server-side encryption with Amazon Key Management Service keys (SSE-KMS) provides enhanced control over encryption keys and enables detailed audit logging of key usage. This encryption method is ideal for organizations with strict compliance requirements, those that need to implement custom key rotation policies, or environments where detailed audit trails of data access are required.

SSE-KMS allows you to use customer managed keys (CMKs) for encrypting your vector data. Customer managed keys provide the highest level of control, allowing you to define key policies, enable or disable keys, and monitor key usage through Amazon CloudTrail. This level of control makes SSE-KMS particularly suitable for regulated industries or organizations with specific data governance requirements.

When using SSE-KMS with customer managed keys, you have complete control over who can use the keys to encrypt and decrypt data. You can create detailed key policies that specify which users, roles, or services can access the keys.

#### Important considerations for SSE-KMS

+ **KMS key format requirements:** S3 Vectors requires that you specify KMS keys using the full Amazon Resource Name (ARN) format. Key IDs or key aliases aren't supported.
+ **Service principal permissions:** When you use customer managed keys with S3 Vectors, you must explicitly grant permissions to the S3 Vectors service principal to use your KMS key. This requirement ensures that the service can encrypt and decrypt your data on your behalf. The service principal that requires access is `indexing.s3vectors.amazonaws.com`.

**Example: KMS key policy for S3 Vectors**

To use a customer managed KMS key with S3 Vectors, you must update your key policy to include permissions for the S3 Vectors service principal. Here's a comprehensive key policy example.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3VectorsServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "indexing.s3vectors.amazonaws.com"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3vectors:aws-region:123456789012:bucket/*"
                },
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                },
                "ForAnyValue:StringEquals": {
                    "kms:EncryptionContextKeys": ["aws:s3vectors:arn", "aws:s3vectors:resource-id"]
                }
            }
        },
        {
            "Sid": "AllowApplicationAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/VectorApplicationRole",
                    "arn:aws:iam::123456789012:user/DataScientist"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "s3vectors.aws-region.amazonaws.com"
                },
                "ForAnyValue:StringEquals": {
                    "kms:EncryptionContextKeys": ["aws:s3vectors:arn", "aws:s3vectors:resource-id"]
                }
            }
        }
    ]
}
```
+ **Required KMS permissions:**
  + S3 Vectors service principal permission:
    + `kms:Decrypt` – Required by the S3 Vectors service principal (`indexing.s3vectors.amazonaws.com`) on your customer managed key to maintain and optimize the index in background operations
  + IAM principal permissions:
    + `kms:Decrypt` – Required for all vector-level operations ([PutVectors](https://docs.amazonaws.cn/AmazonS3/latest/API/API_S3VectorBuckets_PutVectors.html), [GetVectors](https://docs.amazonaws.cn/AmazonS3/latest/API/API_S3VectorBuckets_GetVectors.html), [QueryVectors](https://docs.amazonaws.cn/AmazonS3/latest/API/API_S3VectorBuckets_QueryVectors.html), [DeleteVectors](https://docs.amazonaws.cn/AmazonS3/latest/API/API_S3VectorBuckets_DeleteVectors.html), [ListVectors](https://docs.amazonaws.cn/AmazonS3/latest/API/API_S3VectorBuckets_ListVectors.html))
    + `kms:GenerateDataKey` – Required to create a vector bucket by using the customer managed key
+ **Cross-account access considerations:** When implementing cross-account access patterns with SSE-KMS, you must ensure that the KMS key policy allows access from the appropriate principals in other accounts. The key ARN format becomes particularly important in cross-account scenarios, as it provides an unambiguous reference to the key regardless of the account context from which it's being accessed.
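The two SSE-KMS requirements above (full key ARN in the bucket's Region, and a key policy that lets `indexing.s3vectors.amazonaws.com` call `kms:Decrypt`) are easy to check before creating a bucket. The following pre-flight checker is an added example, not code from the AWS documentation. It embeds the page's sample key policy (placeholder account `123456789012`, placeholder Region text `aws-region`) as constructed input; the additional checks for `aws:SourceAccount`, `aws:SourceArn` and `kms:ViaService` simply enforce the scoping that the sample policy already uses, and the ARN regex is this example's own assumption about the key ARN shape.

```python
"""Pre-flight checks for an S3 Vectors SSE-KMS setup (added example, not AWS code)."""
import json
import re

S3_VECTORS_SERVICE_PRINCIPAL = "indexing.s3vectors.amazonaws.com"

# Assumed key ARN shape: arn:aws:kms:<region>:<12-digit account>:key/<36-char key id>
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)

# The page's sample key policy, embedded here as constructed input.
SAMPLE_KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowS3VectorsServicePrincipal", "Effect": "Allow",
     "Principal": {"Service": "indexing.s3vectors.amazonaws.com"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {
       "ArnLike": {"aws:SourceArn": "arn:aws:s3vectors:aws-region:123456789012:bucket/*"},
       "StringEquals": {"aws:SourceAccount": "123456789012"},
       "ForAnyValue:StringEquals": {"kms:EncryptionContextKeys": ["aws:s3vectors:arn", "aws:s3vectors:resource-id"]}}},
    {"Sid": "AllowApplicationAccess", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/VectorApplicationRole"]},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
     "Condition": {
       "StringEquals": {"kms:ViaService": "s3vectors.aws-region.amazonaws.com"},
       "ForAnyValue:StringEquals": {"kms:EncryptionContextKeys": ["aws:s3vectors:arn", "aws:s3vectors:resource-id"]}}}
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in Principal/Action fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_kms_key_arn(key_identifier: str, bucket_region: str) -> list[str]:
    """Findings for the key reference placed in an encryptionConfiguration."""
    findings = []
    if not key_identifier.startswith("arn:aws:kms:"):
        findings.append("KMS key must be a full ARN starting with 'arn:aws:kms:' (key IDs and aliases are not accepted)")
        return findings
    match = KMS_KEY_ARN_RE.match(key_identifier)
    if not match:
        findings.append("alias ARNs are not accepted; use the key ARN" if ":alias/" in key_identifier
                        else "malformed KMS key ARN")
        return findings
    if match.group("region") != bucket_region:
        findings.append(f"key is in {match.group('region')} but the vector bucket is in {bucket_region}")
    return findings


def check_key_policy(policy: dict, account_id: str) -> list[str]:
    """Findings for a KMS key policy that is meant to serve S3 Vectors in account_id."""
    findings = []
    statements = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    service_stmt = next(
        (s for s in statements
         if isinstance(s.get("Principal"), dict)
         and S3_VECTORS_SERVICE_PRINCIPAL in _as_list(s["Principal"].get("Service", []))),
        None,
    )
    if service_stmt is None:
        return [f"no Allow statement for service principal {S3_VECTORS_SERVICE_PRINCIPAL}"]

    actions = _as_list(service_stmt.get("Action", []))
    if "kms:Decrypt" not in actions and "kms:*" not in actions:
        findings.append("service principal statement must allow kms:Decrypt")
    cond = service_stmt.get("Condition", {})
    if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
        findings.append("service principal statement should pin aws:SourceAccount to the bucket owner's account")
    if "aws:SourceArn" not in cond.get("ArnLike", {}):
        findings.append("service principal statement should restrict aws:SourceArn to this account's vector buckets")

    # Application grants: kms:ViaService keeps the key usable only through S3 Vectors.
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            via = str(stmt.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService", ""))
            if not via.startswith("s3vectors."):
                findings.append(f"statement {stmt.get('Sid', '?')}: application grant lacks a kms:ViaService condition for s3vectors")
    return findings


if __name__ == "__main__":
    print(check_kms_key_arn("arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "us-east-1"))
    print(check_key_policy(SAMPLE_KEY_POLICY, "123456789012"))
```

Run the policy check against the output of `aws kms get-key-policy --policy-name default --key-id <key ARN> --output text` before the bucket is created; because encryption settings are immutable once the bucket or index exists, catching a wrong key reference or a missing service-principal grant at this point is much cheaper than recreating resources later.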

# Setting encryption in S3 Vectors

This topic explains how to set the encryption configuration for your S3 vector buckets and indexes.

Before you begin, make sure you have the following:
+ Appropriate permissions to view bucket and index properties.

## Using the S3 console


**To configure encryption for a vector bucket**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation pane, choose **Vector buckets**.

1. Choose **Create vector bucket**.

1. For **Bucket name**, enter a name for your bucket.

   The bucket name must:
   + Be unique within your account for this Amazon Region
   + Be between 3 and 63 characters long
   + Consist only of lowercase letters, numbers, and hyphens (-)

1. For **Encryption**, choose one of the following:
   + **Specify encryption type** – Choose a specific encryption method:
     + **Server-side encryption with Amazon S3 managed keys (SSE-S3)** – With SSE-S3, Amazon S3 handles the generation, rotation, and management of encryption keys automatically. 
     + **Server-side encryption with Amazon Key Management Service keys (SSE-KMS)** – Similar to SSE-S3, but uses customer managed keys (CMKs) in Amazon KMS, giving you more control over your keys. For more information about customer managed keys, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *Amazon Key Management Service Developer Guide*.

       If you select this option, under **Amazon KMS key**, choose one of the following options:
       + **Choose from your Amazon KMS keys** – Select an existing KMS key from the dropdown list
       + **Enter Amazon KMS key ARN** – Enter the Amazon Resource Name (ARN) of a KMS key
       + **Create a KMS key** – Create a new customer managed key in the Amazon KMS console. For more information, see [Creating symmetric customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *Amazon Key Management Service Developer Guide*.
**Note**  
The following requirements apply to the KMS key:  
Amazon KMS key ID must not be empty.  
Your KMS key must be in the same Region where this bucket is being created.  
Amazon KMS key ARN must start with "arn:aws:kms:"  
**Important**  
Encryption settings can't be changed after the vector bucket is created.

1. If you chose **Enter Amazon KMS key ARN**, enter the ARN in the text field provided.

1. If you chose **Create a KMS key**, the console opens the Amazon KMS console in a new tab. For instructions on creating a KMS key, see [Creating symmetric customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *Amazon Key Management Service Developer Guide*.

1. Choose **Create vector bucket**.
**Important**  
When using KMS encryption, ensure that the IAM principals that need to access objects in the bucket have the necessary KMS permission (kms:Decrypt) for the selected KMS key.

**To configure encryption for a vector index**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the navigation pane, choose **Vector buckets**.

1. In the list of vector buckets, choose the name of the bucket where you want to create a vector index.

1. Choose **Create vector index**.

1. For **Vector index name**, enter a name for your vector index.

   Vector index names must be unique within the vector bucket. Index names must be between 3 and 63 characters. Valid characters are lowercase letters (a-z), numbers (0-9), hyphens (-), and dots (.). For more information about the vector index naming requirements, see [Vector bucket naming rules](s3-vectors-buckets-naming.md).

1. For **Dimension**, enter the number of values in each vector.
**Note**  
The value for **Dimension** determines how many numerical values each vector will contain.  
All vectors added to this index must have exactly this number of values.  
Dimension must be between 1 and 4096.  
A larger dimension requires more storage space.  
Choose based on your embedding model's output dimensions.  
For more information about the dimension requirements, see [Limitations and restrictions](s3-vectors-limitations.md).

1. For **Distance metric**, choose one of the following options:
   + **Cosine** – Measures the cosine of the angle between vectors. Best for normalized vectors and when direction matters more than magnitude.
   + **Euclidean** – Measures the straight-line distance between vectors. Best when both direction and magnitude are important.

1. (Optional) Under **Non-filterable metadata**, configure metadata keys that will be stored but not used for filtering:

   To add non-filterable metadata keys:

   1. Choose **Add key**.

   1. Enter a key name (1-63 characters and unique within this vector index).

   1. Repeat to add additional keys (maximum 10 keys).
**Note**  
You can attach filterable metadata as key-value pairs to each vector when you insert vector data after you create a vector index. By default, all metadata keys that are attached to vectors are filterable and can be used as filters in a similarity query. Only metadata keys that are specified as non-filterable during vector index creation are excluded from filtering. For more information about metadata size limits per vector, including both total and filterable metadata constraints, see [Limitations and restrictions](s3-vectors-limitations.md).

1. For **Encryption**, choose **Specify encryption type** and then choose one of the following options:
   + **Use bucket settings for encryption** – Amazon S3 applies the vector bucket encryption settings to encrypt vector data in the vector index.
   + **Override bucket settings for encryption** – Specify a specific encryption type for the vector index:
     + **Server-side encryption with Amazon S3 managed keys (SSE-S3)** – With SSE-S3, Amazon S3 handles the generation, rotation, and management of encryption keys automatically.
     + **Server-side encryption with Amazon Key Management Service keys (SSE-KMS)** – Similar to SSE-S3, but uses customer managed keys (CMKs) in Amazon KMS, giving you more control over your keys. For more information about customer managed keys, see [Customer managed keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#customer-cmk) in the *Amazon Key Management Service Developer Guide*.

       If you select this option, under **Amazon KMS key**, choose one of the following options:
       + **Choose from your Amazon KMS keys** – Select an existing KMS key from the dropdown list
       + **Enter Amazon KMS key ARN** – Enter the Amazon Resource Name (ARN) of a KMS key
       + **Create a KMS key** – Create a new customer managed key in the Amazon KMS console. For more information, see [Creating symmetric customer managed keys](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *Amazon Key Management Service Developer Guide*.
**Note**  
The following requirements apply to the KMS key:  
Amazon KMS key ID must not be empty.  
Your KMS key must be in the same Region where this bucket is being created.  
Amazon KMS key ARN must start with "arn:aws:kms:"  
**Important**  
Encryption settings can't be changed after the vector index is created.

1. If you chose **Enter Amazon KMS key ARN**, enter the ARN in the text field provided.

1. If you chose **Create a KMS key**, the console opens the Amazon KMS console in a new tab. For instructions on creating a KMS key, see *Creating symmetric customer managed keys* in the *Amazon Key Management Service Developer Guide*.
**Important**  
When using KMS encryption, ensure that the IAM principals that need to access objects in the bucket have the necessary KMS permission (kms:Decrypt) for the selected KMS key.

1. Under **Tags (Optional)**, you can add tags as key-value pairs to help track and organize vector index costs using Amazon Billing and Cost Management. Enter a **Key** and a **Value**. To add another tag, choose **Add Tag**. You can enter up to 50 tags for a vector index. For more information, see [Using tags with S3 vector buckets](s3-vectors-tags.md).

1. Review your configuration carefully.
**Note**  
These settings can't be changed after creation.

1. Choose **Create vector index**.

## Using the Amazon CLI


The following example shows how to create a vector bucket with the SSE-S3 encryption configuration by using the Amazon CLI. To use this example, replace the *user input placeholders* with your own information. 

```
aws s3vectors create-vector-bucket \
        --vector-bucket-name "amzn-s3-demo-vector-bucket" \
        --encryption-configuration '{"sseType": "AES256"}'
```

The following example shows how to create a vector bucket that uses the SSE-KMS encryption configuration with a customer managed key. To use this example, replace the *user input placeholders* with your own information. 

```
aws s3vectors create-vector-bucket \
        --vector-bucket-name "amzn-s3-demo-vector-bucket" \
        --encryption-configuration '{"sseType": "aws:kms", "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}'
```

The following example shows how to create a vector index with the SSE-S3 encryption configuration by using the Amazon CLI. To use this example, replace the *user input placeholders* with your own information.

```
aws s3vectors create-index \
        --vector-bucket-name "amzn-s3-demo-vector-bucket" \
        --index-name "amzn-s3-demo-vector-index" \
        --encryption-configuration '{"sseType": "AES256"}'
```

The following example shows how to create a vector index that uses the SSE-KMS encryption configuration with a customer managed key. To use this example, replace the *user input placeholders* with your own information.

```
aws s3vectors create-index \
        --vector-bucket-name "amzn-s3-demo-vector-bucket" \
        --index-name "amzn-s3-demo-vector-index" \
        --encryption-configuration '{"sseType": "aws:kms", "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}'
```

The following example creates a vector index that inherits the encryption settings of the vector bucket, because no `--encryption-configuration` is given. To use this example, replace the *user input placeholders* with your own information.

```
aws s3vectors create-index \
        --vector-bucket-name "amzn-s3-demo-vector-bucket" \
        --index-name "amzn-s3-demo-vector-index" \
```

# Viewing encryption configuration in S3 Vectors

After creating your vector bucket, you can verify the encryption configuration using the console. Alternatively, you can use the GetVectorBucket and GetIndex API operations via the Amazon REST API, Amazon CLI, or Amazon SDKs.

## Using the Amazon CLI


Use the `get-vector-bucket` command to retrieve detailed bucket information, including encryption configuration. To use this example, replace the *user input placeholders* with your own information.

```
aws s3vectors get-vector-bucket \
  --vector-bucket-name amzn-s3-demo-vector-bucket
```

Use the `get-index` command to retrieve detailed vector index information, including encryption configuration. To use this example, replace the *user input placeholders* with your own information.

```
aws s3vectors get-index \
  --vector-bucket-name amzn-s3-demo-vector-bucket \
  --index-name amzn-s3-demo-vector-index
```
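Because an index either carries its own encryption configuration or inherits the bucket's, verifying a fleet of indexes means combining the two command outputs above. The following resolver is an added example, not code from the AWS documentation. It assumes the parsed JSON from `get-vector-bucket` and `get-index` is shaped `{"vectorBucket": {..., "encryptionConfiguration": {...}}}` and `{"index": {..., "encryptionConfiguration": {...}}}`, that an index without an `encryptionConfiguration` inherits the bucket's setting (the inheritance rule stated on this page), and that SSE-S3 (`AES256`) is the default when neither specifies anything; the three sample documents are constructed, and the key ARN is the page's placeholder.

```python
"""Resolve each vector index's effective encryption and flag drift (added example, not AWS code)."""

DEMO_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-00aa-00aa-00aa-000000000000"  # constructed

# Constructed stand-ins for `aws s3vectors get-vector-bucket` / `get-index` output (assumed shape).
SAMPLE_BUCKET = {"vectorBucket": {
    "vectorBucketName": "amzn-s3-demo-vector-bucket",
    "encryptionConfiguration": {"sseType": "aws:kms", "kmsKeyArn": DEMO_KEY_ARN}}}

SAMPLE_INDEXES = [
    {"index": {"indexName": "inherits-bucket"}},                        # no override: inherits bucket
    {"index": {"indexName": "sse-s3-override",
               "encryptionConfiguration": {"sseType": "AES256"}}},      # SSE-S3 set at index level
    {"index": {"indexName": "other-key",
               "encryptionConfiguration": {"sseType": "aws:kms", "kmsKeyArn": OTHER_KEY_ARN}}},
]

SSE_S3_DEFAULT = {"sseType": "AES256"}  # service default when nothing is specified


def effective_encryption(bucket_doc: dict, index_doc: dict) -> dict:
    """Index-level configuration wins; otherwise the index inherits the bucket's."""
    index_cfg = index_doc["index"].get("encryptionConfiguration")
    if index_cfg:
        return {"source": "index", **index_cfg}
    bucket_cfg = bucket_doc["vectorBucket"].get("encryptionConfiguration") or SSE_S3_DEFAULT
    return {"source": "bucket", **bucket_cfg}


def audit_indexes(bucket_doc: dict, index_docs: list, required_key_arn: str) -> list:
    """One row per index: effective setting, where it came from, and whether it uses the required CMK."""
    rows = []
    for doc in index_docs:
        eff = effective_encryption(bucket_doc, doc)
        rows.append({
            "index": doc["index"]["indexName"],
            "source": eff["source"],
            "sseType": eff["sseType"],
            "kmsKeyArn": eff.get("kmsKeyArn"),
            "compliant": eff["sseType"] == "aws:kms" and eff.get("kmsKeyArn") == required_key_arn,
        })
    return rows


def noncompliant_indexes(bucket_doc: dict, index_docs: list, required_key_arn: str) -> list:
    """Names of indexes whose effective encryption is not the required customer managed key."""
    return [r["index"] for r in audit_indexes(bucket_doc, index_docs, required_key_arn) if not r["compliant"]]


if __name__ == "__main__":
    for row in audit_indexes(SAMPLE_BUCKET, SAMPLE_INDEXES, DEMO_KEY_ARN):
        print(f"{row['index']:<18} {row['sseType']:<8} via {row['source']:<6} compliant={row['compliant']}")
```

To use it on real resources, feed `json.load` of the two commands' output into `audit_indexes`. Any index the audit flags cannot be fixed in place, since encryption settings are immutable after creation; remediation is to create a new index with the intended configuration and reload its vectors.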