Specifying server-side encryption with Amazon KMS (SSE-KMS) - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Specifying server-side encryption with Amazon KMS (SSE-KMS)

When you create an object, you can specify the use of server-side encryption with Amazon Key Management Service (Amazon KMS) keys to encrypt your data. This encryption is known as SSE-KMS. You can apply encryption when you are either uploading a new object or copying an existing object.

You can specify SSE-KMS using the Amazon S3 console, REST API operations, Amazon SDKs, and Amazon Command Line Interface (Amazon CLI). For more information, see the following topics.

Note

You can use multi-Region Amazon KMS keys in Amazon S3. However, Amazon S3 currently treats multi-Region keys as though they were single-Region keys, and does not use the multi-Region features of the key. For more information, see Using multi-Region keys in Amazon Key Management Service Developer Guide.

This topic describes how to set or change the type of encryption an object using the Amazon S3 console.

Note

If you change an object's encryption, a new object is created to replace the old one. If S3 Versioning is enabled, a new version of the object is created, and the existing object becomes an older version. The role that changes the property also becomes the owner of the new object or (object version).

To add or change encryption for an object

  1. Sign in to the Amazon Web Services Management Console and open the Amazon S3 console at https://console.amazonaws.cn/s3/.

  2. In the Buckets list, choose the name of the bucket that contains the object.

  3. In the Objects list, choose the name of the object that you want to add or change encryption for.

    The Object overview opens, displaying the properties for your object.

  4. Under Server-side encryption settings, choose Edit.

    The Edit server-side encryption page opens

  5. To enable server-side encryption for your object, under Server-side encryption, choose Enable.

  6. Under Encryption key type, choose Amazon Key Management Service key (SSE-KMS).

    Important

    If you use the Amazon KMS option for your default encryption configuration, you are subject to the RPS (requests per second) limits of Amazon KMS. For more information about Amazon KMS limits and how to request a limit increase, see Amazon KMS limits.

  7. Under Amazon KMS key, choose one of the following:

    • Amazon managed key (aws/s3)

    • Choose from your Amazon KMS keys, and choose your KMS key.

    • Enter KMS master key ARN, and enter your Amazon KMS key Amazon Resource Name (ARN).

    Important

    You can use only Amazon KMS keys that are enabled in the same Amazon Web Services Region as the bucket. When you choose Choose from your Amazon KMS keys, the S3 console lists only 100 KMS keys per Region. If you have more than 100 KMS keys in the same Region, you can see only the first 100 KMS keys in the S3 console. To use a KMS key that is not listed in the console, choose Custom KMS ARN, and enter the KMS key ARN.

    When you use an Amazon KMS key for server-side encryption in Amazon S3, you must choose a KMS key that is enabled in the same Region as your bucket. Additionally, Amazon S3 supports only symmetric encryption KMS keys, and not asymmetric KMS keys. For more information, see Using Symmetric and Asymmetric Keys in the Amazon Key Management Service Developer Guide.

    For more information about creating an Amazon KMS key, see Creating Keys in the Amazon Key Management Service Developer Guide. For more information about using Amazon KMS with Amazon S3, see Using server-side encryption with Amazon Key Management Service (SSE-KMS).

  8. Choose Save changes.

Note

This action applies encryption to all specified objects. When encrypting folders, wait for the save operation to finish before adding new objects to the folder.

When you create an object—that is, when you upload a new object or copy an existing object—you can specify the use of server-side encryption with Amazon KMS keys to encrypt your data. To do this, add the x-amz-server-side-encryption header to the request. Set the value of the header to the encryption algorithm aws:kms. Amazon S3 confirms that your object is stored using SSE-KMS by returning the response header x-amz-server-side-encryption.

If you specify the x-amz-server-side-encryption header with a value of aws:kms, you can also use the following request headers:

  • x-amz-server-side-encryption-aws-kms-key-id

  • x-amz-server-side-encryption-context

  • x-amz-server-side-encryption-bucket-key-enabled

Amazon S3 REST API operations that support SSE-KMS

The following REST API operations accept the x-amz-server-side-encryption, x-amz-server-side-encryption-aws-kms-key-id, and x-amz-server-side-encryption-context request headers.

  • PUT object— When you upload data using the PUT API operation, you can specify these request headers.

  • COPY object— When you copy an object, you have both a source object and a target object. When you pass SSE-KMS headers with the COPY operation, they are applied only to the target object. When copying an existing object, regardless of whether the source object is encrypted or not, the destination object is not encrypted unless you explicitly request server-side encryption.

  • POST Object— When you use a POST operation to upload an object, instead of the request headers, you provide the same information in the form fields.

  • Create Multipart Upload— When you upload large objects using the multipart upload API, you can specify these headers. You specify these headers in the initiate request.

The response headers of the following REST API operations return the x-amz-server-side-encryption header when an object is stored using server-side encryption.

Important
  • All GET and PUT requests for an object protected by Amazon KMS fail if you don't make them using Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Signature Version 4.

  • If your object uses SSE-KMS, don't send encryption request headers for GET requests and HEAD requests, or you’ll get an HTTP 400 BadRequest error.

Encryption context (x-amz-server-side-encryption-context)

If you specify x-amz-server-side-encryption:aws:kms, the Amazon S3 API supports an encryption context with the x-amz-server-side-encryption-context header. An encryption context is a set of key-value pairs that contain additional contextual information about the data.

Amazon S3 automatically uses the object or bucket Amazon Resource Name (ARN) as the encryption context pair. If you use SSE-KMS without enabling an S3 Bucket Key, you use the object ARN as your encryption context, for example, arn:aws:s3:::object_ARN. However, if you use SSE-KMS and enable an S3 Bucket Key, you use the bucket ARN for your encryption context, for example, arn:aws:s3:::bucket_ARN.

You can optionally provide an additional encryption context pair using the x-amz-server-side-encryption-context header. However, because the encryption context is not encrypted, make sure it does not include sensitive information. Amazon S3 stores this additional key pair alongside the default encryption context.

For information about the encryption context in Amazon S3, see Encryption context. For general information about the encryption context, see Amazon Key Management Service Concepts - Encryption context in the Amazon Key Management Service Developer Guide.

Amazon KMS key ID (x-amz-server-side-encryption-aws-kms-key-id)

You can use the x-amz-server-side-encryption-aws-kms-key-id header to specify the ID of the customer managed key used to protect the data. If you specify x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon managed key to protect the data. If you want to use a customer managed key, you must provide the x-amz-server-side-encryption-aws-kms-key-id header of the customer managed key.

Important

When you use an Amazon KMS key for server-side encryption in Amazon S3, you must choose a symmetric encryption KMS key. Amazon S3 supports only symmetric encryption KMS keys and not asymmetric keys. For more information, see Using Symmetric and Asymmetric Keys in the Amazon Key Management Service Developer Guide.

S3 Bucket Keys (x-amz-server-side-encryption-aws-bucket-key-enabled)

You can use the x-amz-server-side-encryption-aws-bucket-key-enabled request header to enable or disable an S3 Bucket Key at the object-level. S3 Bucket Keys can reduce your Amazon KMS request costs by decreasing the request traffic from Amazon S3 to Amazon KMS. For more information, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys.

If you specify x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-bucket-key-enabled, your object uses the S3 Bucket Key settings for the destination bucket to encrypt your object. For more information, see Configuring an S3 Bucket Key at the object level using Batch Operations, REST API, Amazon SDKs, or Amazon CLI.

When using Amazon SDKs, you can request Amazon S3 to use Amazon KMS keys. This section provides examples of using the Amazon SDKs for Java and .NET. For information about other SDKs, go to Sample Code and Libraries.

Important

When you use an Amazon KMS key for server-side encryption in Amazon S3, you must choose a symmetric encryption KMS key. Amazon S3 supports only symmetric encryption KMS keys and not asymmetric keys. For more information, see Using Symmetric and Asymmetric Keys in the Amazon Key Management Service Developer Guide.

Copy operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an Amazon KMS key. For more information about copying objects, see Copying objects.

Put operation

Java

When uploading an object using the Amazon SDK for Java, you can request Amazon S3 to use an Amazon KMS key by adding the SSEAwsKeyManagementParams property as shown in the following request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams());

In this case, Amazon S3 uses the Amazon managed key (see Using server-side encryption with Amazon Key Management Service (SSE-KMS). You can optionally create a symmetric encryption KMS key and specify that in the request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName, keyName, file).withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(keyID));

For more information about creating customer managed keys, see Programming the Amazon KMS API in the Amazon Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update those code examples and provide encryption information as shown in the preceding code fragment.

.NET

When uploading an object using the Amazon SDK for .NET, you can request Amazon S3 to use an Amazon KMS key by adding the ServerSideEncryptionMethod property as shown in the following request.

PutObjectRequest putRequest = new PutObjectRequest { BucketName = bucketName, Key = keyName, // other properties. ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS };

In this case, Amazon S3 uses the Amazon managed key. For more information, see Using server-side encryption with Amazon Key Management Service (SSE-KMS). You can optionally create your own symmetric encryption customer managed key and specify that in the request.

PutObjectRequest putRequest1 = new PutObjectRequest { BucketName = bucketName, Key = keyName, // other properties. ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS, ServerSideEncryptionKeyManagementServiceKeyId = keyId };

For more information about creating customer managed keys, see Programming the Amazon KMS API in the Amazon Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update these code examples and provide encryption information as shown in the preceding code fragment.

Presigned URLs

Java

When creating a presigned URL for an object encrypted with an Amazon KMS key, you must explicitly specify Signature Version 4.

ClientConfiguration clientConfiguration = new ClientConfiguration(); clientConfiguration.setSignerOverride("AWSS3V4SignerType"); AmazonS3Client s3client = new AmazonS3Client( new ProfileCredentialsProvider(), clientConfiguration); ...

For a code example, see Sharing objects using presigned URLs.

.NET

When creating a presigned URL for an object encrypted with an Amazon KMS key, you must explicitly specify Signature Version 4.

AWSConfigs.S3Config.UseSignatureVersion4 = true;

For a code example, see Sharing objects using presigned URLs.