How Amazon Simple Storage Service (Amazon S3) uses Amazon KMS - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Amazon Simple Storage Service (Amazon S3) is an object storage service that stores data as objects within buckets. Buckets and the objects in them are private and can be accessed only if you explicitly grant access permissions.

Amazon S3 integrates with Amazon Key Management Service (Amazon KMS) to provide server-side encryption of Amazon S3 objects. Amazon S3 uses Amazon KMS keys to encrypt your Amazon S3 objects. The encryption keys that protect your objects never leave Amazon KMS unencrypted. This integration also enables you to set permissions on the Amazon KMS key and to audit the operations that generate, encrypt, and decrypt the data keys that protect your objects.

To reduce the volume of Amazon S3 calls to Amazon KMS, use Amazon S3 bucket keys, which are key encryption keys protected by a KMS key and reused for a limited time within Amazon S3. Bucket keys can reduce the cost of Amazon KMS requests by up to 99 percent. You can configure a bucket key for all objects in an Amazon S3 bucket, or for a particular object in an Amazon S3 bucket.
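
As an added illustration (not code from this guide or from Amazon S3), the following check inspects a bucket's default-encryption rule and reports whether it provides SSE-KMS with a bucket key and a customer managed key. The input dict is assumed to have the shape boto3 returns from `get_bucket_encryption()`; the sample responses and the key ARN are constructed placeholders, so the script runs offline.

```python
"""Audit an S3 default-encryption rule for SSE-KMS plus an S3 Bucket Key."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EncryptionFinding:
    sse_kms: bool                 # default algorithm is aws:kms
    bucket_key_enabled: bool      # S3 reuses a KMS-protected key encryption key
    kms_key_id: Optional[str]     # None means the service-managed key (aws/s3)
    issues: list = field(default_factory=list)


def audit_bucket_encryption(response: dict) -> EncryptionFinding:
    """Evaluate a get_bucket_encryption()-shaped response (assumed schema)."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return EncryptionFinding(False, False, None, ["no default encryption rule"])
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    sse_kms = default.get("SSEAlgorithm") == "aws:kms"
    key_id = default.get("KMSMasterKeyID")
    bucket_key = bool(rule.get("BucketKeyEnabled", False))
    issues = []
    if not sse_kms:
        issues.append("default encryption is not SSE-KMS")
    else:
        if key_id is None:  # aws/s3 key: its key policy cannot be customized
            issues.append("SSE-KMS uses the service-managed key, not a customer managed key")
        if not bucket_key:
            issues.append("Bucket Key disabled: every object request calls KMS")
    return EncryptionFinding(sse_kms, bucket_key, key_id, issues)


def sse_kms_with_bucket_key(kms_key_arn: str) -> dict:
    """Hardened rule: value for ServerSideEncryptionConfiguration= in put_bucket_encryption."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": True,
    }]}


# Constructed sample responses; the ARN is a placeholder, not a real key.
KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/PLACEHOLDER-KEY-ID"
GOOD = {"ServerSideEncryptionConfiguration": sse_kms_with_bucket_key(KEY_ARN)}
NO_BUCKET_KEY = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}}]}}
SSE_S3_ONLY = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for name, resp in [("GOOD", GOOD), ("NO_BUCKET_KEY", NO_BUCKET_KEY), ("SSE_S3_ONLY", SSE_S3_ONLY)]:
        print(name, audit_bucket_encryption(resp))
```

Against a live account, pass the dict returned by `s3.get_bucket_encryption(Bucket=...)` to `audit_bucket_encryption`, and pass `sse_kms_with_bucket_key(...)` to `put_bucket_encryption` to apply the hardened rule.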

For more information about how Amazon S3 uses Amazon KMS, see Protecting data using server-side encryption with KMS keys (SSE-KMS) in the Amazon S3 User Guide.