Encrypt objects stored by File Gateway in Amazon S3 - Amazon Storage Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypt objects stored by File Gateway in Amazon S3

S3 File Gateway supports the following methods of server-side encryption for the data that it stores in Amazon S3:

  • SSE-S3 — By default, all new objects uploaded to Amazon S3 buckets use server-side encryption with Amazon S3 managed keys. For more information, see Using server-side encryption with Amazon S3 managed keys in the Amazon Simple Storage Service User Guide.

  • SSE-KMS — You can configure your file share to use server-side encryption with Amazon Key Management Service (Amazon KMS) managed keys. Amazon KMS is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud. For more information, see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

  • DSSE-KMS — Dual-layer server-side encryption with Amazon KMS keys applies two layers of encryption to objects when they are uploaded to Amazon S3. This helps fulfill compliance standards for multilayer encryption. For more information, see Using dual-layer server-side encryption with Amazon KMS keys in the Amazon Simple Storage Service User Guide.

    Note

    There are additional charges for using DSSE-KMS and Amazon KMS keys. For more information, see Amazon KMS pricing.

You can specify an encryption method when you create a new file share by using the Storage Gateway console or the Storage Gateway API. For console procedures, see Create an NFS file share with a custom configuration or Create an SMB file share with a custom configuration. For information about the corresponding API commands, see CreateNFSFileShare or CreateSMBFileShare in the Amazon Storage Gateway API Reference.

You can also update encryption settings for an existing file share using the Storage Gateway console, or the Storage Gateway API. For the console procedure, see Change the server-side encryption method for an existing file share. For information about the corresponding API commands, see UpdateNFSFileShare or UpdateSMBFileShare in the Amazon Storage Gateway API Reference.

Note

After you update the encryption method, the gateway uses the new method for all new objects it creates in Amazon S3 and for any stored objects that it updates or modifies in the future. Existing Amazon S3 objects will only receive the new encryption method if they are updated or modified by the gateway.

Important

Make sure that your file share uses the same encryption type as the Amazon S3 bucket where it stores your data. If the bucket's default encryption setting or bucket policy expects a different method (for example, a bucket policy that denies PutObject requests that do not specify SSE-KMS), Amazon S3 can reject the objects that the gateway uploads.

If you configure your File Gateway to use SSE-KMS or DSSE-KMS for encryption, you must manually add kms:Encrypt, kms:Decrypt, kms:ReEncrypt* (which covers kms:ReEncryptFrom and kms:ReEncryptTo), kms:GenerateDataKey, and kms:DescribeKey permissions to the IAM role associated with the file share. The key policy of the KMS key must also allow that role to use the key; an IAM policy on the role is not sufficient by itself unless the key policy delegates access to IAM. For more information, see Using Identity-Based Policies (IAM Policies) for Storage Gateway.
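The permission requirement above can be verified before the file share is created or updated, rather than discovered through failed uploads. The following is an added example, not code from the Storage Gateway documentation or the Storage Gateway API: it takes an IAM policy document retrieved from the file share role (for example with iam:GetRolePolicy) and reports which of the required KMS actions are not allowed, or are explicitly denied, for a given encryption type. The EncryptionType value names (SseS3, SseKms, DsseKms) are assumed to match the API enum, and both sample policies are constructed for the example. The check covers only the IAM side; the KMS key policy must be reviewed separately.

```python
"""Preflight check: does a file share role's policy cover the KMS actions
required for SSE-KMS / DSSE-KMS? Added example, not Storage Gateway code."""
import copy
import fnmatch

# The actions the documentation requires for SSE-KMS and DSSE-KMS shares.
# kms:ReEncrypt* is listed by its two concrete actions so that a policy
# granting only one of them is reported as incomplete.
REQUIRED_KMS_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
)


def required_actions(encryption_type: str) -> tuple:
    """KMS actions the role needs for an EncryptionType value.

    Assumption: value names follow the API enum SseS3 | SseKms | DsseKms.
    """
    if encryption_type == "SseS3":
        return ()  # S3-managed keys: no KMS permissions needed
    if encryption_type in ("SseKms", "DsseKms"):
        return REQUIRED_KMS_ACTIONS
    raise ValueError(f"unknown encryption type: {encryption_type}")


def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_kms_actions(policy: dict, encryption_type: str) -> list:
    """Return required actions that are not allowed, or are denied, by the policy.

    Conservative: any matching Deny counts as a denial regardless of its
    Condition or Resource, and NotAction statements are ignored.
    """
    needed = required_actions(encryption_type)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for action in needed:
            if any(_matches(p, action) for p in patterns):
                target.add(action)
    return [a for a in needed if a not in allowed or a in denied]


# Constructed sample: grants the S3 access plus most of the KMS actions,
# but kms:DescribeKey was forgotten. Account ID and key ID are placeholders.
GAPPY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt",
                       "kms:ReEncrypt*", "kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/"
                        "00000000-0000-0000-0000-000000000000",
        },
    ],
}

# The same policy with the missing action added.
FIXED_ROLE_POLICY = copy.deepcopy(GAPPY_ROLE_POLICY)
FIXED_ROLE_POLICY["Statement"][1]["Action"].append("kms:DescribeKey")


if __name__ == "__main__":
    for name, pol in (("gappy", GAPPY_ROLE_POLICY), ("fixed", FIXED_ROLE_POLICY)):
        for enc in ("SseS3", "SseKms", "DsseKms"):
            print(f"{name:5} {enc:7} missing: {missing_kms_actions(pol, enc)}")
```

Run the script with the role policy exported from IAM in place of the constructed one; an empty list for the share's encryption type means the IAM side of the requirement is satisfied. A non-empty list for SseKms or DsseKms is the signal to fix the role policy before switching the share, since the gateway will otherwise fail to write new objects once the encryption method changes.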