Amazon S3 Specific One Zone now helps AWS KMS with buyer managed keys

22 September 2024

47

Amazon S3 Specific One Zone, a high-performance, single-Availability Zone (AZ) S3 storage class, now helps server-side encryption with AWS Key Administration Service (KMS) keys (SSE-KMS). S3 Specific One Zone already encrypts all objects saved in S3 listing buckets with Amazon S3 managed keys (SSE-S3) by default. Beginning immediately, you should utilize AWS KMS buyer managed keys to encrypt knowledge at relaxation, with no impression on efficiency. This new encryption functionality provides you a further possibility to fulfill compliance and regulatory necessities when utilizing S3 Specific One Zone, which is designed to ship constant single-digit millisecond knowledge entry in your most often accessed knowledge and latency-sensitive purposes.

S3 listing buckets let you specify just one buyer managed key per bucket for SSE-KMS encryption. As soon as the shopper managed secret’s added, you can not edit it to make use of a brand new key. Then again, with S3 common goal buckets, you should utilize a number of KMS keys both by altering the default encryption configuration of the bucket or throughout S3 PUT requests. When utilizing SSE-KMS with S3 Specific One Zone, S3 Bucket Keys are all the time enabled. S3 Bucket Keys are free and cut back the variety of requests to AWS KMS by as much as 99%, optimizing each efficiency and prices.

Utilizing SSE-KMS with Amazon S3 Specific One Zone
To point out you this new functionality in motion, I first create an S3 listing bucket within the Amazon S3 console following the steps to create a S3 listing bucket and use apne1-az4 because the Availability Zone. In Base title, I enter s3express-kms after which a suffix that features the Availability Zone ID is mechanically added to create the ultimate title. Then, I choose the checkbox to acknowledge that Information is saved in a single Availability Zone adopted by Create bucket.

Now we’ll stroll by utilizing the AWS Command Line Interface (AWS CLI) to arrange encryption on the bucket we simply created.

To make use of SSE-KMS with S3 Specific One Zone through the AWS CLI, you want an AWS Identification and Entry Administration (IAM) consumer or function with the next coverage . This coverage permits the CreateSession API operation, which is critical to efficiently add and obtain encrypted recordsdata to and out of your S3 listing bucket.

{
   "Model": "2012-10-17",
   "Assertion": [
	{
	   "Effect": "Allow",
	   "Action": [
		"s3express:CreateSession"
		 ],
	   "Useful resource": [
		"arn:aws:s3express:*:<account>:bucket/s3express-kms--apne1-az4--x-s3"
		]
		},
	    {
		"Impact": "Permit",
		"Motion": [
			"kms:Decrypt",
			"kms:GenerateDataKey"
			],
		"Useful resource": [
			"arn:aws:kms:*:<account>:key/<keyId>"
			]
	    }
   ]
}

I’ll use PutBucketEncryption API to set my default bucket encryption to SSE-KMS. Right here is an instance of the AWS CLI:

aws s3api put-bucket-encryption 
--bucket s3express-kms--apne1-az4--x-s3 
--server-side-encryption-configuration 
  '{"Guidelines": [{"ApplyServerSideEncryptionByDefault":
   {"SSEAlgorithm": "aws:kms", 
    "KMSMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab"
   },
  "BucketKeyEnabled":true}]}'

Any new object I add to this S3 listing bucket can be mechanically encrypted utilizing my AWS KMS key. With the PutObject command, I add a brand new file named confidential-doc.txt to my S3 listing bucket.

aws s3api put-object --bucket s3express-kms--apne1-az4--x-s3 
--key confidential-doc.txt 
--body confidential-doc.txt

As a hit of the earlier command I obtain the next output:

{
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ChecksumCRC32": "0duteA==",
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true
}

Checking the thing’s properties with HeadObject command, I see that it’s encrypted utilizing SSE-KMS with the important thing that I created earlier than:

aws s3api head-object --bucket s3express-kms--apne1-az4--x-s3 
--key confidential-doc.txt

I get the next output:

 
{
    "AcceptRanges": "bytes",
    "LastModified": "2024-08-21T15:29:22+00:00",
    "ContentLength": 5,
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ContentType": "binary/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true,
    "StorageClass": "EXPRESS_ONEZONE"
}

I obtain the encrypted object with GetObject:

aws s3api get-object --bucket s3express-kms--apne1-az4--x-s3 
--key confidential-doc.txt output-confidential-doc.txt

As my session has the required permissions, the thing is downloaded and decrypted mechanically.

{
    "AcceptRanges": "bytes",
    "LastModified": "2024-08-21T15:29:22+00:00",
    "ContentLength": 5,
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ContentType": "binary/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true,
    "StorageClass": "EXPRESS_ONEZONE"
}

For this second check, I exploit a distinct IAM consumer with a coverage that isn’t granted the required KMS key permissions to obtain the thing. This try fails with an AccessDenied error, demonstrating that the SSE-KMS encryption is functioning as supposed.

An error occurred (AccessDenied) when calling the CreateSession operation: Entry Denied

This demonstration reveals how SSE-KMS works seamlessly with S3 Specific One Zone, offering a further layer of safety whereas sustaining ease of use for licensed customers.

Issues to know
Getting began – You may allow SSE-KMS for S3 Specific One Zone utilizing the AWS CLI or AWS SDKs. Set the default encryption configuration of your S3 listing bucket to SSE-KMS and specify your AWS KMS key. Keep in mind, you may solely use one buyer managed key per S3 listing bucket for its lifetime.

Areas – S3 Specific One Zone assist for SSE-KMS utilizing buyer managed keys is out there in all AWS Areas the place S3 Specific One Zone is at present accessible.

Efficiency – Utilizing SSE-KMS with S3 Specific One Zone doesn’t impression request latency. You’ll proceed to expertise the identical single-digit millisecond knowledge entry.

Pricing – You pay AWS KMS costs to generate and retrieve knowledge keys used for encryption and decryption. Go to the AWS KMS pricing web page for extra particulars. As well as, when utilizing SSE-KMS with S3 Specific One Zone, S3 Bucket Keys are enabled by default for all knowledge airplane operations apart from CopyObject and UploadPartCopy, and may’t be disabled. This reduces the variety of requests to AWS KMS by as much as 99%, optimizing each efficiency and prices.

AWS CloudTrail integration – You may audit SSE-KMS actions on S3 Specific One Zone objects utilizing AWS CloudTrail. Be taught extra about that in my earlier weblog publish.

– Eli.

Up to date on September 19, 2024 – We up to date the CLI instance to configure default encryption for an present bucket as an alternative of the console.

Amazon S3 Specific One Zone now helps AWS KMS with buyer managed keys

Related Articles

How one can arrange two-factor authentication to your Apple Account and iCloud

iphone – Contacts disappeared after re-authenticating with Outlook/Trade

New Intel CEO Lip-Bu Tan Guarantees Return to Engineering Innovation in Main Handle

LEAVE A REPLY Cancel reply

Latest Articles

How one can arrange two-factor authentication to your Apple Account and iCloud

iphone – Contacts disappeared after re-authenticating with Outlook/Trade

New Intel CEO Lip-Bu Tan Guarantees Return to Engineering Innovation in Main Handle

Meet the AWS Information Weblog staff!

Equal Elements Launches with $10M to Revolutionize Impartial Insurance coverage Via AI and Human Connection