Amazon S3 Specific one zonea single, high-performance availability zone (AZ) S3 storage class, now helps server-side encryption with AWS Key Administration Service (KMS) keys (SSE-KMS). S3 Specific One Zone already encrypts all objects saved in S3 listing buckets with Amazon S3 Managed Keys (SSE-S3) default. Beginning right now you should use AWS KMS Buyer Managed Keys to encrypt knowledge at relaxation, with no efficiency influence. This new encryption functionality provides you a further choice to fulfill regulatory and compliance necessities while you use S3 Specific One Zone, which is designed to supply fixed single-digit millisecond knowledge entry for the information you entry most continuously. frequency and latency-sensitive functions.
S3 listing buckets let you specify just one customer-managed key per bucket for SSE-KMS encryption. As soon as the customer-managed secret is added, you can’t edit it to make use of a brand new key. Then again, with S3 general-purpose buckets, you should use a number of KMS keys both by altering the bucket’s default encryption settings or throughout S3 PUT requests. When utilizing SSE-KMS with S3 Specific One Zone, S3 dice keys They’re all the time enabled. S3 Bucket Keys are free and cut back the variety of requests to AWS KMS by as much as 99%, optimizing each efficiency and prices.
Utilizing SSE-KMS with Amazon S3 Specific One Zone
To indicate you this new functionality in motion, I first create an S3 listing bucket on the Amazon S3 Console following the steps to create an S3 listing bucket and use apne1-az4 like him Availability zone. In Fundamental identifyI enter s3express-kms after which a suffix that features the provision zone ID is mechanically added to create the ultimate identify. Then, I choose the checkbox to acknowledge that Information is saved in a single availability zone adopted by Create deposit.
Now we are going to see use the AWS Command Line Interface (AWS CLI) to configure encryption on the bucket we simply created.
To make use of SSE-KMS with S3 Specific One Zone by way of the AWS CLI, you want a AWS Identification and Entry Administration (IAM) Consumer both position with the next coverage . This coverage permits the Create session API operation, which is required to efficiently add and obtain encrypted recordsdata to and out of your S3 listing bucket.
I will use PutBucketEncryption API to configure my default deposit encryption to SSE-KMS. Beneath is an instance of the AWS CLI:
aws s3api put-bucket-encryption
--bucket s3express-kms--apne1-az4--x-s3
--server-side-encryption-configuration
'{"Guidelines": ({"ApplyServerSideEncryptionByDefault":
{"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab"
},
"BucketKeyEnabled":true})}'Any new objects I add to this S3 listing bucket shall be mechanically encrypted utilizing my AWS KMS key. With the PutObject command, I add a brand new file referred to as confidential-doc.txt to my S3 listing bucket.
Because of the success of the above command, I obtain the next output:
Examine object properties with Fundamental object command, I see that it’s encrypted utilizing SSE-KMS with the important thing I created earlier than:
I get the next outcome:
I obtain the encrypted object with GetObject:
Since my session has the required permissions, the article is mechanically downloaded and decrypted.
For this second take a look at, I take advantage of a unique IAM person with a coverage that’s not granted the KMS key permissions required to obtain the article. This try fails with a Entry denied error, proving that SSE-KMS encryption works as supposed.
This demo exhibits how SSE-KMS works seamlessly with S3 Specific One Zone, offering a further layer of safety whereas sustaining ease of use for licensed customers.
Issues you must know
Getting began – You may allow SSE-KMS for S3 Specific One Zone utilizing the AWS CLI or the AWS SDKs. Set your S3 listing bucket’s default encryption settings to SSE-KMS and specify your AWS KMS key. Keep in mind, you possibly can solely use one customer-managed key per S3 listing bucket throughout its lifetime.
Areas – S3 Specific One Zone assist for SSE-KMS utilizing buyer managed keys is obtainable on all AWS Areas the place S3 Specific One Zone is presently out there.
Efficiency – Utilizing SSE-KMS with S3 Specific One Zone doesn’t have an effect on request latency. You’ll proceed to expertise the identical single digit knowledge entry in milliseconds.
Costs – Pay AWS KMS fees to generate and recuperate knowledge keys used for encryption and decryption. Go to the AWS KMS Pricing Web page for extra particulars. Moreover, when utilizing SSE-KMS with S3 Specific One Zone, S3 bucket keys are enabled by default for all knowledge airplane operations besides CopyObject and LoadPartCopyand can’t be disabled. This reduces the variety of requests to AWS KMS by as much as 99%, optimizing each efficiency and prices.
AWS CloudTrail Integration – You may audit SSE-KMS actions on S3 Specific One Zone objects utilizing AWS CloudTrail. Be taught extra about that at my earlier weblog publish.
– Eli.
Up to date September 19, 2024 – Up to date the CLI instance to set default encryption for an present bucket as a substitute of the console.
