Amazon S3 Express One Zone Supports SSE-KMS

Amazon S3 Express One Zone, a high-performance, single-Availability Zone (AZ) S3 storage class, now supports server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). By default, S3 Express One Zone encrypts all objects stored in S3 directory buckets with Amazon S3 managed keys (SSE-S3). You can now use AWS KMS customer managed keys to encrypt data at rest with no impact on performance. S3 Express One Zone is designed to deliver consistent single-digit millisecond data access for your most frequently accessed data and latency-sensitive applications, and this new encryption option helps you meet compliance and regulatory requirements while using it.

An S3 directory bucket accepts a single customer managed key for SSE-KMS. After you specify that key as the bucket's default encryption, you can't change it to a different key. This differs from S3 general purpose buckets, where you can use multiple KMS keys, either per object in S3 PUT requests or by changing the bucket's default encryption settings. With S3 Express One Zone, SSE-KMS always has S3 Bucket Keys enabled. S3 Bucket Keys are free and reduce AWS KMS requests by up to 99%, improving performance and lowering costs.

Using SSE-KMS with Amazon S3 Express One Zone

To try this new capability, first create an S3 directory bucket in the Amazon S3 console. For example, use the Availability Zone apne1-az4. The Availability Zone ID is appended automatically to the base name you enter (here, s3express-kms) to form the final bucket name. Then select the checkbox acknowledging that data is stored in a single Availability Zone.

Under Default encryption, choose Server-side encryption with AWS Key Management Service keys (SSE-KMS). Under AWS KMS key, you have three options: Choose from your AWS KMS keys, Create a KMS key, or Enter AWS KMS key ARN. In this example, choose an existing key from your AWS KMS keys, then choose Create bucket.

Every new object you upload to this S3 directory bucket is now automatically encrypted with your AWS KMS key.

SSE-KMS with Amazon S3 Express One Zone in operation

To use SSE-KMS with S3 Express One Zone from the AWS Command Line Interface (AWS CLI), you need an AWS Identity and Access Management (IAM) user or role whose policy allows the CreateSession API operation on the directory bucket together with use of the KMS key. With that in place, you can upload encrypted objects to your S3 directory bucket and retrieve them.

You can verify that the object is encrypted with SSE-KMS and the key you created earlier by calling HeadObject and checking the ServerSideEncryption and SSEKMSKeyId fields in the response.

To download the encrypted object, use GetObject.

Because your session has the necessary permissions, the object is downloaded and decrypted.

For a second test, try to download the object as a different IAM user whose policy does not grant the required access to the KMS key. The request fails with an Access Denied error, which shows the SSE-KMS protection working as intended.
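The console steps above and the CLI test that follows them, worked end to end as one added example. This script is not from the original post or from AWS: the region, account ID, key ID, IAM user names and the `no-kms` CLI profile are placeholders, and the permission set it grants (s3express:CreateSession on the bucket plus kms:GenerateDataKey and kms:Decrypt on the key) is an assumption, since the post does not reproduce its policy. The helpers that build the bucket name, the encryption document and the two policies, and the HeadObject check, run offline; the `aws` calls only run when the script is invoked with `run`.

```shell
#!/bin/sh
# Added example: SSE-KMS on an S3 Express One Zone directory bucket via the AWS CLI.
# Account ID, key ID, user names and the no-kms profile are placeholders.
set -eu

REGION="ap-northeast-1"    # apne1-az4 is an Availability Zone ID in ap-northeast-1
AZ_ID="apne1-az4"
BASE_NAME="s3express-kms"
ACCOUNT_ID="111122223333"  # placeholder account
KMS_KEY_ARN="arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder key

# Directory bucket name = base name + AZ ID + the fixed --x-s3 suffix.
directory_bucket_name() {
  printf '%s--%s--x-s3' "$1" "$2"
}

# Default-encryption document for put-bucket-encryption. A directory bucket takes exactly
# one customer managed key, and S3 Bucket Keys are always on for it.
sse_kms_config() {
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$1"
}

# Identity policy: $1 = bucket name, $2 = KMS key ARN. With $2 empty the KMS statement is
# omitted, which produces the "no key access" principal used for the Access Denied test.
# (Sids and the assumed permission set are this example's, not the post's.)
session_policy() {
  kms_stmt=""
  if [ -n "$2" ]; then
    kms_stmt=",{\"Sid\":\"UseDataKeys\",\"Effect\":\"Allow\",\"Action\":[\"kms:GenerateDataKey\",\"kms:Decrypt\"],\"Resource\":\"$2\"}"
  fi
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"CreateSession","Effect":"Allow","Action":"s3express:CreateSession","Resource":"arn:aws:s3express:%s:%s:bucket/%s"}%s]}' \
    "$REGION" "$ACCOUNT_ID" "$1" "$kms_stmt"
}

# Checks head-object JSON ($1) for the aws:kms algorithm and exactly the expected key ARN ($2).
verify_sse_kms() {
  printf '%s' "$1" | grep -q '"ServerSideEncryption": *"aws:kms"' &&
    printf '%s' "$1" | grep -qF "\"SSEKMSKeyId\": \"$2\""
}

demo() {
  bucket=$(directory_bucket_name "$BASE_NAME" "$AZ_ID")

  # 1. Create the single-AZ directory bucket and make SSE-KMS its default encryption.
  aws s3api create-bucket --region "$REGION" --bucket "$bucket" \
    --create-bucket-configuration "Location={Type=AvailabilityZone,Name=${AZ_ID}},Bucket={DataRedundancy=SingleAvailabilityZone,Type=Directory}"
  aws s3api put-bucket-encryption --region "$REGION" --bucket "$bucket" \
    --server-side-encryption-configuration "$(sse_kms_config "$KMS_KEY_ARN")"

  # 2. Attach the two test policies to two placeholder users.
  session_policy "$bucket" "$KMS_KEY_ARN" > allow-kms.json
  session_policy "$bucket" ""            > no-kms.json
  aws iam put-user-policy --user-name s3x-writer --policy-name s3x-sse-kms --policy-document file://allow-kms.json
  aws iam put-user-policy --user-name s3x-nokms  --policy-name s3x-no-kms  --policy-document file://no-kms.json

  # 3. Upload under the default encryption, then confirm the object carries our key.
  printf 'hello\n' > hello.txt
  aws s3api put-object --region "$REGION" --bucket "$bucket" --key hello.txt --body hello.txt
  meta=$(aws s3api head-object --region "$REGION" --output json --bucket "$bucket" --key hello.txt)
  verify_sse_kms "$meta" "$KMS_KEY_ARN" || { echo "object is not SSE-KMS with the expected key" >&2; exit 1; }

  # 4. The principal with kms:Decrypt downloads and decrypts ...
  aws s3api get-object --region "$REGION" --bucket "$bucket" --key hello.txt downloaded.txt
  # ... and the one whose session lacks key access must get AccessDenied
  # (the no-kms profile is assumed to hold the s3x-nokms user's credentials).
  if aws s3api get-object --profile no-kms --region "$REGION" --bucket "$bucket" --key hello.txt denied.txt; then
    echo "unexpected: download succeeded without KMS key access" >&2
    exit 1
  fi
}

# Only talks to AWS when asked:  sh s3x-sse-kms.sh run
if [ "${1:-}" = "run" ]; then
  demo
fi
```

Because the key chosen at creation stays with the directory bucket for its lifetime, the `verify_sse_kms` check is worth running on the first object you write, before any production data lands in the bucket.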

Things to know

Getting started: You can enable SSE-KMS for S3 Express One Zone using the Amazon S3 console, AWS CLI, or AWS SDKs. Set the S3 directory bucket's default encryption to SSE-KMS and specify your AWS KMS key. Remember that a single customer managed key is used for the lifetime of an S3 directory bucket.

Regions: Support for SSE-KMS with customer managed keys is available in all AWS Regions where S3 Express One Zone is currently available.

Performance: Using SSE-KMS with S3 Express One Zone has no impact on request latency. You will have access to the same single-digit millisecond data access.

Pricing: You pay AWS KMS charges for generating and retrieving the data keys used for encryption and decryption. See the AWS KMS pricing page for details. When you use SSE-KMS with S3 Express One Zone, S3 Bucket Keys are automatically enabled for all data plane operations except CopyObject and UploadPartCopy, and they can't be disabled. This reduces AWS KMS requests by up to 99%, improving efficiency and lowering costs.
