Amazon S3 Categorical One Zone now helps AWS KMS with buyer managed keys -

Amazon S3 Categorical One Zone, a high-performance, single-Availability Zone (AZ) S3 storage class, now helps server-side encryption with AWS Key Administration Service (KMS) keys (SSE-KMS). S3 Categorical One Zone already encrypts all objects saved in S3 listing buckets with Amazon S3 managed keys (SSE-S3) by default. Beginning at present, you need to use AWS KMS buyer managed keys to encrypt information at relaxation, with no impression on efficiency. This new encryption functionality provides you an extra possibility to fulfill compliance and regulatory necessities when utilizing S3 Categorical One Zone, which is designed to ship constant single-digit millisecond information entry on your most ceaselessly accessed information and latency-sensitive functions.

S3 listing buckets assist you to specify just one buyer managed key per bucket for SSE-KMS encryption. As soon as the client managed secret’s added, you can not edit it to make use of a brand new key. However, with S3 normal goal buckets, you need to use a number of KMS keys both by altering the default encryption configuration of the bucket or throughout S3 PUT requests. When utilizing SSE-KMS with S3 Categorical One Zone, S3 Bucket Keys are at all times enabled. S3 Bucket Keys are free and cut back the variety of requests to AWS KMS by as much as 99%, optimizing each efficiency and prices.

Utilizing SSE-KMS with Amazon S3 Categorical One Zone
To indicate you this new functionality in motion, I first create an S3 listing bucket within the Amazon S3 console following the steps to create a S3 listing bucket and use apne1-az4 because the Availability Zone. In Base title, I enter s3express-kms and a suffix that features the Availability Zone ID wich is mechanically added to create the ultimate title. Then, I choose the checkbox to acknowledge that Knowledge is saved in a single Availability Zone.

Within the Default encryption part, I select Server-side encryption with AWS Key Administration Service keys (SSE-KMS). Below AWS KMS Key I can Select out of your AWS KMS keys, Enter AWS KMS key ARN, or Create a KMS key. For this instance, I beforehand created an AWS KMS key, which I chosen from the checklist, after which select Create bucket.

Now, any new object I add to this S3 listing bucket shall be mechanically encrypted utilizing my AWS KMS key.

SSE-KMS with Amazon S3 Categorical One Zone in motion
To make use of SSE-KMS with S3 Categorical One Zone through the AWS Command Line Interface (AWS CLI), you want an AWS Id and Entry Administration (IAM) consumer or function with the next coverage . This coverage permits the CreateSession API operation, which is critical to efficiently add and obtain encrypted information to and out of your S3 listing bucket.

{
	"Model": "2012-10-17",
	"Assertion": [
		{
			"Effect": "Allow",
			"Action": [
				"s3express:CreateSession"
			],
			"Useful resource": [
				"arn:aws:s3express:*:<account>:bucket/s3express-kms--apne1-az4--x-s3"
			]
		},
		{
			"Impact": "Permit",
			"Motion": [
				"kms:Decrypt",
				"kms:GenerateDataKey"
			],
			"Useful resource": [
				"arn:aws:kms:*:<account>:key/<keyId>"
			]
		}
	]
}

With the PutObject command, I add a brand new file named confidential-doc.txt to my S3 listing bucket.

aws s3api put-object --bucket s3express-kms--apne1-az4--x-s3 
--key confidential-doc.txt 
--body confidential-doc.txt

As successful of the earlier command I obtain the next output:

{
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ChecksumCRC32": "0duteA==",
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true
}

Checking the article’s properties with HeadObject command, I see that it’s encrypted utilizing SSE-KMS with the important thing that I created earlier than:

aws s3api head-object --bucket s3express-kms--apne1-az4--x-s3 
--key confidential-doc.txt

I get the next output:

 
{
    "AcceptRanges": "bytes",
    "LastModified": "2024-08-21T15:29:22+00:00",
    "ContentLength": 5,
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ContentType": "binary/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true,
    "StorageClass": "EXPRESS_ONEZONE"
}

I obtain the encrypted object with GetObject:

aws s3api get-object --bucket s3express-kms--apne1-az4--x-s3 
--key confidential-doc.txt output-confidential-doc.txt

As my session has the mandatory permissions, the article is downloaded and decrypted mechanically.

{
    "AcceptRanges": "bytes",
    "LastModified": "2024-08-21T15:29:22+00:00",
    "ContentLength": 5,
    "ETag": ""664469eeb92c4218bbdcf92ca559d03b"",
    "ContentType": "binary/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:<accountId>:key/<keyId>",
    "BucketKeyEnabled": true,
    "StorageClass": "EXPRESS_ONEZONE"
}

For this second check, I exploit a distinct IAM consumer with a coverage that’s not granted the mandatory KMS key permissions to obtain the article. This try fails with an AccessDenied error, demonstrating that the SSE-KMS encryption is functioning as meant.

An error occurred (AccessDenied) when calling the CreateSession operation: Entry Denied

This demonstration reveals how SSE-KMS works seamlessly with S3 Categorical One Zone, offering an extra layer of safety whereas sustaining ease of use for licensed customers.

Issues to know
Getting began – You’ll be able to allow SSE-KMS for S3 Categorical One Zone utilizing the Amazon S3 console, AWS CLI, or AWS SDKs. Set the default encryption configuration of your S3 listing bucket to SSE-KMS and specify your AWS KMS key. Bear in mind, you may solely use one buyer managed key per S3 listing bucket for its lifetime.

Areas – S3 Categorical One Zone help for SSE-KMS utilizing buyer managed keys is accessible in all AWS Areas the place S3 Categorical One Zone is at present accessible.

Efficiency – Utilizing SSE-KMS with S3 Categorical One Zone doesn’t impression request latency. You’ll proceed to expertise the identical single-digit millisecond information entry.

Pricing – You pay AWS KMS costs to generate and retrieve information keys used for encryption and decryption. Go to the AWS KMS pricing web page for extra particulars. As well as, when utilizing SSE-KMS with S3 Categorical One Zone, S3 Bucket Keys are enabled by default for all information airplane operations aside from CopyObject and UploadPartCopy, and might’t be disabled. This reduces the variety of requests to AWS KMS by as much as 99%, optimizing each efficiency and prices.

AWS CloudTrail integration – You’ll be able to audit SSE-KMS actions on S3 Categorical One Zone objects utilizing AWS CloudTrail. Be taught extra about that in my earlier weblog submit.

– Eli.

Amazon S3 Categorical One Zone now helps AWS KMS with buyer managed keys

Leave a Reply Cancel reply

Earth-abundant Li-ion cathode supplies with nanoengineered microstructures

IEEE-USA’s New Information Helps Corporations Navigate AI Dangers

Ivanti warns of one other essential CSA flaw exploited in assaults

Unified Communications Convention 2024: Simply 2 weeks to go till the main telecommunications occasion in Amsterdam

Unusual Visible Auras Might Maintain the Key to Higher Migraine Remedies

Earth-abundant Li-ion cathode supplies with nanoengineered microstructures

IEEE-USA’s New Information Helps Corporations Navigate AI Dangers

Ivanti warns of one other essential CSA flaw exploited in assaults

Unified Communications Convention 2024: Simply 2 weeks to go till the main telecommunications occasion in Amsterdam