Is there any difference between KMS-encrypting a file and pushing that file to an S3 bucket, versus putting the file in an S3 bucket using SSE-KMS encryption?
Still cannot understand when to use SSE-S3 and when to use KMS – rinilnath Jan 11 '23 at 07:12
1 Answer
First: the KMS Encrypt operation will only accept 4K of data, so it isn't a general solution.
With S3 server-side encryption, the S3 back-end will generate a key, use that key to encrypt the data, use KMS to encrypt the key, then store the encrypted data and the encrypted key. When you read the data it does the reverse: use KMS to decrypt the key, then use the decrypted key to decrypt the data.
You could implement the same thing yourself, storing the encrypted key in the S3 object's metadata. However, this means writing code to do the object encryption yourself, and unless you are familiar with encryption it's possible that you could make a mistake.
There are some limited use-cases for client-side encryption, but in those cases you'd be using an encryption key that's not provided by KMS.

Thank you! This helps. When I decrypt the data, is it sufficient if I pass the KMS ARN to S3, and will it return the decrypted file? – Punter Vicky May 03 '19 at 14:26
With SSE, S3 knows the key that was used to encrypt the file. As long as you have permission to use that key it will transparently decrypt during download. – guest May 03 '19 at 14:36
The 4KB limit you refer to is the KMS limit on the size of keys that can be encrypted with a CMK. You use a CMK to generate and encrypt data *keys*, not the actual file's data. This is 'envelope encryption'. Each data file would have a unique data key, and that key is encrypted by the CMK. You can encrypt *any* amount of data with the data key. – jarmod May 03 '19 at 16:09
Just commenting because your first statement, while true, might cause some readers to infer that they cannot encrypt files over 4KB. – jarmod May 03 '19 at 16:29
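The envelope-encryption flow the answer describes, and that jarmod's comments restate, as an added example in Go that is not code from the original post or from AWS: a stand-in for KMS keeps the master key to itself, enforces the real KMS Encrypt ceiling of 4096 bytes of plaintext, and issues data keys; the client encrypts the object body locally with AES-GCM, stores the wrapped data key in the object's user metadata, and reverses the process on read. The `fakeKMS` type, the `s3Object` struct and the `wrapped-key` metadata name are assumptions made for this example so it runs offline; against AWS you would call `GenerateDataKey` and `Decrypt` on a real KMS client and pass the body and `Metadata` map to `PutObject`/`GetObject`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// fakeKMS stands in for AWS KMS so this runs offline (an assumption of this example);
// like KMS it keeps the customer master key to itself and only ever returns ciphertext.
type fakeKMS struct{ cmk []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt mirrors kms.Encrypt, including the real API's 4096-byte plaintext ceiling:
// it wraps keys, not files. AES-GCM stands in for the opaque KMS wrapping format.
func (f *fakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > 4096 {
		return nil, fmt.Errorf("kms: plaintext is %d bytes, limit is 4096", len(plaintext))
	}
	return gcmSeal(f.cmk, plaintext)
}

func (f *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return gcmOpen(f.cmk, blob) }

// GenerateDataKey mirrors kms.GenerateDataKey: a fresh 256-bit key returned in the
// clear (use it, then discard it) and wrapped under the CMK (store this copy).
func (f *fakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = f.Encrypt(plain)
	return plain, wrapped, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag under key.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails if nonce, body or tag were altered.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext too short: %v", err)
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// s3Object is what the client uploads: body plus the user-metadata map PutObject carries.
type s3Object struct {
	Body     []byte
	Metadata map[string]string
}

// putEnvelope: data key from KMS, body encrypted locally, wrapped key kept in metadata.
func putEnvelope(kms *fakeKMS, plaintext []byte) (*s3Object, error) {
	dataKey, wrappedKey, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	body, err := gcmSeal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // the plaintext data key is never persisted
		dataKey[i] = 0
	}
	meta := map[string]string{"wrapped-key": base64.StdEncoding.EncodeToString(wrappedKey)}
	return &s3Object{Body: body, Metadata: meta}, nil
}

// getEnvelope is the read path: unwrap the data key via KMS, then decrypt the body.
func getEnvelope(kms *fakeKMS, obj *s3Object) ([]byte, error) {
	wrappedKey, err := base64.StdEncoding.DecodeString(obj.Metadata["wrapped-key"])
	if err != nil {
		return nil, err
	}
	dataKey, err := kms.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, obj.Body)
}
```

To try it, build a KMS stand-in with `&fakeKMS{cmk: randomBytes(32)}`, call `putEnvelope` on a multi-megabyte body and `getEnvelope` on the result; calling `Encrypt` directly on the same body is refused, which is the 4K limit from the answer, while the 32-byte data key wraps without trouble. Storing the wrapped key in user metadata is safe only because it is ciphertext under the CMK: anyone with `s3:GetObject` can fetch the body and the metadata, but without `kms:Decrypt` on that key the body stays opaque, and a second `fakeKMS` with a different master key fails to unwrap it. SSE-KMS does exactly this envelope construction inside S3: the client sets `ServerSideEncryption` to `aws:kms` (and optionally `SSEKMSKeyId`) on `PutObject`, S3 generates and wraps the data key, and `GetObject` decrypts transparently for any principal allowed to use that KMS key, which is the behaviour guest's comment describes.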