New – Amazon S3 Dual-Layer Server-Side Encryption with Keys Stored in AWS Key Management Service (DSSE-KMS)


Today, we’re launching Amazon S3 dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS), a new encryption option in Amazon S3 that applies two layers of encryption to objects when they are uploaded to an Amazon Simple Storage Service (Amazon S3) bucket. DSSE-KMS is designed to meet National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption. Using DSSE-KMS, you can fulfill regulatory requirements to apply multiple layers of encryption to your data.

Amazon S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control the data keys used for both layers. DSSE-KMS makes it easier for highly regulated customers, such as US Department of Defense (DoD) customers, to meet rigorous security standards.

With DSSE-KMS, you can specify dual-layer server-side encryption (DSSE) in the PUT or COPY request for an object, or configure your S3 bucket to apply DSSE to all new objects by default. You can also enforce DSSE-KMS using IAM and bucket policies. Each layer of encryption uses a separate cryptographic implementation library with its own data encryption key. DSSE-KMS helps protect sensitive data against the low probability of a vulnerability in a single layer of cryptographic implementation: a flaw in one library or the compromise of one data key still leaves the object protected by the other layer.

DSSE-KMS simplifies the process of applying two layers of encryption to your data, without having to invest in the infrastructure required for client-side encryption. Each layer of encryption uses a different implementation of the 256-bit Advanced Encryption Standard with Galois/Counter Mode (AES-GCM) algorithm. DSSE-KMS uses the AWS Key Management Service (AWS KMS) to generate data keys, allowing you to control your customer managed keys by setting permissions per key and specifying key rotation schedules. As with SSE-KMS, a principal that writes a DSSE-KMS object needs kms:GenerateDataKey on the key and a principal that reads one needs kms:Decrypt, in addition to the S3 permissions, which is what makes the per-key permissions an effective access control on the data itself. With DSSE-KMS, you can now query and analyze your dual-encrypted data with AWS services such as Amazon Athena, Amazon SageMaker, and more.

With this launch, Amazon S3 now offers four options for server-side encryption:

  1. Server-side encryption with Amazon S3 managed keys (SSE-S3)
  2. Server-side encryption with AWS KMS (SSE-KMS)
  3. Server-side encryption with customer-provided encryption keys (SSE-C)
  4. Dual-layer server-side encryption with keys stored in AWS KMS (DSSE-KMS)

Let’s see how DSSE-KMS works in practice.

Create an S3 Bucket and Turn on DSSE-KMS
To create a new bucket in the Amazon S3 console, I choose Buckets in the navigation pane. I choose Create bucket, and I choose a unique and meaningful name for the bucket. Under the Default encryption section, I choose DSSE-KMS as the encryption option. From the available AWS KMS keys, I choose a key that meets my requirements. Finally, I choose Create bucket to complete the creation of the S3 bucket with DSSE-KMS as its default encryption setting.

Upload an Object to the DSSE-KMS Enabled S3 Bucket
In the Buckets list, I choose the name of the bucket that I want to upload an object to. On the Objects tab for the bucket, I choose Upload. Under Files and folders, I choose Add files. I then choose a file to upload, and then choose Open. Under Server-side encryption, I choose Do not specify an encryption key. I then choose Upload.

Once the object is uploaded to the S3 bucket, I can see that the uploaded object inherits the server-side encryption settings from the bucket.

Download a DSSE-KMS Encrypted Object from an S3 Bucket
I select the object that I previously uploaded and choose Download, or choose Download as from the Object actions menu. Once the object is downloaded, I open it locally; the object was decrypted automatically, requiring no change to client applications. Decryption happens inside S3 on the GET request, so the only client-side requirement is that the caller is allowed to use the KMS key (kms:Decrypt).
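The console walkthrough above relies on the bucket default; the earlier paragraph also mentions requesting DSSE in the PUT itself and enforcing it with bucket policies. The following Python is an added example, not code from the original post or from AWS: it builds the bucket default-encryption rule and a bucket policy that denies any PutObject which does not explicitly request DSSE-KMS, then evaluates a few constructed upload requests against that policy offline. The bucket name `example-dsse-bucket` and the key ARN are placeholders; the boto3 calls at the end are the real API calls but are only executed if you invoke `apply_with_boto3` yourself against a bucket you own. The request-header value `aws:kms:dsse` and the condition key `s3:x-amz-server-side-encryption` are the ones S3 uses for DSSE-KMS.

```python
"""Added example (not from the original post): enforce DSSE-KMS on an S3 bucket.

Builds the bucket default-encryption configuration and a Deny-style bucket
policy that requires DSSE-KMS on every PutObject, and checks sample requests
against that policy offline. Bucket name and key ARN are hypothetical.
"""
import json

DSSE_KMS = "aws:kms:dsse"                   # value S3 expects for DSSE-KMS
SSE_HEADER = "x-amz-server-side-encryption" # request header carrying the SSE mode
SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"  # matching policy condition key


def default_encryption_config(kms_key_arn: str) -> dict:
    """PutBucketEncryption payload: new objects uploaded without an explicit
    SSE header are encrypted with DSSE-KMS under this key (the console path
    in the walkthrough relies on exactly this rule)."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": DSSE_KMS,
                "KMSMasterKeyID": kms_key_arn,
            }
        }]
    }


def dsse_only_bucket_policy(bucket: str) -> dict:
    """Bucket policy that denies PutObject unless the request itself asks for
    DSSE-KMS. Two Deny statements, mirroring the shape AWS uses for SSE-KMS:
    one catches a different SSE mode, one catches a missing header, so the
    result does not depend on how a negated operator treats an absent key."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonDsseKms",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: DSSE_KMS}},
            },
            {
                "Sid": "DenyMissingSseHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {SSE_CONDITION_KEY: "true"}},
            },
        ],
    }


def put_allowed_by_policy(policy: dict, request_headers: dict) -> tuple:
    """Offline check of a PutObject request against the policy above.

    Models only the two operators the policy uses (StringNotEquals on a present
    key, and Null). Returns (allowed, reason); an Allow from the caller's
    identity policy is still required for a real request to succeed."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    value = headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for operator, keys in stmt["Condition"].items():
            expected = keys[SSE_CONDITION_KEY]
            if operator == "Null":
                matched = (value is None) == (expected == "true")
            elif operator == "StringNotEquals":
                matched = value is not None and value != expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if matched:
                return False, stmt["Sid"]
    return True, "no Deny matched"


def apply_with_boto3(bucket: str, kms_key_arn: str, key: str, body: bytes) -> str:
    """Apply both settings and upload one object with DSSE-KMS requested
    explicitly. Needs network, credentials, s3:PutBucketEncryption and
    s3:PutBucketPolicy on the bucket, and kms:GenerateDataKey on the key.
    Assumes a boto3 release that accepts 'aws:kms:dsse' (mid-2023 or later)."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=default_encryption_config(kms_key_arn))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(dsse_only_bucket_policy(bucket)))
    s3.put_object(Bucket=bucket, Key=key, Body=body,
                  ServerSideEncryption=DSSE_KMS, SSEKMSKeyId=kms_key_arn)
    # head_object reports the mode S3 actually applied; expect "aws:kms:dsse".
    return s3.head_object(Bucket=bucket, Key=key)["ServerSideEncryption"]


if __name__ == "__main__":
    policy = dsse_only_bucket_policy("example-dsse-bucket")  # hypothetical name
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: explicit DSSE-KMS, single-layer SSE-KMS, no header.
    for hdrs in ({SSE_HEADER: DSSE_KMS}, {SSE_HEADER: "aws:kms"}, {}):
        print(hdrs or "<no SSE header>", "->", put_allowed_by_policy(policy, hdrs))
```

The second Deny statement is deliberately stricter than the bucket default alone: an upload that omits the header (as the console does when you choose not to specify a key) is rejected instead of silently inheriting the default, which forces every writer to state the encryption mode. Drop `DenyMissingSseHeader` if you want the inherit-from-bucket behaviour shown in the walkthrough. The equivalent CLI upload is `aws s3api put-object --bucket <bucket> --key <key> --body <file> --server-side-encryption aws:kms:dsse --ssekms-key-id <key-arn>`.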

Now Available
Amazon S3 dual-layer server-side encryption with keys stored in AWS KMS (DSSE-KMS) is available today in all AWS Regions. You can get started with DSSE-KMS via the AWS CLI or the AWS Management Console. To learn more about all available encryption options on Amazon S3, visit the Amazon S3 User Guide. For pricing information on DSSE-KMS, visit the Amazon S3 pricing page (Storage tab) and the AWS KMS pricing page.

— Irshad
