SSE-KMS: Amazon S3-KMS Managed Encryption Keys
Amazon offers a pay-per-use key management service, AWS KMS. It can be used to encrypt data in S3 with keys that are centrally managed and whose use can be granted to specific IAM roles and accounts.
S3 can use AWS KMS to encrypt uploaded data. When an object is uploaded with SSE-KMS, the named key is retrieved from the KMS service and used to encrypt the per-object secret key that encrypts the uploaded data. To read the object, the same key must be retrieved from KMS and used to decrypt the per-object secret key, which is then used to decrypt the actual file.
KMS keys are managed by an organization's administrators in AWS, including granting and revoking access for specific users, groups, and IAM roles. Only those "principals" with granted rights to a key may use it, so only they can encrypt data with the key or decrypt data encrypted with it. This allows KMS to provide a cryptographically enforced access control mechanism for data stored in S3.
Note: The AWS KMS service is not related to the Key Management Service built into Hadoop (Hadoop KMS). The Hadoop KMS primarily manages keys for HDFS Transparent Encryption. Similarly, HDFS encryption is unrelated to S3 data encryption.
Enabling SSE-KMS
To enable SSE-KMS, set the property fs.s3a.server-side-encryption-algorithm to SSE-KMS in core-site.xml:

```xml
<property>
  <name>fs.s3a.server-side-encryption-algorithm</name>
  <value>SSE-KMS</value>
</property>
```
The ID of the specific key used to encrypt the data should also be set in the property fs.s3a.server-side-encryption.key:

```xml
<property>
  <name>fs.s3a.server-side-encryption.key</name>
  <value>arn:aws:kms:us-west-2:360379543683:key/071a86ff-8881-4ba0-9230-95af6d01ca01</value>
</property>
```
If your account is set up with a default KMS key and fs.s3a.server-side-encryption.key is unset, the default key will be used.
Alternatively, organizations may define a default key in AWS KMS; if a default key is set, it will be used whenever SSE-KMS encryption is chosen and the value of fs.s3a.server-side-encryption.key is empty.
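As an added example that is not part of the original page, the following Python script reads the two S3A properties above from a core-site.xml string, reports whether the configuration is consistent (including the case where the key is unset and the account's default key would apply), and checks an S3 head-object response to confirm an object was actually stored with SSE-KMS under the configured key. The XML fragment and the head-object response are constructed inline for the demonstration; the key-format pattern is a deliberately loose check and an assumption of this example, not a rule from the page.

```python
"""Sanity-check S3A SSE-KMS settings and verify an object's effective encryption."""
import re
import xml.etree.ElementTree as ET

ALGO_PROP = "fs.s3a.server-side-encryption-algorithm"
KEY_PROP = "fs.s3a.server-side-encryption.key"
# Loose, assumed pattern: a KMS key/alias ARN, a bare key ID, or an alias name.
KMS_KEY_RE = re.compile(
    r"^(arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/\S+|alias/\S+"
    r"|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$")

# Constructed core-site.xml fragment mirroring the two properties on this page.
CORE_SITE_XML = """<configuration>
  <property><name>fs.s3a.server-side-encryption-algorithm</name><value>SSE-KMS</value></property>
  <property><name>fs.s3a.server-side-encryption.key</name>
    <value>arn:aws:kms:us-west-2:360379543683:key/071a86ff-8881-4ba0-9230-95af6d01ca01</value></property>
</configuration>"""

# Constructed response in the shape returned by `aws s3api head-object` / boto3.
HEAD_OBJECT = {
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-west-2:360379543683:key/071a86ff-8881-4ba0-9230-95af6d01ca01",
}

def load_s3a_encryption(xml_text):
    """Return (algorithm, key) from core-site.xml text; missing values become None / ''."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        props[prop.findtext("name", "").strip()] = prop.findtext("value", "").strip()
    return props.get(ALGO_PROP), props.get(KEY_PROP, "")

def check_config(algorithm, key):
    """Return a list of findings; an empty list means the SSE-KMS settings are consistent."""
    findings = []
    if algorithm != "SSE-KMS":
        findings.append(f"{ALGO_PROP} is {algorithm!r}, expected 'SSE-KMS'")
    if key == "":
        findings.append(f"{KEY_PROP} is unset: the account's default KMS key will be used")
    elif not KMS_KEY_RE.match(key):
        findings.append(f"{KEY_PROP} does not look like a KMS key ID, alias or ARN: {key!r}")
    return findings

def object_uses_key(head, expected_key):
    """True if S3 reports the object as SSE-KMS encrypted with the configured key.
    S3 always reports the full key ARN, so compare on the trailing key ID; a key
    configured by alias cannot be matched this way and yields False."""
    key_id = lambda s: s.rsplit("/", 1)[-1]
    return (head.get("ServerSideEncryption") == "aws:kms"
            and key_id(head.get("SSEKMSKeyId", "")) == key_id(expected_key))

if __name__ == "__main__":
    algo, key = load_s3a_encryption(CORE_SITE_XML)
    print(check_config(algo, key) or "config OK")
    print("object encrypted with configured key:", object_uses_key(HEAD_OBJECT, key))
```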
Note: AWS Key Management Service (KMS) is pay-per-use, so working with data encrypted via KMS keys incurs extra charges during data I/O.
To learn more, refer to Protecting Data Using Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) in the AWS documentation.