Encryption @ S3
S3 - Encryption at rest
In the previous post we saw an introduction to encryption and to KMS.
In this post, let's see how to encrypt data at rest in S3 using KMS.
Encryption in S3 can be enabled at two levels:
Level 1: Object-level
You can set the encryption while uploading an object, or change it on an existing object (S3 re-encrypts the object by copying it in place with the new key).
The first option, Amazon S3 managed keys (SSE-S3), uses AES-256 keys that S3 generates, stores and rotates itself; the key stays inside S3 and the user has no access to it.
The other option is AWS KMS keys (SSE-KMS): the key lives in KMS, so you can restrict its use with a key policy and every use of it is recorded in CloudTrail.
Level 2: Bucket level
You can set up bucket-level default encryption, so that even if nothing is specified when uploading an object, the bucket's encryption setting is applied by default.
Under Properties in an S3 bucket
Enable default encryption
At both levels, you can choose between two types of KMS key:
AWS managed -> AWS creates the key (aws/s3) in your account and manages it. You can view it and audit its usage, but you cannot change its key policy, control its rotation, share it with another account or delete it.
Customer managed -> created by the user; in general we create a symmetric KMS key and map it to the bucket. You own the key policy, rotation schedule and deletion, which is what you want for audit and cross-account scenarios.
You can also map a KMS key from another account using its key ARN (an alias does not resolve across accounts), but make sure the key policy allows the calling account's principals to encrypt and decrypt with it, and that the caller also has matching IAM permissions in its own account. The key must be in the same Region as the bucket.
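To make the two levels and the key choices concrete, here is a small Python module, added here as an example (it is not code from the original post or from AWS), that builds the request shapes the S3 PutBucketEncryption and PutObject APIs expect, a bucket policy that rejects uploads not using a specific KMS key, the KMS key-policy statement for the cross-account case, and an offline audit of a GetBucketEncryption result. The bucket name, account IDs and key ARN are constructed placeholders.

```python
"""S3 encryption-at-rest settings as code: SSE-S3 vs SSE-KMS.

Added example, not from the original post. Builds the payloads used by the
S3 PutBucketEncryption / PutObject APIs and KMS key policies, and audits a
GetBucketEncryption result. All identifiers below are constructed placeholders.
"""
import json

# Constructed placeholders (assumptions, not real resources).
BUCKET = "techpechu-demo-bucket"
CMK_ARN = "arn:aws:kms:ap-south-1:111111111111:key/11111111-2222-3333-4444-555555555555"
OTHER_ACCOUNT = "222222222222"


def default_encryption_config(kms_key_arn=None, bucket_key=True):
    """Bucket-level default encryption (PutBucketEncryption payload).

    kms_key_arn=None  -> SSE-S3 (AES256), key generated and held by S3.
    kms_key_arn=<arn> -> SSE-KMS with that customer managed key.
    BucketKeyEnabled reduces KMS calls by deriving a bucket-level data key.
    """
    if kms_key_arn is None:
        rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
    else:
        rule = {
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": bucket_key,
        }
    return {"Rules": [rule]}


def put_object_args(bucket, key, body, kms_key_arn):
    """Object-level override: SSE-KMS parameters for a single PutObject call."""
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ServerSideEncryption": "aws:kms",
        "SSEKMSKeyId": kms_key_arn,
    }


def require_kms_bucket_policy(bucket, kms_key_arn):
    """Bucket policy denying uploads that are not SSE-KMS with this exact key.

    Default encryption only fills in a key when the client sends nothing; this
    policy also rejects uploads that explicitly ask for SSE-S3 or another key.
    Both conditions evaluate request headers, so clients must send them.
    """
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                "Sid": "DenyWrongKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def cross_account_key_policy_statement(account_id):
    """Key policy statement letting another account's principals use this key.

    The other account must also grant these kms:* actions in IAM to its own
    users or roles; the key policy alone is not enough. That account refers to
    the key by ARN, because aliases do not resolve across accounts.
    """
    return {
        "Sid": "AllowUseFromOtherAccount",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }


def audit_bucket_encryption(config):
    """Classify a GetBucketEncryption result.

    Returns 'none', 'sse-s3', 'sse-kms-aws-managed' or 'sse-kms-cmk'.
    A KMS rule with no key ID, or with alias/aws/s3, means the AWS managed key.
    A key ARN is treated as a customer managed key; mapping an ARN back to its
    alias would need kms:ListAliases, which this offline check does not do.
    """
    rules = config.get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "sse-s3"
    if algo == "aws:kms":
        key_id = default.get("KMSMasterKeyID", "")
        if not key_id or key_id.endswith("alias/aws/s3"):
            return "sse-kms-aws-managed"
        return "sse-kms-cmk"
    return "none"


if __name__ == "__main__":
    print(json.dumps(default_encryption_config(CMK_ARN), indent=2))
    print(json.dumps(require_kms_bucket_policy(BUCKET, CMK_ARN), indent=2))
    print(audit_bucket_encryption(default_encryption_config()))
```

The dictionaries returned here are the same shapes you would pass to boto3's put_bucket_encryption, put_object and put_bucket_policy, or feed to the CLI as JSON. The audit function is the check to run across all buckets: anything that comes back as sse-s3 or sse-kms-aws-managed has no key policy you control, so it cannot be shared cross-account or have its use restricted beyond IAM.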
Hope you find this useful. Give 👍 for more posts from us. We also run a YouTube channel, TechPechu, in Tamil (an Indian regional language); do subscribe as moral support! 😀