Encryption @ S3

Encryption @ S3

Subscribe to my newsletter and never miss my upcoming articles

S3 - Encryption at rest

In Previous Post we have seen intro on encryption and KMS intro.

In this post let's see how to encrypt data at rest in S3 using KMS

Encryption in S3 can be enabled in 2 level

Level 1: Object-level

While uploading the object / in the existing object you can modify encryption setting


In above S3 Key is service provided by S3 where the encryption key generated and lies within S3 user have no access to it.


As the next option, you can use KMS.

Level 2: Bucket level

You can setup bucket level default encryption so even if nothing specified on uploading the object the bucket level encryption setting is applied as default

Under Properties in an S3 bucket


Enable default encryption



In both levels, you could see two types of KMS


AWS Managed -> AWS will create a KMS key and manages it user won't have delete access but only read access

Customer Managed -> This is created by the user, in general, we create symmetric type KMS key and get it mapped

You call also map KMS key from another account using key ARN but ensure to update key policy to allow calls from the cross-account for encryption.

Hope you find this useful. Give 👍 for more posts from us. We also run a youtube channel TechPechu in Tamil( Indian regional Language) do subscribe as moral support! 😀

Share this