Amazon S3 (Simple Storage Service) is a highly scalable and secure cloud storage service provided by Amazon Web Services (AWS). It offers object storage for storing and retrieving large amounts of data, such as documents, images, videos, backups, logs, and application data. Amazon S3 offers robust security features to protect your data. It allows you to manage access control at the bucket and object level using AWS Identity and Access Management (IAM) policies. You can also enable server-side encryption to encrypt your data at rest. AWS has now launched Amazon S3 dual-layer server-side encryption with keys stored in AWS Key Management Service (KMS).
Dual-layer server-side encryption
Amazon S3 dual-layer server-side encryption with keys stored in AWS KMS, abbreviated DSSE-KMS, is a new option that applies two layers of encryption to objects when they are uploaded. It is designed to meet National Security Agency CNSSP 15 for FIPS compliance and the Data-at-Rest Capability Package (DAR CP) version 5 guidance for two layers of CNSA encryption. With DSSE-KMS, you can fulfill regulatory requirements that call for multiple layers of encryption on your data.
With DSSE-KMS, Amazon S3 now offers four options for server-side encryption.
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3): In SSE-S3, Amazon S3 manages the encryption keys for you. When you upload an object to S3, Amazon S3 automatically encrypts the data at the object level using a unique key. The encryption key itself is further protected by encryption at rest. This ensures the data is encrypted before it is written to disk on the underlying storage infrastructure.
- Server-Side Encryption with AWS Key Management Service (SSE-KMS): SSE-KMS allows you to use the AWS Key Management Service (KMS) to manage the encryption keys used by Amazon S3. With this approach, you can have more granular control over key management, including key rotation, audit trails, and integration with other AWS services. When you enable SSE-KMS, S3 uses a KMS customer master key (CMK) to encrypt the data at rest.
- Server-side encryption with customer-provided encryption keys (SSE-C): With SSE-C, you provide your own encryption keys to encrypt and decrypt data stored in S3, so you have full control over the encryption process and the keys used to secure your data. Compared to SSE-S3 and SSE-KMS, SSE-C provides a higher level of control over encryption keys but also places more responsibility on you for key management.
- Dual-layer server-side encryption with keys stored in KMS (DSSE-KMS): DSSE-KMS combines server-side encryption with SSE-S3 and SSE-KMS. In DSSE-KMS, the data is encrypted twice, once with SSE-S3 and then with SSE-KMS using a customer master key (CMK) managed by AWS KMS. Using DSSE-KMS provides enhanced security for your data stored in S3. The encryption keys are managed by AWS KMS, offering advanced key management features such as key rotation, auditing, and integration with other AWS services.
Working of DSSE-KMS
Step 1. Open the Amazon S3 console.
Step 2. Go to the navigation pane and select Buckets.
Step 3. Click on Create Bucket and give a unique name. Now the Default encryption section will appear.
Step 4. Choose Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS) as the Encryption type.
Step 5. Select Choose from your AWS KMS keys as AWS KMS key.
Step 6. Click on Create Bucket.
Step 7. In the Buckets list, choose the name of the bucket you want to upload an object to.
Step 8. Click Upload on the Objects tab.
Step 9. Go to Files and Folders and select Add Files.
Step 10. Select the file to upload and click on Open.
Step 11. In the Server-side encryption section, select Do not specify an encryption key.
Step 12. Click on Upload.
Step 13. Select the previously uploaded object and choose Download or choose Download as from the Object actions menu.
Once the object is downloaded, open it locally: the object is decrypted automatically, with no changes needed in client applications.
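The same procedure driven through the S3 API rather than the console, as an added example that is not part of the original article: it sets DSSE-KMS as the bucket default, uploads one object with DSSE-KMS requested explicitly, and checks the result from a HeadObject response. The bucket name, KMS key ARN and object key are assumed placeholders; the helper functions run offline, and only the live calls under __main__ need boto3 and AWS credentials.

```python
"""Added example (not from the original article): set DSSE-KMS as a bucket's
default encryption, upload one object with DSSE-KMS, and verify it afterwards.
Bucket name and KMS key ARN in __main__ are constructed placeholders."""
from typing import Any, Dict

DSSE_ALGORITHM = "aws:kms:dsse"  # S3 API value for dual-layer SSE with KMS keys


def default_encryption_config(kms_key_arn: str) -> Dict[str, Any]:
    """PutBucketEncryption body making DSSE-KMS the bucket default, so an upload
    that does not specify an encryption key (Step 11) is still encrypted twice."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": DSSE_ALGORITHM,
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": True,  # S3 Bucket Keys cut KMS call volume for DSSE-KMS too
        }]
    }


def put_object_args(bucket: str, key: str, kms_key_arn: str) -> Dict[str, str]:
    """Per-object PutObject parameters that request DSSE-KMS explicitly."""
    return {
        "Bucket": bucket,
        "Key": key,
        "ServerSideEncryption": DSSE_ALGORITHM,
        "SSEKMSKeyId": kms_key_arn,
    }


def is_dsse_kms(head_object_response: Dict[str, Any], kms_key_arn: str) -> bool:
    """Check a HeadObject response: the object must carry aws:kms:dsse under the
    expected key, not plain SSE-KMS (aws:kms) or SSE-S3 (AES256)."""
    return (
        head_object_response.get("ServerSideEncryption") == DSSE_ALGORITHM
        and head_object_response.get("SSEKMSKeyId") == kms_key_arn
    )


if __name__ == "__main__":
    import boto3  # only the live calls need it; the helpers above run offline
    bucket = "example-dsse-bucket"  # placeholder
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=default_encryption_config(key_arn))
    s3.put_object(Body=b"constructed sample payload", **put_object_args(bucket, "report.txt", key_arn))
    head = s3.head_object(Bucket=bucket, Key="report.txt")
    print("DSSE-KMS applied:", is_dsse_kms(head, key_arn))
```

The same check can be run over existing objects: one whose HeadObject response shows aws:kms or AES256 rather than aws:kms:dsse was stored before the default changed and keeps its single layer until it is re-encrypted, for example by copying it in place with the new encryption settings.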
Conclusion
Dual-layer server-side encryption in Amazon S3 provides an extra layer of security for data stored in S3 buckets. The data is protected both at the object level and through the encryption of the underlying encryption key. By implementing DSSE-KMS, organizations benefit from the advanced key management capabilities offered by AWS KMS, including key rotation, auditing, and integration with other AWS services.
We help your organization get strong encryption and key management capabilities for the data stored in Amazon S3.