Source URL: https://aws.amazon.com/blogs/aws/amazon-s3-express-one-zone-now-supports-aws-kms-with-customer-managed-keys/
Source: AWS News Blog
Title: Amazon S3 Express One Zone now supports AWS KMS with customer managed keys
Feedly Summary: Secure your mission-critical data with S3 Express One Zone’s server-side encryption using KMS keys, combining top-notch performance and robust security for regulatory compliance.
AI Summary and Description: Yes
Summary: The text discusses the new server-side encryption capability for Amazon S3 Express One Zone, which now supports AWS Key Management Service (KMS) keys. This feature enhances security for data stored in a high-performance storage class while meeting compliance and regulatory requirements.
Detailed Description:
The introduction of server-side encryption with AWS KMS for Amazon S3 Express One Zone provides an additional layer of security for users managing their data. This capability is particularly significant for security and compliance professionals who need to safeguard sensitive information stored in cloud environments.
Key Points:
– **Encryption Capability**:
  – Amazon S3 Express One Zone can now use AWS KMS customer managed keys (SSE-KMS) to encrypt stored data at rest.
  – Previously, S3 Express One Zone encrypted objects with Amazon S3 managed keys (SSE-S3) by default.
  – This gives more granular control over encryption keys, aiding compliance with regulatory frameworks.
– **Performance and Costs**:
  – SSE-KMS does not compromise performance; users still get low-latency access to frequently needed data.
  – S3 Bucket Keys are enabled, reducing the number of requests to AWS KMS by up to 99%, which benefits both performance and operating cost.
– **Operational Requirements**:
  – Users need an IAM role or user whose policies allow the KMS operations Decrypt and GenerateDataKey.
  – S3 directory buckets are limited to one customer managed key per bucket, whereas general-purpose buckets can use multiple KMS keys.
– **Security Testing**:
  – The post demonstrates uploading and downloading data with the AWS CLI under correct permissions, showing why correctly assigned IAM roles matter when accessing encrypted data.
  – An attempted access with insufficient permissions returned an AccessDenied error, illustrating that the encryption is enforced.
– **Compliance and Audit**:
  – The feature helps organizations meet compliance and governance requirements; AWS CloudTrail support provides audit logs of SSE-KMS actions on S3 objects.
– **Startup Steps**:
  – SSE-KMS for S3 Express One Zone can be set up via the AWS console, CLI, or SDKs, giving several entry points for implementation.
  – The feature is available in all supported AWS Regions; compliance checks and performance considerations remain important for organizations strengthening their cloud security posture.
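As an added example (not code from the AWS post), a Python check that a directory bucket's default encryption and its caller's IAM policy match the requirements listed above: SSE-KMS with a single customer managed key, S3 Bucket Key enabled, and a policy granting kms:Decrypt and kms:GenerateDataKey. The encryption document uses the shape GetBucketEncryption returns; the key ARN and policy are constructed placeholders.

```python
import fnmatch

REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"  # constructed placeholder

# Constructed sample: default-encryption document of a directory bucket set up
# as the post describes (SSE-KMS, one customer managed key, S3 Bucket Key on).
SAMPLE_ENCRYPTION = {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
    "BucketKeyEnabled": True,
}]}

# Constructed sample: policy of the role that uploads and downloads the objects.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN},
]}


def check_encryption(config):
    """Findings for a directory bucket's default encryption; an empty list means it matches."""
    findings, keys = [], set()
    rules = config.get("Rules", [])
    if not rules:
        findings.append("no default encryption rule configured")
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            findings.append(f"rule uses {default.get('SSEAlgorithm')!r} rather than SSE-KMS")
        if default.get("KMSMasterKeyID"):
            keys.add(default["KMSMasterKeyID"])
        else:
            findings.append("no customer managed key ID specified in the rule")
        if not rule.get("BucketKeyEnabled"):
            findings.append("S3 Bucket Key disabled: every object would cost a KMS request")
    if len(keys) > 1:
        findings.append("directory buckets take exactly one customer managed key")
    return findings


def missing_kms_actions(policy):
    """Required KMS actions not covered by any Allow statement (IAM wildcards honoured)."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            allowed.update([action] if isinstance(action, str) else action)
    return [need for need in REQUIRED_KMS_ACTIONS
            if not any(fnmatch.fnmatchcase(need.lower(), pat.lower()) for pat in allowed)]
```

Feed the functions the live output of `aws s3api get-bucket-encryption` and `get-role-policy` to audit a real bucket; a non-empty result from either is a misconfiguration to fix before relying on SSE-KMS for compliance.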
In conclusion, the introduction of AWS KMS for Amazon S3 Express One Zone represents a noteworthy development in cloud-based data security, crucial for organizations looking to fortify their compliance capabilities and optimize costs.