hands-on lab

Encrypting S3 Objects Using SSE-KMS

Up to 45m


Data security is an important consideration for anyone storing data in the cloud. Encrypting data at rest ensures that anyone who gains access to the disks storing your data can only view it in encrypted form, making it useless to attackers. Amazon S3 object storage supports several mechanisms for encryption at rest. This lab focuses on Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS). This approach gives you control of the master key that generates the data keys S3 uses to perform encrypt and decrypt operations.

Lab Objectives

Upon completion of this Lab you will be able to:

  • Understand the benefits of SSE-KMS and when to use it
  • Create customer-managed customer master keys (CMKs) in AWS Key Management Service (KMS)
  • Use SSE-KMS encryption of objects at rest in S3 buckets
  • Enforce that all objects in an S3 bucket are encrypted using SSE-KMS and, if desired, require a specific CMK for the encryption

Intended Audience

This lab is intended for:

  • Anyone interested in data security in AWS


You should be familiar with:


November 15th, 2023 - Updated the instructions and screenshots to reflect the latest UI

April 25th, 2022 - Updated the instructions and screenshots to reflect the latest UI

February 3rd, 2020 - Added a validation check to test the CMK is created

Environment before

Environment after

About the author

Logan Rakai
Lead Content Developer - Labs

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.


Lab steps

Logging In to the Amazon Web Services Console
Learning important Key Management Service (KMS) terms
Creating a Customer Master Key (CMK)
Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)
Enforcing S3 Encryption Using Bucket Policies