Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)

Lab Steps

Logging in to the Amazon Web Services Console
Learning important Key Management Service (KMS) terms
Creating a Customer Master Key (CMK)
Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)
Enforcing S3 Encryption Using Bucket Policies
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.


With your own CMK created and enabled, you are now able to use it for server-side encryption of data in S3 in the same region as the CMK. This is referred to as server-side encryption with customer master keys (CMKs) stored in AWS Key Management Service, or more simply, SSE-KMS. In SSE-KMS, the CMK generates data keys that S3 uses to encrypt objects. Not only do users need to have access to the S3 bucket and object with SSE-KMS, users must also have permission to use the CMK. In comparison to the other server-side encryption option for S3, server-side encryption with Amazon S3-managed keys (SSE-S3), the user only needs permission to access the object and does not require separate permission to use S3's underlying key. SSE-KMS provides a higher degree of control, although it requires additional charges for the key and for performing operations with the key. SSE-KMS also provides an additional audit trail showing when the CMK was used and by who.

If you do not create your own CMK, S3 can still use an AWS managed KMS CMK that is created by default in your account in the S3 bucket's region. This key is visible in the KMS console under AWS Managed Keys and is named aws/s3. However, because the key is managed by AWS you don't have the same degree of access control over key as you do with a customer managed key.

You will upload a file and encrypt it using SSE-KMS in this lab step.



1. In the AWS Management Console search bar, enter S3, and click the S3 result under Services:



2. Click the name of the bucket the Cloud Academy lab environment created for you (name begins with cloudacademylabs-ssekms):



3. Click Upload.


4. Click Add files and select a small file, or download this sample file and select it.



5. Expand the Properties tab and scroll until the Server-side encryption settings.



6. Check the Specify an encryption key checkbox. 


7. Check the AWS Key Management Service key (SSE-KMS) checkbox and then the Choose from your AWS KMS keys checkbox:



8. Choose the AWS KMS key you previously generated:



9. Click on Upload.


10. Click Close and then click the name of the object to open its properties panel: 


You can verify the object is encrypted using SSE-KMS by checking that the Encryption field is AWS-KMS.



In this lab step, you Encrypted an object in S3 using SSE-KMS. You can also configure SSE-KMS as the default encryption property for all uploaded objects by configuring bucket properties. However, that will not enforce that all objects use SSE-KMS because it can be overridden with each request. You will see how to enforce SSE-KMS encryption in the next lab step.

Validation checks
SSE-KMS Encrypted File Exists in S3

Checks if an object in the S3 bucket has been encrypted with SSE-KMS

Encryption for AWSAmazon S3