17
votes

When I SSE-S3 encrypt the bucket (objects) with AES256 and make it public, the contents of the bucket are visible. However, this is not the case with AWS KMS, which throws the following error:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

How is the end-user able to view the object if it is AES256 encrypted?

Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key employing strong multi-factor encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

According to this, my understanding is that if an object is encrypted, it requires the decryption keys, or in the AWS world, access to the key that decrypts it. Please explain how AES256 is different from KMS (other than the key policies provided by AWS on KMS).


1 Answer

28
votes

Server-Side Encryption in S3 is always AES256, whether you are using SSE-S3 or SSE-KMS.

In both cases, S3 uses a key to transparently encrypt the object for storage and decrypt the object on request. The user accessing the object does not see the encrypted object in either case.

With SSE-S3, S3 owns and controls the keys, so permission to upload or download includes implicit permission for S3 to access the keys that it needs in order to access the object.

The level of encryption is the same whether you use SSE-S3 or SSE-KMS, but SSE-KMS imposes more stringent security constraints on accessing the objects, including mandatory use of HTTPS and Signature Version 4.
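To make the "Signature Version 4" requirement in the error concrete, here is an added example (not code from the question, the answer, or AWS) that builds a SigV4-signed S3 GetObject request using only the Python standard library. The access key, secret key, bucket, object key and timestamp are constructed placeholders; it signs a header-authenticated GET with an empty body and does not cover every S3 signing variant. The point it illustrates is that the signature is an HMAC chain rooted in a caller's secret key, which is exactly what an anonymous reader of a "public" SSE-KMS object cannot produce, whereas an SSE-S3 object needs no such credential for S3 to decrypt it transparently.

```python
"""Minimal AWS Signature Version 4 signer for an S3 GET (stdlib only, offline)."""
import hashlib
import hmac
import urllib.parse

# SHA-256 of an empty body: the payload hash used for a GET with no body.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning.
    Only someone holding secret_key can produce this key, so only they can sign."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload_hash: str):
    """Return (canonical request string, SignedHeaders list) per the SigV4 layout:
    method, URI, sorted query, lower-cased sorted headers, signed header names, payload hash."""
    canon_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    lowered = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canon_headers = "".join(f"{k}:{v}\n" for k, v in lowered)
    signed_headers = ";".join(k for k, _ in lowered)
    canon = "\n".join([method, path, canon_query, canon_headers, signed_headers, payload_hash])
    return canon, signed_headers


def sign_s3_get(access_key: str, secret_key: str, region: str, bucket: str, key: str,
                amz_date: str, payload_hash: str = EMPTY_PAYLOAD_SHA256) -> dict:
    """Produce the URL and headers (including Authorization) for a SigV4-signed GetObject.
    amz_date is the ISO 8601 basic timestamp, e.g. 20150830T123600Z (constructed value)."""
    service = "s3"
    date_stamp = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"          # virtual-hosted style endpoint
    path = "/" + urllib.parse.quote(key, safe="/-_.~")     # object key, URI-encoded
    headers = {
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,              # S3 requires this header under SigV4
    }
    canon, signed_headers = canonical_request("GET", path, {}, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canon.encode("utf-8")).hexdigest(),
    ])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"url": f"https://{host}{path}", **headers, "authorization": authorization}


if __name__ == "__main__":
    # Constructed placeholder credentials and object; nothing here talks to AWS.
    req = sign_s3_get("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                      "us-east-1", "example-bucket", "photos/cat.jpg", "20150830T123600Z")
    for name, value in req.items():
        print(f"{name}: {value}")
```

The `x-amz-date` must be close to the server clock and the `Credential` scope must match the date, region and service, so a signed request both proves possession of a secret key and expires quickly; SSE-KMS refuses requests that lack this (the error in the question), while SSE-S3 lets S3 decrypt for any caller the bucket policy admits, including anonymous ones.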