Ensure that your Amazon S3 buckets have S3 Bucket Keys enabled in order to reduce the request costs of Server-Side Encryption with AWS Key Management Service (SSE-KMS) by up to 99%. Bucket keys cut the request traffic from Amazon S3 to AWS KMS without requiring any change to your client applications. S3 Bucket Keys are not enabled by default.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
optimisation
Amazon S3 can encrypt and decrypt your objects with keys managed in AWS KMS (SSE-KMS). Without bucket keys, S3 asks KMS for a unique data key for every object it writes and asks KMS to decrypt that object's data key on every read, so applications that access millions or billions of SSE-KMS objects generate a large volume of KMS requests, each of which is billed and counted against the KMS request quota. With S3 Bucket Keys, KMS instead generates a short-lived bucket-level key, and S3 uses that key to derive unique data keys for the objects in the bucket locally, without a KMS call per object. This reduces the request traffic from Amazon S3 to KMS and lets you access encrypted objects within your buckets at a fraction of the previous cost.
Note: The S3 Bucket Key feature can be enabled only for Amazon S3 buckets whose default Server-Side Encryption uses AWS Key Management Service (SSE-KMS). Enabling it changes the encryption context of the KMS requests from the object ARN to the bucket ARN, so KMS key policies or IAM policies that restrict use of the key with a kms:EncryptionContext:aws:s3:arn condition on object ARNs must be updated to match the bucket ARN, and CloudTrail will record far fewer KMS events (per bucket-level key rather than per object). The setting applies only to objects written after it is enabled; existing objects keep their per-object data keys until they are copied or rewritten.
Audit
To determine if bucket keys are enabled for your Amazon S3 buckets, perform the following operations:
Remediation / Resolution
To enable bucket keys for your existing Amazon S3 buckets, perform the following operations:
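The audit and remediation procedures above, as an added shell example built on the AWS CLI s3api commands listed in the references; it is not Conformity's own tooling. The function names, the constructed sample get-bucket-encryption responses and the placeholder account ID and key ID in them are assumptions made for this example. The pure functions classify a bucket's encryption configuration and build the put-bucket-encryption document offline; the two functions that start with "audit_" and "enable_" call the AWS CLI and need credentials with s3:ListAllMyBuckets, s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration.

```shell
#!/usr/bin/env bash
# Added example: audit S3 buckets for BucketKeyEnabled and enable it on
# SSE-KMS buckets while keeping the bucket's current KMS key.

# Constructed sample responses (not captured from a real account) in the
# shape returned by `aws s3api get-bucket-encryption`.
SAMPLE_KMS_NO_BUCKET_KEY='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},"BucketKeyEnabled":false}]}}'
SAMPLE_SSE_S3='{"ServerSideEncryptionConfiguration":{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"},"BucketKeyEnabled":false}]}}'

# Classify a get-bucket-encryption response. Prints one of:
#   ENABLED      SSE-KMS default encryption with BucketKeyEnabled=true
#   DISABLED     SSE-KMS default encryption, bucket key off (the finding)
#   NOT_SSE_KMS  default encryption is SSE-S3 or absent; bucket keys do not apply
classify_encryption_config() {
  local compact
  # Collapse whitespace so the match does not depend on CLI pretty-printing.
  compact=$(printf '%s' "$1" | tr -d ' \n\r\t')
  # The prefix match also covers "aws:kms:dsse" (dual-layer SSE-KMS).
  if ! printf '%s' "$compact" | grep -q '"SSEAlgorithm":"aws:kms'; then
    echo NOT_SSE_KMS
  elif printf '%s' "$compact" | grep -q '"BucketKeyEnabled":true'; then
    echo ENABLED
  else
    echo DISABLED
  fi
}

# Extract the KMSMasterKeyID from a response; prints nothing if the bucket
# relies on the AWS-managed aws/s3 key.
kms_key_id_from_config() {
  printf '%s' "$1" | tr -d ' \n\r\t' |
    sed -n 's/.*"KMSMasterKeyID":"\([^"]*\)".*/\1/p'
}

# Build the document for put-bucket-encryption: SSE-KMS with the bucket key
# on. $1 is an optional KMS key ID or ARN; empty keeps the aws/s3 key.
bucket_key_config_json() {
  local key_clause=""
  if [ -n "$1" ]; then
    key_clause=",\"KMSMasterKeyID\":\"$1\""
  fi
  printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"%s},"BucketKeyEnabled":true}]}' "$key_clause"
}

# Audit: print "<STATUS>\t<bucket>" for every bucket in the account.
audit_bucket_keys() {
  local bucket cfg
  for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
    # get-bucket-encryption exits non-zero (ServerSideEncryptionConfigurationNotFoundError)
    # when no default encryption is configured; treat that as NOT_SSE_KMS.
    cfg=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null) || cfg=""
    printf '%s\t%s\n' "$(classify_encryption_config "$cfg")" "$bucket"
  done
}

# Remediation: enable the bucket key on one SSE-KMS bucket, preserving its
# KMS key. Refuses to change buckets that are not using SSE-KMS, because
# switching the algorithm is a separate decision from enabling bucket keys.
enable_bucket_key() {
  local bucket="$1" cfg key
  cfg=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null) || cfg=""
  case "$(classify_encryption_config "$cfg")" in
    ENABLED)     echo "$bucket: bucket key already enabled"; return 0 ;;
    NOT_SSE_KMS) echo "$bucket: default encryption is not SSE-KMS; not changed" >&2; return 1 ;;
  esac
  key=$(kms_key_id_from_config "$cfg")
  aws s3api put-bucket-encryption --bucket "$bucket" \
    --server-side-encryption-configuration "$(bucket_key_config_json "$key")"
}
```

Typical use after sourcing the file: `audit_bucket_keys | grep '^DISABLED'` lists the buckets that produce this finding, and `enable_bucket_key <bucket>` fixes one of them. Before running the remediation, check that no KMS key policy or IAM policy conditions on the object ARN in the aws:s3:arn encryption context, since the bucket key changes that value to the bucket ARN.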
References
- AWS Documentation
- Amazon S3 FAQs
- Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys
- Setting default server-side encryption behavior for Amazon S3 buckets
- What is Amazon S3?
- AWS Command Line Interface (CLI) Documentation
- s3api
- list-buckets
- get-bucket-encryption
- put-bucket-encryption
- AWS Announcements
- Amazon S3 Bucket Keys reduce the costs of Server-Side Encryption with AWS Key Management Service (SSE-KMS)
- CloudFormation Documentation
- AWS::S3::Bucket
- Terraform Documentation
- AWS Provider