
As per the documentation:

Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). This new bucket-level key for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for AWS KMS-based encryption on new objects.

The documentation notes a couple of scenarios to be aware of before enabling the feature, but doesn't list any reasons why you would disable it overall... so why is it even an option?

I can't think of any use-case where a user would want this disabled (if they are already using KMS). Any ideas?


  • What is the use case for Amazon KMS in the first place? ;) Commented Aug 30, 2022 at 22:34
  • Other than what the docs list, the only reason I can think of is possibly compliance with some security standards that require per-object encryption keys. IMHO KMS is more for compliance than security. Commented Aug 30, 2022 at 22:38
  • @anx Same level of encryption, but it's about who holds custody of the private key. Using KMS you are using an "AWS managed key", meaning the private key is associated with YOUR account. When you don't use KMS and just use the default, it uses the "AWS owned key", in which the private key is owned and held by Amazon. See "Customer keys and AWS keys" in docs.aws.amazon.com/kms/latest/developerguide/concepts.html Commented Sep 1, 2022 at 16:07
  • @Tim Yeah, compliance sounds right. As you mentioned, this bucket key option really just comes down to a "per object" or "whole bucket" encryption scheme. Just couldn't think of a use case for why you would need per-object... but corpo compliance seems like a fitting reason. Commented Sep 1, 2022 at 16:14

1 Answer

This bucket key is under control of AWS. The AWS customer using the S3 bucket cannot control when the key is rotated or disabled, among other things. It is indeed very convenient for AWS to manage all the key-related activities without the customer needing to worry about them, and AWS uses very strong keys.

An organization's Information Security (InfoSec) team may require all encryption to be performed by keys under the control of the organization. An AWS-controlled key may not be good enough. In this situation, the InfoSec team may dictate that customer-managed keys must be used, ruling out the type of key you are asking about.

  • It's using an AWS managed key regardless of whether this option is enabled or disabled. See the screenshot in the original post just above the circled option: "AWS managed key" is chosen regardless of the "bucket key" option selection. Commented Sep 1, 2022 at 16:04
