Amazon S3 has recently added support for two independent layers of server-side encryption with AWS KMS (DSSE-KMS) for top-secret workloads. With this launch, Amazon S3 is the only cloud object storage service that supports multiple layers of server-side encryption at the object level.
"DSSE-KMS is designed to meet National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption." -- AWS News Blog
Each layer of encryption uses a different implementation of the 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-GCM), each with its own data encryption key.
It uses AWS Key Management Service (AWS KMS) to generate the data keys, so you retain full control over the KMS key's permission settings and rotation schedule.
Video Tutorial & Demo:
Use case:
It is well suited to applications that require
- rigorous security standards
- regulatory compliance for data security
- top-secret workloads, such as National Security Systems or US Department of Defense (DoD) customers
For protecting data at rest in Amazon S3, there are now 4 different options for server-side encryption:
- Server-side encryption with Amazon S3 managed keys (SSE-S3)
- Server-side encryption with AWS KMS keys (SSE-KMS)
- Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
- Server-side encryption with customer-provided keys (SSE-C)
DSSE-KMS can be enabled through the Amazon S3 console, the Amazon S3 REST API, and the AWS Command Line Interface (AWS CLI).
If it is specified at the S3 bucket level as the default encryption, it is applied to all new objects by default.
For the REST API, the following headers need to be passed with the PUT or COPY request: x-amz-server-side-encryption: aws:kms:dsse and x-amz-server-side-encryption-aws-kms-key-id: <key-id>. If the KMS key ARN is not passed, the AWS managed key (aws/s3) will be used by default.
In the AWS CLI, to create an object pass the following options: --server-side-encryption aws:kms:dsse and --ssekms-key-id <key-id>. If --ssekms-key-id is not provided, the AWS managed key (aws/s3) will be used.
aws s3api put-object --bucket <bucket> --key <object-key> --server-side-encryption aws:kms:dsse --ssekms-key-id <key-id> --body filepath
To enforce dual-layer encryption, IAM policies and bucket policies can be used.
Sample bucket policy:
{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyObjectUploadsWithoutDSSE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<my-bucket>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms:dsse"
        }
      }
    }
  ]
}
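As an added example (not code from the original post or from AWS), the small evaluator below checks the bucket policy above against sample PutObject requests before it is deployed. It assumes IAM's rule that a negated operator such as StringNotEquals matches when the condition key is absent from the request context, which is what makes the Deny also cover uploads that send no encryption header at all; <my-bucket> is a placeholder.

```python
import json

# Constructed copy of the bucket policy above; <my-bucket> is a placeholder.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyObjectUploadsWithoutDSSE",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::<my-bucket>/*",
    "Condition": {"StringNotEquals": {
      "s3:x-amz-server-side-encryption": "aws:kms:dsse"}}
  }]
}""")


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block matches.
    Values for one key are ORed, keys are ANDed.  A negated operator such as
    StringNotEquals matches when the key is absent from the request context,
    so this Deny also hits uploads that send no encryption header at all."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def put_object_denied(policy, headers):
    """True if a Deny statement on s3:PutObject matches the request headers."""
    context = {}  # policy condition keys derived from the x-amz-* headers
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject":
            if condition_matches(stmt.get("Condition", {}), context):
                return True
    return False
```

Running it shows that only requests carrying x-amz-server-side-encryption: aws:kms:dsse pass; single-layer SSE-KMS, SSE-S3 and header-less uploads are all denied.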