sect2249
I enabled S3 encryption on two objects. However, the "aws/s3" managed keys are not appearing in the Encryption Keys section within the IAM console.
2 Answers
T.J.
Hi there,
Remember, KMS is a region service, like S3. If you don’t have a bucket in a region with encryption enabled, in the region that your viewing in KMS, then you won’t see the aws/s3 key. I haven’t used the Stockholm region yet, and KMS is completely empty for me there.
T.J.
Hi there,
See Protecting Data Using Server-Side Encryption. SSE-S3 uses the AES-256, which is managed by S3. SSE-KMS is the KMS managed key you’re looking for.
Hi T.J., Thanks for your quick response. Both my bucket and KMS region are US East. I enabled SSE-S3 encryption on a single bucket object, and was expecting to see the key in KMS due to the fact that both S3 and KMS are in US East region. I am still not seeing the key listed in KMS as aws/s3 managed.
So i figured out that i have to select "AES-KMS", then select "aws/s3" inorder to see the aws managed key in the IAM console. Why doesnt an aws managed key appear in the IAM console when you select "AES-256"? Is it because S3 is managing the S3 key rather than IAM managing the S3 key?