If the object is still encrypted when I use Server Side encryption, why am I able to see it when I change from KMS to S3 encryption?

Question

In the KMS lesson, Ryan intially uses KMS encryption and the file is not accessible from the public URL. When he switches it to S3 encryption, he can see it. Why is this? Why doesn’t S3 encryption block access also? What is the point of the S3 encryption option if this is possible?

zhihong guo Answered 1 year ago · Answer 1 · 2020-04-20 03:29:09

zhihong guo

Answered 1 year ago

Both SSE-KMS and SSE-S3 enable data encryption at rest. For SSE-KMS, it requires permissions to both data and master key to 1) access the data and 2) have it decrypted. For SSE-S3, AWS encrypts the data before saving it and decrypt the data when retrieved. I.e., permission to the data will automatically gives you permission to S3 encryption key.

If the object is still encrypted when I use Server Side encryption, why am I able to see it when I change from KMS to S3 encryption?

1 Answers

Newsletter