When using server-side encryption with AWS KMS-managed key, does it use the same key for every object?
I have seen an exam question in a practice test saying ‘how do I ensure a different key is used?’
The answer is saying server-side encryption with AWS KMS-managed key will do it but I think it will use the same key… ??
I cannot find any reference that states different keys are used – HELP!
Check this out: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html "When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key."
If the context of the question was S3 bucket replication (cross-region replication), then perhaps the question was referring to the destination bucket’s KMS Key: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-encryptionconfiguration.html.
You are correct that SSE-KMS will use the same KMS Key to encrypt/decrypt all bucket objects, therefore if the question explicitly requires the use of ‘different keys’ for objects in the same bucket, then you’ll be forced to layer client-side encryption on top of the server-side encryption.
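One way to check which KMS key each object in a bucket is actually stored under, as an added example that is not part of the thread above. It reads the `ServerSideEncryption` and `SSEKMSKeyId` fields that boto3's `head_object` returns; the object names and key ARNs are constructed placeholders, and `put_args` shows the per-request `SSEKMSKeyId` parameter of `put_object`.

```python
from collections import defaultdict

# Constructed sample shaped like boto3 s3.head_object() responses.
# Object names and KMS key ARNs are made-up placeholders.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
SAMPLE_HEADS = {
    "invoices/1.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_A},
    "invoices/2.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_A},
    "hr/payroll.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_B},
    "public/logo.png": {"ServerSideEncryption": "AES256"},  # SSE-S3
    "legacy/old.txt": {},  # no SSE header reported for this object
}

def fetch_heads(s3, bucket, names):
    """Live variant: s3 is a boto3 S3 client supplied by the caller."""
    return {n: s3.head_object(Bucket=bucket, Key=n) for n in names}

def put_args(bucket, name, body, kms_key_id):
    """Keyword arguments for s3.put_object() that pin one object to one KMS key."""
    return {"Bucket": bucket, "Key": name, "Body": body,
            "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_id}

def audit(heads):
    """Group object names by (SSE mode, KMS key ID) as reported by S3."""
    groups = defaultdict(list)
    for name, head in heads.items():
        mode = head.get("ServerSideEncryption")
        is_kms = bool(mode) and mode.startswith("aws:kms")
        key_id = head.get("SSEKMSKeyId") if is_kms else None
        groups[(mode, key_id)].append(name)
    return {k: sorted(v) for k, v in groups.items()}

def shared_kms_keys(heads):
    """KMS key IDs that protect more than one object."""
    return {key_id: names for (mode, key_id), names in audit(heads).items()
            if key_id is not None and len(names) > 1}

if __name__ == "__main__":
    for (mode, key_id), names in audit(SAMPLE_HEADS).items():
        print(mode or "no-sse-header", key_id or "-", names)
    print("shared:", shared_kms_keys(SAMPLE_HEADS))
```

The report covers the KMS key ID recorded on each object, so it answers "which objects share a KMS key" for a bucket whose default encryption and per-request settings may differ.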