Certified Security - Specialty


S3 different encryption keys

When using server-side encryption with an AWS KMS-managed key, does it use the same key for every object?

I have seen an exam question in a practice test saying ‘how do I ensure a different key is used?’

The answer says server-side encryption with an AWS KMS-managed key will do it, but I think it will use the same key…?

I cannot find any reference that states different keys are used – HELP!

Jeffrey Dugas

If the context of the question was S3 bucket replication (cross-region replication), then perhaps the question was referring to the destination bucket’s KMS Key: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-encryptionconfiguration.html.

Jeffrey Dugas

You are correct that SSE-KMS will use the same KMS Key to encrypt/decrypt all bucket objects, therefore if the question explicitly requires the use of ‘different keys’ for objects in the same bucket, then you’ll be forced to layer client-side encryption on top of the server-side encryption.

1 Answer

Check this out: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html "When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key."
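An added example, not part of the original thread: a Python sketch that reads the `ServerSideEncryption` and `SSEKMSKeyId` fields S3 returns from HeadObject and reports which objects share a KMS key. The object names, key ARNs and `SAMPLE` metadata are constructed; `fetch_heads` is a hypothetical helper that assumes boto3 and AWS credentials.

```python
from collections import defaultdict

def summarize_encryption(heads):
    """heads maps object name -> HeadObject response dict.
    Returns (objects per SSE mode, objects per KMS key id)."""
    by_mode, by_kms_key = defaultdict(list), defaultdict(list)
    for name, head in sorted(heads.items()):
        # Field is absent when the object has no server-side encryption.
        mode = head.get("ServerSideEncryption", "none")
        by_mode[mode].append(name)
        if mode.startswith("aws:kms"):
            by_kms_key[head.get("SSEKMSKeyId", "unknown")].append(name)
    return dict(by_mode), dict(by_kms_key)

def shared_kms_keys(by_kms_key):
    """KMS keys that protect more than one object."""
    return {k: v for k, v in by_kms_key.items() if len(v) > 1}

def fetch_heads(bucket):
    """Hypothetical helper: HeadObject metadata for every object in a bucket."""
    import boto3  # imported here so the offline sample runs without it
    s3 = boto3.client("s3")
    heads = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return heads

# Constructed sample metadata (placeholder account id and key ids).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
SAMPLE = {
    "reports/q1.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_A},
    "reports/q2.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_A},
    "hr/payroll.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_B},
    "public/logo.png": {"ServerSideEncryption": "AES256"},  # SSE-S3
    "tmp/old.txt": {},  # no SSE field in the response
}

if __name__ == "__main__":
    modes, keys = summarize_encryption(SAMPLE)
    for mode, names in modes.items():
        print(f"{mode}: {names}")
    for key, names in shared_kms_keys(keys).items():
        print(f"shared KMS key {key}: {names}")
```

To run it against a real bucket, pass `fetch_heads("your-bucket-name")` to `summarize_encryption` in place of `SAMPLE`.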
