Ensure that your AWS S3 buckets are configured to use Server-Side Encryption with customer-managed AWS KMS keys (SSE-KMS) instead of S3-Managed Keys (SSE-S3) in order to obtain fine-grained control over the Amazon S3 data-at-rest encryption and decryption process. (Server-Side Encryption with Customer-Provided Keys, SSE-C, is a different mode: the caller supplies the raw key on every request, S3 never stores it, and it cannot be set as a bucket default, so it is not what this rule checks.) Once the bucket's default encryption is configured to use a customer-managed key, Amazon S3 automatically encrypts any new object with the specified KMS CMK. Two caveats: objects already in the bucket are not re-encrypted, and a PUT request that explicitly names another encryption method overrides the default.
Using Server-Side Encryption with customer-managed AWS KMS keys (SSE-KMS) lets you choose which encryption key protects the bucket's objects, and the key policy and IAM policies attached to that key determine who can use it to decrypt your Amazon S3 data. AWS Key Management Service (KMS) lets you rotate, disable and audit (via AWS CloudTrail) the Customer Master Keys (CMKs, now called customer managed keys) configured for your Amazon S3 buckets. None of this applies to the AWS-managed aws/s3 key that S3 uses when no key is named, which you cannot disable or scope with your own key policy.
To determine the default encryption status and configuration for your AWS S3 buckets, perform the following actions:
To encrypt objects using customer-managed AWS KMS CMKs, perform the following:
Case A: To configure your Amazon S3 buckets to encrypt objects with an existing customer-managed AWS KMS CMK, perform the following actions:
Case B: To configure your Amazon S3 buckets to encrypt objects with a new customer-managed AWS KMS CMK, perform the following actions:
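The audit and the remediation above can be scripted. The following is an added example, not code from this page, from Trend Micro Cloud One Conformity, or from AWS: it classifies a bucket's default encryption from the response shapes that the S3 `GetBucketEncryption` and KMS `DescribeKey` APIs return, builds the `PutBucketEncryption` payload for SSE-KMS, and wires both to boto3-style clients. The sample responses are constructed for illustration, the `FakeS3` and `FakeKMS` classes are stand-ins so the script runs offline, and the key ARN uses the AWS documentation placeholder account `111122223333`.

```python
"""Audit an S3 bucket's default encryption and build the SSE-KMS payload.

Added example (not Conformity's or AWS's code). Pure functions work on the
response shapes of GetBucketEncryption / DescribeKey; audit_bucket() accepts
any objects with the boto3 client methods get_bucket_encryption/describe_key.
"""
from typing import Any, Dict, Optional

# Labels returned by classify_default_encryption()
NO_DEFAULT = "no-default-encryption"                    # GetBucketEncryption raised NotFound
SSE_S3 = "sse-s3"                                       # AES256, S3-managed keys
SSE_KMS_AWS_MANAGED = "sse-kms-aws-managed-key"         # aws:kms, but the key is aws/s3
SSE_KMS_KEY_UNUSABLE = "sse-kms-key-not-enabled"        # named CMK disabled / pending deletion
SSE_KMS_CUSTOMER_MANAGED = "sse-kms-customer-managed-key"  # the state this rule wants

# Placeholder ARN (AWS docs example account), not a real key
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _default_rule(config: Dict[str, Any]) -> Dict[str, Any]:
    """The ApplyServerSideEncryptionByDefault block of the first rule, or {}."""
    for rule in config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        if "ApplyServerSideEncryptionByDefault" in rule:
            return rule["ApplyServerSideEncryptionByDefault"]
    return {}


def kms_key_id(config: Optional[Dict[str, Any]]) -> Optional[str]:
    """KMSMasterKeyID named in the default rule; None for SSE-S3, no rule, or implicit aws/s3."""
    return _default_rule(config or {}).get("KMSMasterKeyID")


def classify_default_encryption(config: Optional[Dict[str, Any]],
                                key_metadata: Optional[Dict[str, Any]] = None) -> str:
    """config: GetBucketEncryption response (None if the call raised NotFound).
    key_metadata: DescribeKey response for the named key (required when one is named)."""
    if not config:
        return NO_DEFAULT
    default = _default_rule(config)
    if default.get("SSEAlgorithm") not in ("aws:kms", "aws:kms:dsse"):
        return SSE_S3
    if not default.get("KMSMasterKeyID"):
        return SSE_KMS_AWS_MANAGED          # S3 falls back to the AWS-managed aws/s3 key
    if key_metadata is None:
        raise ValueError("DescribeKey metadata is required to classify a named KMS key")
    meta = key_metadata.get("KeyMetadata", {})
    if meta.get("KeyManager") == "AWS":
        return SSE_KMS_AWS_MANAGED          # alias/aws/s3 named explicitly: same thing
    if meta.get("KeyState") != "Enabled":
        return SSE_KMS_KEY_UNUSABLE         # new PUTs will fail until the key is re-enabled
    return SSE_KMS_CUSTOMER_MANAGED


def is_compliant(label: str) -> bool:
    return label == SSE_KMS_CUSTOMER_MANAGED


def kms_default_encryption_payload(kms_key_arn: str, bucket_key: bool = True) -> Dict[str, Any]:
    """ServerSideEncryptionConfiguration argument for s3.put_bucket_encryption()."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": bucket_key,     # S3 Bucket Keys cut KMS request volume and cost
    }]}


def audit_bucket(s3, kms, bucket: str) -> str:
    """Live check with boto3-style clients; the KMS client must be in the key's region."""
    try:
        config = s3.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # boto3 raises ClientError; str(exc) contains the error code
        if "ServerSideEncryptionConfigurationNotFoundError" not in str(exc):
            raise
        config = None
    key = kms_key_id(config)
    meta = kms.describe_key(KeyId=key) if key else None
    return classify_default_encryption(config, meta)


# --- constructed sample responses and offline stand-ins for the boto3 clients ---
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_SSE_KMS_IMPLICIT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
SAMPLE_SSE_KMS_CMK = {"ServerSideEncryptionConfiguration":
                      kms_default_encryption_payload(EXAMPLE_KEY_ARN)}
CUSTOMER_KEY_META = {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Enabled"}}
AWS_KEY_META = {"KeyMetadata": {"KeyManager": "AWS", "KeyState": "Enabled"}}
DISABLED_KEY_META = {"KeyMetadata": {"KeyManager": "CUSTOMER", "KeyState": "Disabled"}}


class FakeS3:
    def __init__(self, config): self.config = config
    def get_bucket_encryption(self, Bucket):
        if self.config is None:  # mimic boto3's ClientError message for a bucket with no rule
            raise Exception("An error occurred (ServerSideEncryptionConfigurationNotFoundError)")
        return self.config


class FakeKMS:
    def __init__(self, meta): self.meta = meta
    def describe_key(self, KeyId): return self.meta


if __name__ == "__main__":
    for name, cfg, meta in [("none", None, None), ("sse-s3", SAMPLE_SSE_S3, None),
                            ("implicit aws/s3", SAMPLE_SSE_KMS_IMPLICIT, None),
                            ("cmk", SAMPLE_SSE_KMS_CMK, CUSTOMER_KEY_META)]:
        print(f"{name:16} -> {audit_bucket(FakeS3(cfg), FakeKMS(meta), 'example-bucket')}")
```

Against a real account, call `audit_bucket(boto3.client("s3"), boto3.client("kms", region_name=<key region>), bucket)` and remediate with `s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=kms_default_encryption_payload(key_arn))`. The `DescribeKey` step is what separates a genuine customer-managed CMK from `aws/s3`, which also reports `aws:kms` in the bucket configuration; without it a bucket can look compliant while using a key you cannot rotate, disable or scope.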