Using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) - Amazon Simple Storage Service

Using dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS) applies two layers of encryption to objects when they are uploaded to Amazon S3. DSSE-KMS helps you more easily fulfill compliance standards that require you to apply multilayer encryption to your data and have full control of your encryption keys.

The "dual" in DSSE-KMS refers to two independent layers of AES-256 encryption that are applied to your data:

  • First layer: Your data is encrypted using a unique data encryption key (DEK) generated by AWS KMS

  • Second layer: The already-encrypted data is encrypted again using a separate AES-256 encryption key managed by Amazon S3

This differs from standard SSE-KMS, which applies only a single layer of encryption. The dual-layer approach provides enhanced security by ensuring that even if one encryption layer were compromised, your data would remain protected by the second layer. This additional security comes with increased processing overhead and AWS KMS API calls, which accounts for the higher cost compared to standard SSE-KMS.

When you use DSSE-KMS with an Amazon S3 bucket, the AWS KMS keys must be in the same Region as the bucket. Also, when DSSE-KMS is requested for the object, the S3 checksum that's part of the object's metadata is stored in encrypted form. For more information about checksums, see Checking object integrity in Amazon S3.

There are additional charges for using DSSE-KMS compared to standard SSE-KMS due to the increased computational overhead of applying two layers of encryption and additional AWS KMS API calls required for the dual encryption process. For more information about DSSE-KMS pricing, see AWS KMS key concepts in the AWS Key Management Service Developer Guide and AWS KMS pricing.

Note

S3 Bucket Keys aren't supported for DSSE-KMS.

DSSE-KMS vs. standard SSE-KMS

The key differences between DSSE-KMS and standard SSE-KMS are:

  • Encryption layers: DSSE-KMS applies two independent layers of AES-256 encryption, while standard SSE-KMS applies one layer

  • Security: because the two layers use independent keys, compromise of one layer (its key or its implementation) leaves the data still protected by the other layer

  • Compliance: DSSE-KMS helps meet regulatory requirements that mandate multilayer encryption

  • Performance: DSSE-KMS has slightly higher latency due to additional encryption processing

  • Cost: DSSE-KMS incurs higher charges due to increased computational overhead and additional AWS KMS operations

Requiring dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)

To require dual-layer server-side encryption of all objects in a particular Amazon S3 bucket, you can use a bucket policy. For example, the following bucket policy denies the upload object (s3:PutObject) permission to every principal in account 111122223333 if the request does not include an x-amz-server-side-encryption header with the value aws:kms:dsse. Because a StringNotEquals condition also matches when the condition key is absent from the request, an upload that omits the header entirely is denied, not only one that asks for a different encryption type. To apply the same deny to all requesters, including principals in other accounts, use "Principal": "*". Note that the condition is evaluated on the request headers: configuring DSSE-KMS as the bucket's default encryption does not satisfy it, so clients must still send the header explicitly.

JSON
{
   "Version": "2012-10-17",
   "Id": "PutObjectPolicy",
   "Statement": [
      {
         "Sid": "DenyUnEncryptedObjectUploads",
         "Effect": "Deny",
         "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
         },
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {
            "StringNotEquals": {
               "s3:x-amz-server-side-encryption": "aws:kms:dsse"
            }
         }
      }
   ]
}
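The following Python is an added example, not code from the Amazon S3 documentation. It checks the enforcement policy above against a few constructed upload requests using the StringNotEquals semantics the policy relies on (a missing header counts as "not equal", so the Deny fires), and it builds the boto3-style parameters for an upload that satisfies the policy and for a bucket default-encryption configuration that uses DSSE-KMS with S3 Bucket Keys left disabled, as the note earlier on this page requires. The bucket name, account ID and KMS key ARN are placeholders, the policy here uses "Principal": "*" rather than the account root shown above, and the evaluator models only this policy's single condition, not the full IAM evaluation logic.

```python
"""Added example (not from the AWS docs): offline check of a DSSE-KMS
enforcement bucket policy plus the matching boto3-style parameters.
Bucket, account ID and key ARN are placeholders."""

import json

BUCKET = "amzn-s3-demo-bucket"          # placeholder bucket name
# Placeholder key ARN; the key must be in the same Region as the bucket.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
DSSE_KMS = "aws:kms:dsse"
SSE_HEADER = "x-amz-server-side-encryption"


def dsse_enforcement_policy(bucket: str) -> dict:
    """Bucket policy denying s3:PutObject unless DSSE-KMS is requested.
    Principal "*" makes the Deny apply to every requester, including
    principals in other accounts."""
    return {
        "Version": "2012-10-17",
        "Id": "PutObjectPolicy",
        "Statement": [{
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {f"s3:{SSE_HEADER}": DSSE_KMS}},
        }],
    }


def string_not_equals(headers: dict, condition_key: str, expected: str) -> bool:
    """IAM semantics of a negated string condition: true when the value
    differs AND when the key is absent from the request, so a PutObject
    that omits the encryption header is denied as well."""
    header = condition_key.split(":", 1)[1]       # "s3:x-amz-..." -> "x-amz-..."
    value = headers.get(header)
    return value is None or value != expected


def upload_is_denied(policy: dict, headers: dict) -> bool:
    """True when any Deny statement's StringNotEquals block matches the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"].get("StringNotEquals", {})
        if all(string_not_equals(headers, k, v) for k, v in cond.items()):
            return True
    return False


def put_object_params(bucket: str, key: str, body: bytes) -> dict:
    """Keyword arguments for boto3 s3.put_object() that satisfy the policy;
    the SDK sends them as the x-amz-server-side-encryption and
    x-amz-server-side-encryption-aws-kms-key-id headers."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": DSSE_KMS, "SSEKMSKeyId": KMS_KEY_ARN}


def default_encryption_config() -> dict:
    """ServerSideEncryptionConfiguration for boto3 s3.put_bucket_encryption().
    S3 Bucket Keys are not supported with DSSE-KMS, so BucketKeyEnabled stays
    False.  Default encryption does not satisfy the Deny above by itself: the
    condition is evaluated on request headers, so clients must send them."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": DSSE_KMS, "KMSMasterKeyID": KMS_KEY_ARN},
        "BucketKeyEnabled": False,
    }]}


# Constructed sample requests: the encryption header each upload would carry.
SAMPLE_REQUESTS = {
    "no header": {},
    "sse-s3":    {SSE_HEADER: "AES256"},
    "sse-kms":   {SSE_HEADER: "aws:kms"},
    "dsse-kms":  {SSE_HEADER: DSSE_KMS},
}


def evaluate_samples(bucket: str = BUCKET) -> dict:
    """Map each sample request name to whether the policy denies it."""
    policy = dsse_enforcement_policy(bucket)
    return {name: upload_is_denied(policy, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(dsse_enforcement_policy(BUCKET), indent=2))
    for name, denied in evaluate_samples().items():
        print(f"{name:10s} -> {'DENIED' if denied else 'allowed'}")
    # To apply for real (needs credentials and boto3; placeholders above):
    #   import boto3; s3 = boto3.client("s3")
    #   s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(dsse_enforcement_policy(BUCKET)))
    #   s3.put_bucket_encryption(Bucket=BUCKET, ServerSideEncryptionConfiguration=default_encryption_config())
    #   s3.put_object(**put_object_params(BUCKET, "hello.txt", b"hello"))
    #   assert s3.head_object(Bucket=BUCKET, Key="hello.txt")["ServerSideEncryption"] == DSSE_KMS
```

Run it directly to print the policy and a verdict per sample request; only the dsse-kms request is allowed. The head_object check in the trailing comments is how you confirm after the fact that an object really was stored with DSSE-KMS rather than relying on the request having been sent correctly.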