Using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
Using dual-layer server-side encryption with AWS Key Management Service (AWS KMS) keys (DSSE-KMS) applies two layers of encryption to objects when they are uploaded to Amazon S3. DSSE-KMS helps you more easily fulfill compliance standards that require you to apply multilayer encryption to your data and have full control of your encryption keys.
When you use DSSE-KMS with an Amazon S3 bucket, the AWS KMS keys must be in the same Region as the bucket. Also, when DSSE-KMS is requested for the object, the S3 checksum that's part of the object's metadata is stored in encrypted form. For more information about checksums, see Checking object integrity in Amazon S3.
There are additional charges for using DSSE-KMS and AWS KMS keys. For more information
about DSSE-KMS pricing, see AWS KMS key concepts
in the AWS Key Management Service Developer Guide and AWS KMS pricing
Note
S3 Bucket Keys aren't supported for DSSE-KMS.
Requiring dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
To require dual-layer server-side encryption of all objects in a particular Amazon S3
bucket, you can use a bucket policy. For example, the following bucket policy denies the
upload object (s3:PutObject) permission to everyone if the request does not
include an x-amz-server-side-encryption header that requests server-side
encryption with DSSE-KMS.
{ "Version":"2012-10-17", "Id":"PutObjectPolicy", "Statement":[{ "Sid":"DenyUnEncryptedObjectUploads", "Effect":"Deny", "Principal":"*", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*", "Condition":{ "StringNotEquals":{ "s3:x-amz-server-side-encryption":"aws:kms:dsse" } } } ] }
