Enabling server-side encryption for an Amazon S3 bucket for Amazon Chime SDK media capture pipelines

To enable server-side encryption for an Amazon Simple Storage Service (Amazon S3) bucket, you can use these types of encryption keys:

  • An Amazon S3 managed key

  • A customer managed key in the AWS Key Management Service (KMS)

    Note

    The Key Management Service supports two types of keys, customer managed keys and AWS managed keys. Amazon Chime SDK meetings only support customer managed keys.

Using an Amazon S3 managed key

You can use the Amazon S3 console, CLI, or REST API to enable server-side encryption for an Amazon S3 bucket. In each case, choose Amazon S3 Key as the encryption key type. No further action is needed. When you use the bucket for media capture, the artifacts are uploaded and encrypted on the server side. For more information, refer to Specifying Amazon S3 encryption in the Amazon S3 User Guide.

Using a key that you own

To enable encryption with a key that you manage, you need to enable the Amazon S3 bucket’s server-side encryption with a Customer Managed Key, then add a statement to the key policy that allows Amazon Chime to use the key and encrypt any uploaded artifacts.

  1. Create a Customer Managed Key in KMS. For information about doing so, see Specifying server-side encryption with AWS KMS (SSE-KMS) in the Amazon S3 User Guide.

  2. Add a statement to the key policy that allows the GenerateDataKey action to generate a key for use by the Amazon Chime SDK service principal, mediapipelines.chime.amazonaws.com.

    This example shows a typical statement.

    ...
    {
        "Sid": "MediaPipelineSSEKMS",
        "Effect": "Allow",
        "Principal": {
            "Service": "mediapipelines.chime.amazonaws.com"
        },
        "Action": "kms:GenerateDataKey",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "Account_Id"
            },
            "ArnLike": {
                "aws:SourceArn": "arn:aws:chime:*:Account_Id:*"
            }
        }
    }
    ...

  3. If you use a media concatenation pipeline, add a statement to the key policy that allows the Amazon Chime SDK service principal, mediapipelines.chime.amazonaws.com, to use the kms:Decrypt action.

  4. Configure the Amazon S3 bucket to enable server-side encryption with the key.
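
The following check is an added example, not part of the AWS documentation: it audits a key policy document offline to confirm that the statements from steps 2 and 3 are present and still carry the aws:SourceAccount and aws:SourceArn conditions that restrict the service principal to your account. The function names and the sample account ID are constructed, and the assumption that the kms:Decrypt statement uses the same conditions as the GenerateDataKey statement is ours, since the page does not show that statement.

```python
import copy

SERVICE = "mediapipelines.chime.amazonaws.com"
ALLOWED = {"kms:generatedatakey", "kms:decrypt"}  # IAM action names are case-insensitive

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def scoped(stmt, account_id):
    """True when both conditions from the page's statement pin the account."""
    cond = stmt.get("Condition", {})
    accounts = as_list(cond.get("StringEquals", {}).get("aws:SourceAccount"))
    arns = [a.split(":") for a in as_list(cond.get("ArnLike", {}).get("aws:SourceArn"))]
    return accounts == [account_id] and bool(arns) and all(
        len(p) >= 6 and p[2] == "chime" and p[4] == account_id for p in arns)

def audit_key_policy(policy, account_id, concatenation=False):
    """Return findings; an empty list means the key policy matches steps 2 and 3."""
    required = {"kms:generatedatakey"} | ({"kms:decrypt"} if concatenation else set())
    granted, findings = set(), []
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue  # not a grant to the media pipelines service principal
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if not scoped(stmt, account_id):
            findings.append(f"{sid}: aws:SourceAccount / aws:SourceArn missing or mismatched")
            continue  # an unscoped grant does not count toward the required actions
        if actions - ALLOWED:
            findings.append(f"{sid}: extra actions {sorted(actions - ALLOWED)}")
        granted |= actions
    findings += [f"no scoped statement allows {a}" for a in sorted(required - granted)]
    return findings

ACCOUNT = "111122223333"  # constructed sample account ID
GOOD = {"Version": "2012-10-17", "Statement": [{  # the page's statement, Account_Id filled in
    "Sid": "MediaPipelineSSEKMS", "Effect": "Allow",
    "Principal": {"Service": SERVICE}, "Action": "kms:GenerateDataKey", "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                  "ArnLike": {"aws:SourceArn": f"arn:aws:chime:*:{ACCOUNT}:*"}}}]}
UNSCOPED = copy.deepcopy(GOOD)  # constructed weak variant: conditions removed
del UNSCOPED["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("UNSCOPED", UNSCOPED)):
        print(name, audit_key_policy(pol, ACCOUNT, concatenation=True))
```

Pass `concatenation=True` only when the key protects a bucket read by a media concatenation pipeline; the audit then also requires a scoped kms:Decrypt grant.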

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.