Posted On: Jul 23, 2019

Customers in the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD, can now use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) to encrypt their data at rest in Amazon S3.

With Server-Side Encryption, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. SSE-KMS is one of three mutually exclusive options available to you, depending on how you choose to manage the encryption keys.

With SSE-KMS, each object is encrypted with a unique key. Use of the envelope key (that is, a key that protects your data's encryption key) requires separate permissions, which provides added protection against unauthorized access to your objects in Amazon S3. SSE-KMS also provides you with an audit trail of when your key was used and by whom. Additionally, you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the service you're using, and the Region you're working in.

For more information, see Protecting Data Using Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS) in the Amazon S3 Developer Guide. For more information on AWS KMS, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide. There are additional charges for using AWS KMS keys. For more information, see AWS Key Management Service Pricing.