Posted On: Dec 2, 2020

Amazon S3 Bucket Keys reduce the request costs of Amazon S3 server-side encryption (SSE) with AWS Key Management Service (KMS) by up to 99% by decreasing the request traffic from S3 to KMS. With a few clicks in AWS Management Console and no changes to your client applications, you can configure your buckets to use an S3 Bucket Key for KMS-based encryption on new objects. 

Workloads that access millions or billions of objects encrypted with SSE-KMS can generate large request volumes to KMS. This is because KMS-encrypted objects in S3 use an individual KMS key and S3 makes a call to KMS for each read and write request to these objects. With S3 Bucket Keys, instead of an individual KMS key for each KMS encrypted object, a bucket-level key is generated by KMS. S3 uses this bucket key to create unique data keys for objects in a bucket, avoiding the need for additional KMS requests to complete encryption operations. This results in reduction of request traffic from S3 to KMS, allowing you to access encrypted objects in S3 at a fraction of the previous cost. S3 Bucket Keys can be configured through the S3 Management Console, SDK, or API. You will also have the option to override the S3 Bucket Key configuration for specific objects in a bucket with an individual per-object KMS key using the API and SDK. 

Amazon S3 Bucket Keys are available at no additional cost in all AWS Regions, including the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD. To learn more about S3 Bucket Keys, visit the server-side encryption documentation