Posted On: Feb 19, 2021

Amazon Config now supports using an Amazon Key Management Service (KMS) key ARN or alias ARN that you provide to encrypt the configuration history and snapshot files it delivers to your Amazon Simple Storage Service (S3) bucket. By default, Amazon Config encrypts those files at rest with S3-managed keys (SSE-S3, AES-256). With this release, if you provide Amazon Config with a KMS key ARN or alias ARN, Amazon Config uses server-side encryption with that KMS key (SSE-KMS) instead of SSE-S3. The objects are still encrypted with AES-256; the difference is that the data keys are protected by your KMS key, so access to the delivered objects is also governed by your KMS key policy.

To get started, create a KMS key in the same Region as your delivery bucket and configure its key policy to allow the principal Amazon Config delivers with (the IAM role or service-linked role you gave Config) to call kms:GenerateDataKey and kms:Decrypt. Then provide the key to Amazon Config by calling the PutDeliveryChannel API with the key ARN or alias ARN in the s3KmsKeyArn field of the delivery channel. Objects delivered to the S3 bucket are then encrypted with server-side encryption using KMS CMKs (SSE-KMS). If you do not provide a KMS key ARN or alias ARN, Amazon Config continues to encrypt the delivered data with SSE-S3 (AES-256).
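The two steps above, as an added example that is not part of the original announcement and not Amazon's own code: a preflight check that the supplied value really is a KMS key or alias ARN in the bucket's Region and that the key policy grants the Config principal both kms:GenerateDataKey and kms:Decrypt, followed by building the DeliveryChannel structure for PutDeliveryChannel. The account ID, key ID, role ARN, bucket name and both key policies are constructed placeholders; the policy evaluator is deliberately simplified (it ignores Condition, NotAction and Deny) and the `apply_delivery_channel` helper, which needs boto3 and credentials, is only defined, not called.

```python
"""Preflight and delivery-channel builder for Amazon Config SSE-KMS delivery.

Added example, not Amazon's code. All ARNs below are constructed placeholders.
"""
import re

# Key ARN or alias ARN in any partition (aws, aws-cn, aws-us-gov). Standard ARN layout;
# the regex itself is this example's assumption about what Config accepts.
_KMS_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<kind>key|alias)/(?P<name>[A-Za-z0-9/_-]+)$"
)

# The two KMS operations the announcement says the key must allow.
REQUIRED_ACTIONS = frozenset({"kms:GenerateDataKey", "kms:Decrypt"})


def parse_kms_arn(arn):
    """Split a key or alias ARN into partition/region/account/kind/name; reject anything else."""
    m = _KMS_ARN.match(arn)
    if m is None:
        raise ValueError(f"not a KMS key or alias ARN: {arn!r}")
    return m.groupdict()


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action patterns are case-insensitive and allow '*' and '?' wildcards.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def missing_key_permissions(key_policy, principal_arn):
    """Return the REQUIRED_ACTIONS that no Allow statement grants to principal_arn.

    Simplified evaluator: honours Principal.AWS entries (an ARN or '*') and wildcard
    action patterns, but ignores Condition, NotAction and Deny. An empty result is
    therefore necessary, not sufficient, for delivery to succeed.
    """
    granted = set()
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS", []))
        else:
            aws_principals = []
        if not any(p in ("*", principal_arn) for p in aws_principals):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted |= {a for a in REQUIRED_ACTIONS if _action_matches(pattern, a)}
    return set(REQUIRED_ACTIONS) - granted


def build_delivery_channel(name, bucket, bucket_region, kms_arn, prefix=None):
    """Build the DeliveryChannel structure passed to PutDeliveryChannel.

    Refuses a key in a different Region than the bucket, because S3 SSE-KMS
    requires the key and the bucket to be in the same Region.
    """
    key = parse_kms_arn(kms_arn)
    if key["region"] != bucket_region:
        raise ValueError(f"key is in {key['region']} but bucket is in {bucket_region}")
    channel = {"name": name, "s3BucketName": bucket, "s3KmsKeyArn": kms_arn}
    if prefix:
        channel["s3KeyPrefix"] = prefix
    return channel


def apply_delivery_channel(channel, region):
    """Call PutDeliveryChannel with the built structure (needs boto3 and credentials)."""
    import boto3  # imported here so the rest of the example runs without it
    boto3.client("config", region_name=region).put_delivery_channel(DeliveryChannel=channel)


# Constructed sample: Config's service-linked role and a key in the Ningxia Region.
ACCOUNT = "111122223333"
CONFIG_ROLE = (f"arn:aws-cn:iam::{ACCOUNT}:role/aws-service-role/"
               "config.amazonaws.com/AWSServiceRoleForConfig")
KEY_ARN = f"arn:aws-cn:kms:cn-northwest-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Weak key policy: Config can decrypt but cannot generate data keys, so writing
# encrypted snapshots fails.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws-cn:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowConfig", "Effect": "Allow",
     "Principal": {"AWS": CONFIG_ROLE}, "Action": "kms:Decrypt", "Resource": "*"},
]}

# Corrected key policy: exactly the two operations the announcement calls for.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    WEAK_POLICY["Statement"][0],
    {"Sid": "AllowConfig", "Effect": "Allow", "Principal": {"AWS": CONFIG_ROLE},
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"},
]}

if __name__ == "__main__":
    print("weak policy missing:", missing_key_permissions(WEAK_POLICY, CONFIG_ROLE))
    print("good policy missing:", missing_key_permissions(GOOD_POLICY, CONFIG_ROLE))
    print(build_delivery_channel("default", "my-config-bucket", "cn-northwest-1", KEY_ARN, "config"))
```

Run the preflight before the PutDeliveryChannel call: a key policy that omits kms:GenerateDataKey is the usual reason SSE-KMS delivery silently stops producing snapshots, and the Region check catches the other common mistake, pointing a bucket in one Region at a key in another.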

Support for KMS encryption on S3 buckets used by Amazon Config is available at no additional cost in Amazon Web Services China (Beijing) Region, operated by Sinnet and Amazon Web Services China (Ningxia) Region, operated by NWCD. For more information about Amazon Config, see the Amazon Config webpage. For more information about Amazon Key Management Service (Amazon KMS), see the Amazon Key Management Service (KMS) webpage.