Posted On: Jun 19, 2023

Customers can now apply two independent layers of server-side encryption to objects in Amazon S3. Dual-layer server-side encryption with keys stored in the Amazon Key Management Service (DSSE-KMS) is designed to meet CNSSP 15 and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of encryption. As of the publish date of this post, S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control, through KMS, the keys that protect the data keys used for both layers. Amazon S3 features such as DSSE-KMS are vetted and accepted for use on top-secret workloads, which benefits all customers.

DSSE-KMS simplifies the process of applying two layers of encryption to your data, without having to build and operate the infrastructure that client-side encryption requires. Each layer uses a different implementation of the 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-GCM), with its own data key. DSSE-KMS uses the Amazon Key Management Service (KMS) to generate those data keys from a customer managed key, so customers control that key with per-key KMS permissions and key rotation schedules. Because the object is decrypted server-side on read, customers can query and analyze dual-encrypted data with Amazon Web Services services such as Amazon Athena, Amazon SageMaker, and more, provided the reading principal has permission to use the KMS key.
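The announcement describes DSSE-KMS as a setting rather than showing how to apply and verify it. The following is an added example (not code from the announcement or from Amazon), using only the Python standard library so that the configuration builders and the audit logic run offline. It builds the bucket default-encryption rule and an enforcing bucket policy for the `aws:kms:dsse` algorithm, and classifies HeadObject responses so that objects uploaded before the default was changed (which remain single-layer, since changing the default never re-encrypts existing objects) are flagged. The bucket name, key ARN and sample HeadObject responses are constructed placeholders; the optional `apply()` helper assumes boto3 is installed and credentials are configured.

```python
"""Configure, enforce and audit DSSE-KMS on an S3 bucket.

Added example, not Amazon's code. Builders and the audit classifier need no AWS
access; apply() is an optional helper that assumes boto3 and valid credentials.
"""
import json

DSSE = "aws:kms:dsse"   # dual-layer: SSEAlgorithm / x-amz-server-side-encryption value
SSE_KMS = "aws:kms"     # single-layer SSE-KMS
SSE_S3 = "AES256"       # single-layer SSE-S3


def bucket_encryption_config(kms_key_arn):
    """Default-encryption rule applying DSSE-KMS with the given key to NEW objects.

    Caveat: changing the default does not re-encrypt objects already in the
    bucket; those must be copied in place to pick up the new setting.
    """
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": DSSE, "KMSMasterKeyID": kms_key_arn}}]}


def enforcement_bucket_policy(bucket):
    """Bucket policy refusing PutObject unless the request asks for DSSE-KMS.

    Statement 1 rejects a weaker algorithm (AES256 or aws:kms); statement 2
    rejects requests that omit the header, so clients must state the algorithm
    explicitly instead of relying on the bucket default.
    """
    arn = "arn:aws:s3:::%s/*" % bucket
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyWeakerEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": DSSE}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}


def classify_object(head, expected_key_arn=None):
    """Classify a HeadObject response by the encryption S3 reports for the object.

    Returns 'dual-layer', 'wrong-key' (DSSE but a different KMS key),
    'single-layer-kms', 'sse-s3' or 'none-reported'.
    """
    alg = head.get("ServerSideEncryption")
    if alg == DSSE:
        if expected_key_arn and head.get("SSEKMSKeyId") != expected_key_arn:
            return "wrong-key"
        return "dual-layer"
    if alg == SSE_KMS:
        return "single-layer-kms"
    if alg == SSE_S3:
        return "sse-s3"
    return "none-reported"


def audit(heads, expected_key_arn):
    """Map object key -> classification for every object NOT dual-encrypted under expected_key_arn."""
    findings = {}
    for key, head in heads.items():
        verdict = classify_object(head, expected_key_arn)
        if verdict != "dual-layer":
            findings[key] = verdict
    return findings


def apply(bucket, kms_key_arn):
    """Assumption: boto3 installed, credentials allow PutBucketEncryption/PutBucketPolicy."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=bucket_encryption_config(kms_key_arn))
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(enforcement_bucket_policy(bucket)))


# Constructed sample data (placeholder account, key id and responses, not real output).
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/99999999-8888-7777-6666-555555555555"
SAMPLE_HEADS = {
    "reports/2023-q2.parquet": {"ServerSideEncryption": DSSE, "SSEKMSKeyId": SAMPLE_KEY},
    "reports/2023-q1.parquet": {"ServerSideEncryption": SSE_KMS, "SSEKMSKeyId": SAMPLE_KEY},
    "legacy/export.csv": {"ServerSideEncryption": SSE_S3},
    "shared/notes.txt": {"ServerSideEncryption": DSSE, "SSEKMSKeyId": OTHER_KEY},
    "misc/readme": {},
}

if __name__ == "__main__":
    print(json.dumps(bucket_encryption_config(SAMPLE_KEY), indent=2))
    print(json.dumps(enforcement_bucket_policy("example-dsse-bucket"), indent=2))
    for key, verdict in audit(SAMPLE_HEADS, SAMPLE_KEY).items():
        print("NOT dual-layer under expected key: %s (%s)" % (key, verdict))
```

Against a live bucket, the same `audit()` can be fed the result of `head_object` for each key returned by `list_objects_v2`; any object that classifies as anything other than `dual-layer` predates the default-encryption change or was written by a principal the bucket policy did not cover, and a `copy_object` onto itself with `ServerSideEncryption="aws:kms:dsse"` brings it up to two layers.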

DSSE-KMS is available at an additional cost in all Amazon Web Services Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. For pricing information, visit the Amazon S3 and Amazon KMS pricing pages; both the S3 storage charge and the KMS request charges for the data keys apply. To learn more about all available encryption options on Amazon S3, visit the S3 User Guide.