Data security is one of the most important aspects of cloud computing. While Amazon S3 already provides highly durable storage, encrypting your data ensures that only authorized users and services can access it.
In this hands-on guide, you'll learn how to use AWS Key Management Service (AWS KMS) to encrypt Amazon S3 objects using both the default AWS-managed key and a customer-managed key.
📖 What is AWS Key Management Service (KMS)?
AWS Key Management Service (KMS) is a fully managed service that enables you to create, manage, and control cryptographic keys used to protect your data.
Some of its key features include:
- 🔑 Centralized encryption key management
- 🔒 Hardware Security Modules (HSMs) validated under FIPS 140-2
- 🔄 Integration with most AWS services
- 📜 Audit logging through AWS CloudTrail
- ☁️ Native integration with Amazon S3 for server-side encryption
Using KMS allows organizations to satisfy security, compliance, and regulatory requirements while maintaining full control over encryption keys.
Lab Objective
In this lab, you'll learn how to:
- Create an encrypted Amazon S3 bucket
- Encrypt uploaded files using the default AWS-managed KMS key
- Create a Customer Managed Key (CMK)
- Override bucket encryption settings for specific files
- Verify which KMS key encrypted each object
Part 1: Create an Encrypted Amazon S3 Bucket
- Open the AWS Management Console.
- Navigate to Amazon S3.
- Click Create bucket.
- Enter a unique bucket name.
- Scroll to Default encryption.
- Select:
Server-side encryption with AWS Key Management Service keys (SSE-KMS)
7.Under AWS KMS key, choose:
Choose from your AWS KMS keys
8.Select the AWS-managed key with the description:
aws/s3
9.Click Create bucket.
Your bucket is now configured to automatically encrypt every uploaded object.
Part 2: Upload a File Using the Default AWS-Managed Key
Open the newly created bucket.
Click:
Upload
Then:
- Add a file
- Select the file from your computer
- Upload it
Once the upload completes:
- Open the uploaded object.
- Scroll to Server-side encryption settings.
You'll notice the object has been encrypted using a KMS Master Key ARN associated with the AWS-managed S3 key.
Part 3: Create a Customer Managed KMS Key
Now let's create our own encryption key.
Navigate to:
Services
→ Key Management Service (KMS)
Then:
- Select Customer managed keys
- Click Create key
- Keep all default settings
- Click Next
- Set the Alias as:
my_s3_key
- Continue clicking Next
- Click Finish
Your custom encryption key is now ready.
Part 4: Upload Another File Using the Customer Managed Key
Return to your S3 bucket.
Click:
Upload
Add another file.
Expand:
Properties
Scroll to:
Server-side encryption
Choose:
Specify an encryption key
Then:
Override bucket settings for default encryption
Select:
AWS Key Management Service key (SSE-KMS)
Choose:
my_s3_key
Upload the file.
Part 5: Verify Encryption
Open the newly uploaded object.
Scroll to:
Server-side encryption settings
Notice the KMS Master Key ARN is different from the previous file.
This confirms the object is encrypted using your Customer Managed Key (CMK) rather than the default AWS-managed key.
Understanding the Difference
| AWS Managed Key | Customer Managed Key |
|---|---|
| Created automatically by AWS | Created and managed by you |
| No management overhead | Full administrative control |
| Limited customization | Supports custom IAM policies and permissions |
| Best for simple workloads | Ideal for production environments and compliance |
Important Note
Although bucket-level encryption defines the default encryption behavior, individual objects can override those settings during upload.
This is particularly useful when:
- Different departments require separate encryption keys.
- Certain documents contain highly sensitive information.
- Compliance policies require dedicated customer-managed keys.
Key Takeaways
In this lab, you learned how to:
- ✅ Create an encrypted Amazon S3 bucket
- ✅ Use the default AWS-managed KMS key
- ✅ Create a Customer Managed Key
- ✅ Encrypt individual objects using different KMS keys
- ✅ Verify object encryption using KMS Master Key ARNs
Conclusion
AWS KMS simplifies encryption key management while integrating seamlessly with Amazon S3 and other AWS services. Whether you use AWS-managed keys for simplicity or customer-managed keys for greater control, KMS provides a secure and scalable solution for protecting your data.
Understanding how bucket-level encryption and object-level encryption interact is an essential skill for AWS administrators, cloud engineers, and anyone preparing for AWS certification exams.
Happy learning, and keep building securely! 🚀
Top comments (0)