SSE-KMS is envelope encryption: AWS KMS generates and protects each data key, while the key that wraps it is a customer master key (CMK, now called a KMS key) in AWS KMS. The CMK can be the AWS managed key for S3 or a customer managed key, but in either case its key policy governs who can obtain data keys, so control over the CMK is control over the data.
Amazon S3 supports only symmetric CMKs. You cannot use an asymmetric CMK to encrypt your data in Amazon S3.
SSE-KMS Encryption
- Amazon S3 calls AWS KMS (GenerateDataKey) to request a plaintext data key and a copy of the same key encrypted under the specified CMK.
- AWS KMS generates a data key, encrypts it under the CMK, and sends both the plaintext data key and the encrypted data key to Amazon S3.
- Amazon S3 encrypts the data using the data key and removes the plaintext key from memory as soon as possible after use.
- Amazon S3 stores the encrypted data key as metadata with the encrypted data. Only the wrapped form is kept, so the object stays readable only while the CMK exists, is enabled, and its policy still permits decryption.
SSE-KMS Decryption
Amazon S3 and AWS KMS perform the following actions when you request that your data be decrypted. The KMS call is made on the requester's behalf, so reading the object needs kms:Decrypt on the CMK (via key policy or IAM) in addition to s3:GetObject, and each call is recorded in CloudTrail.
- Amazon S3 sends the encrypted data key to AWS KMS (Decrypt).
- AWS KMS decrypts the key by using the same CMK and returns the plaintext data key to Amazon S3.
- Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible.
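The two flows above, written out as an added example rather than code from the original page or from AWS: a KMS type that holds the CMKs and implements GenerateDataKey and Decrypt using AES-256-GCM key wrapping, and an S3 type that stores objects, keeps only the wrapped data key as metadata, and must go back to KMS for every read. Key IDs, bucket and object names are constructed; the NUL-separated key-ID prefix on the wrapped blob, the `aws:s3:arn=...` encryption-context encoding, and the exact error strings are modelling assumptions standing in for KMS's real ciphertext format and API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Modelled AWS KMS: CMK material lives only here and is never handed to a caller.
type KMS struct{ cmks map[string][]byte } // key ID -> 256-bit symmetric CMK
func NewKMS() *KMS                    { return &KMS{cmks: map[string][]byte{}} }
func (k *KMS) CreateKey(keyID string) { k.cmks[keyID] = randomBytes(32) }
func (k *KMS) DeleteKey(keyID string) { delete(k.cmks, keyID) } // afterwards nothing wrapped under it can be unwrapped

// GenerateDataKey returns a fresh random data key in plaintext and wrapped under the CMK. The
// encryption context is bound as AES-GCM associated data, so Decrypt must present the same one.
func (k *KMS) GenerateDataKey(keyID string, ctx []byte) (plaintext, blob []byte, err error) {
	cmk, ok := k.cmks[keyID]
	if !ok {
		return nil, nil, errors.New("NotFoundException")
	}
	plaintext = randomBytes(32)
	// The blob carries the key ID (NUL-separated here, a modelling assumption) so Decrypt can locate the CMK.
	blob = append(append([]byte(keyID), 0), gcmSeal(cmk, plaintext, ctx)...)
	return plaintext, blob, nil
}

// Decrypt unwraps a data key. It fails if the CMK is gone, the blob was tampered with, or the
// caller's encryption context differs from the one used at wrap time.
func (k *KMS) Decrypt(blob, ctx []byte) ([]byte, error) {
	keyID, wrapped, _ := bytes.Cut(blob, []byte{0})
	cmk, ok := k.cmks[string(keyID)]
	if !ok {
		return nil, errors.New("NotFoundException")
	}
	dk, err := gcmOpen(cmk, wrapped, ctx)
	if err != nil {
		return nil, errors.New("InvalidCiphertextException")
	}
	return dk, nil
}

// AES-256-GCM helpers; a random 96-bit nonce is prefixed to each ciphertext. Keys are always
// 32 bytes here, so aes.NewCipher and cipher.NewGCM cannot fail and their errors are dropped.
func gcm(key []byte) cipher.AEAD { block, _ := aes.NewCipher(key); aead, _ := cipher.NewGCM(block); return aead }
func gcmSeal(key, pt, aad []byte) []byte { n := randomBytes(12); return gcm(key).Seal(n, n, pt, aad) }
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], aad)
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never continue past a CSPRNG failure
	}
	return b
}
func zero(b []byte) { for i := range b { b[i] = 0 } } // scrub a plaintext key once it is no longer needed

// Modelled Amazon S3: each object stores its ciphertext and, as metadata, the wrapped data key.
type S3Object struct{ Ciphertext, WrappedDataKey []byte }
type S3 struct{ kms *KMS; objects map[string]S3Object }
func NewS3(kms *KMS) *S3 { return &S3{kms: kms, objects: map[string]S3Object{}} }

// s3Context is the encryption context S3 sends to KMS: aws:s3:arn = the bucket ARN.
func s3Context(bucket string) []byte { return []byte("aws:s3:arn=arn:aws:s3:::" + bucket) }

// PutObjectSSEKMS is the encryption flow: request a data key (steps 1-2), encrypt and discard
// the plaintext key (3), store the wrapped key with the object (4).
func (s *S3) PutObjectSSEKMS(bucket, key string, body []byte, kmsKeyID string) error {
	dk, wrapped, err := s.kms.GenerateDataKey(kmsKeyID, s3Context(bucket))
	if err != nil {
		return err
	}
	ct := gcmSeal(dk, body, []byte(bucket+"/"+key))
	zero(dk)
	s.objects[bucket+"/"+key] = S3Object{Ciphertext: ct, WrappedDataKey: wrapped}
	return nil
}

// GetObject is the decryption flow: send the wrapped key to KMS (steps 1-2), decrypt with the
// returned plaintext key and discard it (3). If KMS refuses, S3 has no way to read the object.
func (s *S3) GetObject(bucket, key string) ([]byte, error) {
	obj, ok := s.objects[bucket+"/"+key]
	if !ok {
		return nil, errors.New("NoSuchKey")
	}
	dk, err := s.kms.Decrypt(obj.WrappedDataKey, s3Context(bucket))
	if err != nil {
		return nil, err
	}
	pt, err := gcmOpen(dk, obj.Ciphertext, []byte(bucket+"/"+key))
	zero(dk)
	return pt, err
}
```

Create a KMS and an S3 backed by it, put an object with a key ID, read it back, then call DeleteKey on that ID and read again: the object is still in the store but GetObject now fails, because the only copy of the data key is wrapped under a CMK that no longer exists. That is the property SSE-KMS buys you, and the reason real KMS key deletion is gated behind a mandatory waiting period. Binding the bucket ARN as encryption context means a wrapped key copied to another bucket's metadata will not unwrap either.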