Specifying the AWS Key Management Service in Amazon S3 Using the AWS SDKs

When using AWS SDKs, you can request Amazon S3 to use AWS Key Management Service (AWS KMS) customer master keys (CMKs). This section provides examples of using the AWS SDKs for Java and .NET. For information about other SDKs, go to Sample Code and Libraries.

Important
When you use an AWS KMS CMK for server-side encryption in Amazon S3, you must choose a symmetric CMK. Amazon S3 only supports symmetric CMKs and not asymmetric CMKs. For more information, see Using Symmetric and Asymmetric Keys in the AWS Key Management Service Developer Guide.

AWS SDK for Java

This section explains various Amazon S3 operations using the AWS SDK for Java and how you use the AWS KMS CMKs.

Put Operation

When uploading an object using the AWS SDK for Java, you can request Amazon S3 to use an AWS KMS CMK by adding the SSEAwsKeyManagementParams property as shown in the following request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName,

keyName, file).withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams());

In this case, Amazon S3 uses the AWS managed CMK (see Using Server-Side Encryption with CMKs Stored in AWS KMS ). You can optionally create a symmetric customer managed CMK and specify that in the request.

PutObjectRequest putRequest = new PutObjectRequest(bucketName,

keyName, file).withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(keyID));

For more information about creating customer managed CMKs, see Programming the AWS KMS API in the AWS Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update those code examples and provide encryption information as shown in the preceding code fragment.

• For uploading an object in a single operation, see Upload an Object Using the AWS SDK for Java.
• For a multipart upload, see the following topics:
  • Using high-level multipart upload API, see Upload a File.
  • If you are using the low-level multipart upload API, see Upload a File.

Copy Operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an AWS KMS CMK. For more information about copying objects, see Copying Objects.

Presigned URLs

When creating a presigned URL for an object encrypted using an AWS KMS CMK, you must explicitly specify Signature Version 4.

ClientConfiguration clientConfiguration = new ClientConfiguration();

clientConfiguration.setSignerOverride("AWSS3V4SignerType");

AmazonS3Client s3client = new AmazonS3Client(

new ProfileCredentialsProvider(), clientConfiguration);

...

For a code example, see Generate a presigned Object URL Using the AWS SDK for Java.

AWS SDK for .NET

This section explains various Amazon S3 operations using the AWS SDK for .NET and how you use the AWS KMS CMKs.

Put Operation

When uploading an object using the AWS SDK for .NET, you can request Amazon S3 to use an AWS KMS CMK by adding the ServerSideEncryptionMethod property as shown in the following request.

PutObjectRequest putRequest = new PutObjectRequest

{

BucketName = bucketName,

Key = keyName,

// other properties.

ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS

};

In this case, Amazon S3 uses the AWS managed CMK. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS). You can optionally create your own symmetric customer managed CMK and specify that in the request.

PutObjectRequest putRequest1 = new PutObjectRequest

{

BucketName = bucketName,

Key = keyName,

// other properties.

ServerSideEncryptionMethod = ServerSideEncryptionMethod.AWSKMS,

ServerSideEncryptionKeyManagementServiceKeyId = keyId

};

For more information about creating customer managed CMKs, see Programming the AWS KMS API in the AWS Key Management Service Developer Guide.

For working code examples of uploading an object, see the following topics. You will need to update these code examples and provide encryption information as shown in the preceding code fragment.

• For uploading an object in a single operation, see Upload an Object Using the AWS SDK for .NET.
• For multipart upload see the following topics:
  • Using high-level multipart upload API, see Upload a File to an S3 Bucket Using the AWS SDK for .NET (High-Level API).
  • Using low-level multipart upload API, see Upload a File to an S3 Bucket Using the AWS SDK for .NET (Low-Level API).

Copy Operation

When copying objects, you add the same request properties (ServerSideEncryptionMethod and ServerSideEncryptionKeyManagementServiceKeyId) to request Amazon S3 to use an AWS KMS CMK. For more information about copying objects, see Copying Objects.

Presigned URLs

When creating a presigned URL for an object encrypted using an AWS KMS CMK, you must explicitly specify Signature Version 4.

AWSConfigs.S3Config.UseSignatureVersion4 = true;

For a code example, see Generate a Presigned Object URL Using AWS SDK for .NET.