AWS AmazonS3 documentation change
Summary
Expanded explanation of DSSE-KMS dual-layer encryption architecture and comparison with SSE-KMS
Security assessment
The changes explicitly document security features of dual-layer encryption, emphasizing enhanced protection against encryption layer compromise. This qualifies as security documentation but does not indicate a specific security issue being addressed.
Diff
diff --git a/AmazonS3/latest/userguide/UsingDSSEncryption.md b/AmazonS3/latest/userguide/UsingDSSEncryption.md index 0d59b5e69..3033265d5 100644 --- a//AmazonS3/latest/userguide/UsingDSSEncryption.md +++ b//AmazonS3/latest/userguide/UsingDSSEncryption.md @@ -8,0 +9,15 @@ Using dual-layer server-side encryption with AWS Key Management Service (AWS KMS +The "dual" in DSSE-KMS refers to two independent layers of AES-256 encryption that are applied to your data: + + * _First layer:_ Your data is encrypted using a unique data encryption key (DEK) generated by AWS KMS + + * _Second layer:_ The already-encrypted data is encrypted again using a separate AES-256 encryption key managed by Amazon S3 + + + + +This differs from standard SSE-KMS, which applies only a single layer of encryption. The dual-layer approach provides enhanced security by ensuring that even if one encryption layer were compromised, your data would remain protected by the second layer. This additional security comes with increased processing overhead and AWS KMS API calls, which accounts for the higher cost compared to standard SSE-KMS. + +AWS KMS API calls, which accounts for the higher cost compared to standard SSE-KMS. + +API calls, which accounts for the higher cost compared to standard SSE-KMS. + @@ -11 +26 @@ When you use DSSE-KMS with an Amazon S3 bucket, the AWS KMS keys must be in the -There are additional charges for using DSSE-KMS and AWS KMS keys. For more information about DSSE-KMS pricing, see [AWS KMS key concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in the _AWS Key Management Service Developer Guide_ and [AWS KMS pricing](https://aws.amazon.com/kms/pricing). +There are additional charges for using DSSE-KMS compared to standard SSE-KMS due to the increased computational overhead of applying two layers of encryption and additional AWS KMS API calls required for the dual encryption process. For more information about DSSE-KMS pricing, see [AWS KMS key concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in the _AWS Key Management Service Developer Guide_ and [AWS KMS pricing](https://aws.amazon.com/kms/pricing). @@ -16,0 +32,17 @@ S3 Bucket Keys aren't supported for DSSE-KMS. +DSSE-KMS vs. standard SSE-KMS + +The key differences between DSSE-KMS and standard SSE-KMS are: + + * _Encryption layers:_ DSSE-KMS applies two independent layers of AES-256 encryption, while standard SSE-KMS applies one layer + + * _Security:_ DSSE-KMS provides enhanced protection against potential encryption vulnerabilities + + * _Compliance:_ DSSE-KMS helps meet regulatory requirements that mandate multilayer encryption + + * _Performance:_ DSSE-KMS has slightly higher latency due to additional encryption processing + + * _Cost:_ DSSE-KMS incurs higher charges due to increased computational overhead and additional AWS KMS operations + + + +