How can the user achieve this?

By:
In: SOA-C01
Tagged:
With: 1 Comment
A storage admin wants to encrypt all the objects stored in S3 using server side encryption.The user does not want to use the AES 256 encryption key provided byS3.

How can the user achieve this?

The admin should upload his secret key to the AWS console and let S3 decrypt the objects

The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the S3 API mention the encryption key URL in each request

S3 does not support client supplied encryption keys for server side encryption

The admin should send the keys and encryption algorithm with each API call

Explanations:

S3 does not support uploading a secret key directly to the AWS console for automatic decryption of objects. Instead, S3 uses managed keys or customer-managed keys for encryption.

S3 does support client-supplied encryption keys, but the encryption key should be supplied during the API call, not uploaded to the S3 bucket. Additionally, each request would require the encryption key to be provided in the headers.

S3 does support client-supplied encryption keys for server-side encryption, using the SSE-C (Server-Side Encryption with Customer-Provided Keys) feature.

To use client-supplied encryption keys, the admin must send the encryption key and the algorithm (e.g., AES-256) with each API call to S3, using the appropriate headers for the encryption process.

2025-09-28

1 Comment

  1. Keith
    Author

    I evaluate that the answer is:
    The admin should send the keys and encryption algorithm with each API call

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − ten =