Home > Software design >  s3-sse bucket encryption - how does AWS keep track of all keys?
s3-sse bucket encryption - how does AWS keep track of all keys?

Time:01-24

With AWS S3-SSE, each object is encrypted with a new key.

Has amazon a list for each bucket and it's corresponding key?

What is the advantage of having multiple keys? If you get ahold of one key, would it not be probable to get ahold of all keys?

CodePudding user response:

With AWS S3-SSE, each object is encrypted with a new key.

Here, we are talking about the data keys.

Has amazon a list for each bucket and it's corresponding key?

Since each object is encrypted with a new data key, AWS absolutely needs to keep track of which object is encrypted with which key. The way that S3 keeps track of the keys is to store the encrypted data key as metadata along with the object.

Ref: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#aws-managed-customer-managed-keys

What is the advantage of having multiple keys?

Security!

If you get ahold of one key, would it not be probable to get ahold of all keys?

Maybe. If all objects are encrypted with the same data key, and when that data key leaked, all your objects are at risk.

  • Related