Server-side encryption with KMS
To use a customer master key (CMK) managed by AWS Key Management Service (AWS KMS) and enable server-side encryption with KMS, you need to create a KMS policy that grants the required key operations.
The policy must allow the following KMS operations so that the temporary security credentials can use the key for encryption with KMS:
- GenerateDataKey
- DescribeKey
- Encrypt
- Decrypt
- ReEncrypt
See the following sample KMS policy for reference:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*"
            ],
            "Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
        }
    ]
}
When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy instead; the only difference is the aws-cn partition in the key ARN:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*"
            ],
            "Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
        }
    ]
}
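The following added example (not part of the original page or of any AWS tool) shows a small policy linter that checks both sample policies above before they are deployed. It verifies that every KMS operation listed earlier is allowed (expanding the kms:ReEncrypt* wildcard to ReEncryptFrom and ReEncryptTo), that the Resource is scoped to a key ARN rather than "*", and that the ARN partition (aws or aws-cn) matches the region of the S3 endpoint being used. The sample policies, account number and region names embedded below are constructed values for the test, and the region-to-partition mapping covers only the two partitions the page mentions.

```python
import fnmatch
import json

# KMS operations the page lists as required for SSE-KMS with temporary credentials.
# "kms:ReEncrypt*" in the sample policy expands to these two concrete actions.
REQUIRED_ACTIONS = [
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
]


def expected_partition(region):
    """Partition a KMS key ARN must carry for the given region.

    Assumption: only the standard (aws) and China (aws-cn) partitions from the
    page are handled here.
    """
    return "aws-cn" if region.startswith("cn-") else "aws"


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action):
    """True if some Allow statement matches `action` (IAM-style '*' wildcards)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def check_kms_policy(policy_text, region):
    """Return a list of findings; an empty list means the policy passes."""
    policy = json.loads(policy_text)
    findings = []

    for action in REQUIRED_ACTIONS:
        if not action_allowed(policy, action):
            findings.append(f"missing permission: {action}")

    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append("Resource is '*': scope the statement to the key ARN")
                continue
            # Expected shape: arn:<partition>:kms:<region>:<account>:key/<id>
            parts = resource.split(":")
            if len(parts) < 6 or parts[2] != "kms":
                findings.append(f"not a KMS key ARN: {resource}")
                continue
            if parts[1] != expected_partition(region):
                findings.append(
                    f"partition {parts[1]!r} does not match region {region!r}"
                )
    return findings


def _sample_policy(partition, region, resource=None):
    # Constructed sample mirroring the page's policy; account id is a placeholder.
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt",
                       "kms:Decrypt", "kms:ReEncrypt*"],
            "Resource": [resource or f"arn:{partition}:kms:{region}:123456789012:key/<KMS_key>"],
        }],
    })


STANDARD_POLICY = _sample_policy("aws", "us-east-1")
CHINA_POLICY = _sample_policy("aws-cn", "cn-north-1")
# Common mistake: standard-partition ARN used against a China endpoint.
MISMATCHED_POLICY = _sample_policy("aws", "cn-north-1")
# Over-broad resource, which the linter should flag.
WILDCARD_POLICY = _sample_policy("aws", "us-east-1", resource="*")

if __name__ == "__main__":
    for name, text, region in [("standard", STANDARD_POLICY, "us-east-1"),
                               ("china", CHINA_POLICY, "cn-north-1"),
                               ("mismatched", MISMATCHED_POLICY, "cn-north-1"),
                               ("wildcard", WILDCARD_POLICY, "us-east-1")]:
        print(name, check_kms_policy(text, region) or "OK")
```

Run it against the policy document you are about to attach to the role that holds the temporary credentials; a partition mismatch is the usual cause of AccessDenied when the same policy template is reused for a China-region endpoint.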