Amazon S3 dual-layer server-side encryption with AWS KMS (DSSE-KMS)


Amazon S3 has recently added support for two independent layers of server-side encryption with AWS KMS (DSSE-KMS) for top-secret workloads. With this launch, Amazon S3 is the only cloud object storage service that supports multiple layers of server-side encryption at the object level.

"DSSE-KMS is designed to meet National Security Agency CNSSP 15 for FIPS compliance and Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption." -- AWS News Blog

CNSA - Commercial National Security Algorithm Suite
CNSSP - Committee on National Security Systems Policy

Each layer of encryption uses a different implementation of the 256-bit Advanced Encryption Standard with Galois Counter Mode (AES-GCM) algorithm, and each layer has its own data encryption key.

DSSE-KMS uses AWS Key Management Service (AWS KMS) to generate the data keys, so you keep full control over the KMS key permission settings and rotation schedules.

It is great for applications that require

  • rigorous security standards
  • regulatory compliance for data security
  • top-secret workloads such as National Security Systems or US Department of Defense (DoD) customers

To protect data at rest in Amazon S3, there are now 4 different options for server-side encryption:

  • Server-side encryption with Amazon S3 managed keys (SSE-S3)
  • Server-side encryption with AWS KMS (SSE-KMS)
  • Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
  • Server-side encryption with customer-provided keys (SSE-C)

S3 Bucket Key is not supported for dual-layer server-side encryption with KMS keys (DSSE-KMS).

Amazon S3 supports only symmetric encryption KMS keys.

DSSE-KMS can be used through the Amazon S3 console, the Amazon S3 REST API, and the AWS Command Line Interface (AWS CLI).

If DSSE-KMS is specified at the S3 bucket level, the encryption is applied to all new objects by default.

Amazon S3 server-side encryption setting: DSSE-KMS

For the REST API, pass the following headers with the PUT or COPY request: x-amz-server-side-encryption: aws:kms:dsse and x-amz-server-side-encryption-aws-kms-key-id: <key-id>. If the KMS key ARN is not passed, the AWS managed key (aws/s3) is used by default.

In the AWS CLI, pass the following options when creating an object: --server-side-encryption aws:kms:dsse and --ssekms-key-id <key-id>. If --ssekms-key-id is not provided, the AWS managed key (aws/s3) is used.

aws s3api put-object --bucket <bucket> --key <object-key> --server-side-encryption aws:kms:dsse --ssekms-key-id <key-id> --body filepath

To enforce dual-layer encryption, IAM and Bucket policies can be used.

Sample Bucket Policy:

{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyObjectUploadsWithoutDSSE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<my-bucket>/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms:dsse"
        }
      }
    }
  ]
}