I covered this in the previous chapter, but for completeness, I will reiterate the process in this section, too.
This diagram shows the five-step encryption process when using SSE-KMS:
Let's understand the process:
- Firstly, the client identifies the object(s) that are to be uploaded to S3, indicating SSE-KMS as the encryption mechanism, selecting either an AWS-managed or customer-managed CMK.
- Amazon S3 will respond by initiating a request to generate Data Encryption Keys (DEKs) from KMS to allow S3 to encrypt the data submitted by the client.
- Using the CMK selected in step 1, KMS will then generate two data keys: a plaintext data key and an encrypted version of that same data key.
- KMS will send both of these data keys back to S3 to allow S3 to begin the encryption process using the plaintext data key.
- At this stage, S3 then encrypts the object data with the plaintext version of the data key and stores the resulting...