How to protect data using client-side encryption
Client-side encryption is configured through the AWS SDKs, and the encryption keys can be managed in one of two ways: with an AWS KMS-managed customer master key (CMK) or with a client-side master key.
When client-side encryption is used, the AWS SDKs use the Amazon S3 encryption client to encrypt the data before it is sent to the S3 bucket. Amazon S3 only receives and stores the already-encrypted data; it neither encrypts nor decrypts it. The two options for the encryption keys are:
AWS KMS-managed customer master key (CMK)
When using the Amazon S3 encryption client in the AWS SDK, the client calls AWS KMS to verify that the user is allowed to use the customer master key. If so, KMS returns two versions of the data encryption key: a plaintext data key and a cipher blob of the same data key encrypted with the customer master key. The encryption client then encrypts the data using the plaintext key and removes...
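The write and read paths just described, as an added example that is not part of the original page or of the AWS SDK: a constructed `FakeKMS` type stands in for AWS KMS so the code runs offline, its `GenerateDataKey` and `Decrypt` methods mirror the two KMS calls the S3 encryption client makes, and `PutObjectClientSide` / `GetObjectClientSide` are assumed names for the client's envelope-encryption steps. AES-256-GCM from the Go standard library is used both to wrap the data key under the CMK and to encrypt the object body; the real S3 encryption client's exact cipher modes and metadata names are not claimed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FakeKMS is a constructed stand-in for AWS KMS. It holds the customer master
// key (CMK) and never releases it; callers only ever receive data keys.
type FakeKMS struct {
	cmk        []byte          // 32-byte master key, stays inside "KMS"
	authorized map[string]bool // principals allowed to use the CMK (stand-in for the key policy)
}

func NewFakeKMS(authorized ...string) (*FakeKMS, error) {
	cmk := make([]byte, 32)
	if _, err := rand.Read(cmk); err != nil {
		return nil, err
	}
	k := &FakeKMS{cmk: cmk, authorized: map[string]bool{}}
	for _, p := range authorized {
		k.authorized[p] = true
	}
	return k, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM; the random nonce is prefixed to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or AAD is rejected.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// GenerateDataKey mirrors the KMS call made on the write path: after the
// authorization check it returns a fresh data key twice, in plaintext and
// wrapped under the CMK.
func (k *FakeKMS) GenerateDataKey(principal string) (plainKey, wrappedKey []byte, err error) {
	if !k.authorized[principal] {
		return nil, nil, fmt.Errorf("access denied: %s may not use the CMK", principal)
	}
	plainKey = make([]byte, 32)
	if _, err = rand.Read(plainKey); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = sealGCM(k.cmk, plainKey, []byte("data-key")); err != nil {
		return nil, nil, err
	}
	return plainKey, wrappedKey, nil
}

// Decrypt unwraps a data key on the read path; the CMK still never leaves KMS.
func (k *FakeKMS) Decrypt(principal string, wrappedKey []byte) ([]byte, error) {
	if !k.authorized[principal] {
		return nil, fmt.Errorf("access denied: %s may not use the CMK", principal)
	}
	return openGCM(k.cmk, wrappedKey, []byte("data-key"))
}

// StoredObject is all that reaches the bucket: ciphertext plus the wrapped data
// key carried as object metadata. S3 can decrypt neither part.
type StoredObject struct {
	Body       []byte
	WrappedKey []byte
}

// PutObjectClientSide: obtain a data key, encrypt locally, wipe the plaintext
// key, then send ciphertext and wrapped key. The wrapped key is used as AAD so
// a body cannot be re-paired with a different key blob.
func PutObjectClientSide(kms *FakeKMS, principal string, data []byte) (*StoredObject, error) {
	plainKey, wrappedKey, err := kms.GenerateDataKey(principal)
	if err != nil {
		return nil, err
	}
	body, err := sealGCM(plainKey, data, wrappedKey)
	for i := range plainKey { // plaintext key is no longer needed: remove it from memory
		plainKey[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &StoredObject{Body: body, WrappedKey: wrappedKey}, nil
}

// GetObjectClientSide: have KMS unwrap the data key, then decrypt locally.
func GetObjectClientSide(kms *FakeKMS, principal string, obj *StoredObject) ([]byte, error) {
	plainKey, err := kms.Decrypt(principal, obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	defer func() {
		for i := range plainKey {
			plainKey[i] = 0
		}
	}()
	return openGCM(plainKey, obj.Body, obj.WrappedKey)
}

func main() {
	kms, _ := NewFakeKMS("alice")
	secret := []byte("constructed sample payload: customer record 42")
	obj, _ := PutObjectClientSide(kms, "alice", secret)
	back, err := GetObjectClientSide(kms, "alice", obj)
	fmt.Printf("bucket stores %d ciphertext bytes; decrypted %q (err=%v)\n", len(obj.Body), back, err)
	_, err = PutObjectClientSide(kms, "mallory", secret)
	fmt.Println("unauthorized principal:", err)
}
```

Two things to check against this flow in a real deployment: the plaintext data key must exist only for the duration of the local encrypt or decrypt (here it is zeroed as soon as it is used), and the KMS authorization check on `Decrypt` means a principal who can read the bucket but is not allowed on the CMK's key policy gets ciphertext and an unusable wrapped key, nothing more.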