S3 DSSE-KMS (Dual-Layer Server-Side Encryption)

Introducing S3 DSSE-KMS (Dual-Layer Server-Side Encryption)

DSSE-KMS is like a double layer of security for your data without the need for fancy equipment. It uses two layers of encryption, both using the super secure 256-bit Advanced Encryption Standard with Galois Counter Mode (AES-GCM) algorithm. It teams up with AWS Key Management Service (AWS KMS) to let you create data keys. That way, you’re in control with customizable permissions and key rotation schedules.

But what’s AWS Key Management Service (KMS)?

AWS KMS is a handy tool that takes care of encryption keys for you. It’s fully managed and plays nicely with various AWS services, including Amazon S3. It’s like your central hub for keeping keys secure.

When to Use DSSE-KMS

Let’s see when DSSE-KMS is your go-to choice:12

Regulatory Compliance: Say you’re in healthcare and need to stash sensitive patient records in Amazon S3. Regulations demand top-notch encryption to safeguard patient data. DSSE-KMS is your knight in shining armor, helping you stay compliant and keeping those records safe.

Enhanced Security Requirements: If you deal with super-sensitive data like intellectual property or personal info (PII), DSSE-KMS is your sidekick. Imagine a financial institution holding customer financial records in Amazon S3. DSSE-KMS acts as an extra layer of security to keep that data locked up.

Industry Best Practices: Using DSSE-KMS isn’t just smart; it’s what the pros do. It shows you’re serious about data security and boosts your organization’s overall safety. It’s like wearing your seatbelt – it’s just the right thing to do.

Implementing DSSE-KMS in Amazon S3: A Step-by-Step Guide

Let’s make this practical with a real-world example. Imagine you’re XYZ Corp, a software company, and you want to keep your source code safe in Amazon S3 using DSSE-KMS.3

Step 1: Creating an AWS KMS Key

Start by heading to the AWS Management Console. Find AWS KMS and click “Create key.” Set up your key with the right settings. This key will do the heavy lifting for encrypting and decrypting data encryption keys used by Amazon S3.

Step 2: Configuring Bucket-Level Encryption

Choose your S3 bucket or create a new one to store your source code. In the bucket settings, turn on default encryption and pick DSSE-KMS as your encryption option. Select the AWS KMS key you created in the previous step.

Step 3: Uploading Objects with DSSE-KMS

To upload your source code files securely with DSSE-KMS encryption, you’ll use the AWS Command Line Interface (CLI). Run a command like this to upload a file named “app.py” to your encrypted S3 bucket:

aws s3api put-object --bucket xyz-corp-bucket --key app.py --server-side-encryption aws:kms:dsse --ssekms-key-id <KMS_KEY_ID> --body app.py

This command tells AWS to use DSSE-KMS for encryption and specifies the AWS KMS key ID to use.

Step 4: Retrieving and Decrypting Objects

When you need to grab your objects, it’s easy. You can access your DSSE-KMS encrypted source code files just like normal. Amazon S3 takes care of decrypting it for you. For example, to get the “app.py” file, use this command:

aws s3api get-object --bucket xyz-corp-bucket --key app.py app.py

Amazon S3 does the decryption using the right AWS KMS key, so you can work with your source code securely.

Best Practices and Considerations

Here are some things to keep in mind:

Key Management and Access Control: Make sure your AWS KMS keys are locked up tight. Use strong access controls, give permissions sparingly, and stick to key rotation schedules as per your security policies.

Monitoring and Auditing: Keep an eye on who’s touching your DSSE-KMS encrypted objects. Tools like AWS CloudTrail and Amazon S3 access logs help you track key usage and spot any unauthorized access.


  1. New – Amazon S3 Dual-Layer Server-Side Encryption with Keys Stored in AWS Key Management Service (DSSE-KMS) | Amazon Web Services. (2023, June 20). Amazon Web Services. https://aws.amazon.com/blogs/aws/new-amazon-s3-dual-layer-server-side-encryption-with-keys-stored-in-aws-key-management-service-dsse-kms/ ↩︎
  2. Verma, A. K. (2023, June 19). Newly Launched Dual-Layer Server-Side Encryption with Keys Stored in AWS Key Management Service for AWS S3. Medium. https://medium.com/@a.verma2609/newly-launched-dual-layer-server-side-encryption-with-keys-stored-in-aws-key-management-service-for-e3133a9b3a85 ↩︎
  3. Specifying dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) – Amazon Simple Storage Service. (n.d.). https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-dsse-encryption.html ↩︎