Thursday, January 29, 2026

What is DSSE-KMS in AWS?

DSSE-KMS (Dual-Layer Server-Side Encryption with AWS Key Management Service) is an Amazon S3 encryption option that applies two independent layers of encryption to objects at rest. It helps meet strict compliance requirements (such as CNSSP 15) by using AWS KMS keys to encrypt data twice, giving highly sensitive workloads stronger protection than single-layer server-side encryption.

Key Features and Benefits

Dual-Layer Protection: Uses two distinct cryptographic libraries and data keys to encrypt objects, providing a higher level of assurance than single-layer encryption.

KMS Key Management: Uses AWS KMS to manage the master keys, allowing users to define permissions and audit usage.

Compliance Ready: Designed to meet rigorous standards, including the National Security Agency (NSA) CNSSP 15 for two layers of Commercial National Security Algorithm (CNSA) encryption.

Easy Implementation: Can be configured as the default encryption for an S3 bucket or specified in PUT/COPY requests.

Enforceable Security: IAM and bucket policies can be used to enforce this encryption type, ensuring all uploaded data is encrypted. 

DSSE-KMS is particularly aimed at US Department of Defense (DoD) customers and other industries requiring top-secret data handling.
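The "Easy Implementation" and "Enforceable Security" points above, worked through as an added example (not code from the original post): the bucket default-encryption rule that selects DSSE-KMS, the bucket policy that denies uploads not declaring it, and a local check of sample PutObject headers against that policy. The bucket name and KMS key ARN are constructed placeholders.

```python
"""Added example (not from the original post): S3 default encryption
and bucket policy enforcing DSSE-KMS, plus a local check of sample
PutObject headers. Bucket name and KMS key ARN are placeholders."""
import json

DSSE_KMS = "aws:kms:dsse"  # x-amz-server-side-encryption value for DSSE-KMS
SSE_HEADER = "x-amz-server-side-encryption"
COND_KEY = "s3:" + SSE_HEADER  # matching IAM condition key
BUCKET = "example-dsse-bucket"  # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def default_encryption_config(kms_key_arn: str) -> dict:
    """PutBucketEncryption body: objects uploaded without an SSE header
    are encrypted server-side with two layers under this KMS key."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": DSSE_KMS, "KMSMasterKeyID": kms_key_arn}}]}


def enforce_dsse_policy(bucket: str) -> dict:
    """Bucket policy denying PutObject unless the request declares DSSE-KMS.
    One statement catches a missing header, the other a wrong value."""
    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyUnencryptedUploads", {"Null": {COND_KEY: "true"}}),
        deny("DenyNonDsseUploads", {"StringNotEquals": {COND_KEY: DSSE_KMS}}),
    ]}


def put_allowed(policy: dict, headers: dict) -> bool:
    """Local simulation of the two Deny conditions (not a full IAM engine).
    A missing header fails both: Null matches it, and negated operators such
    as StringNotEquals also match when the key is absent from the request."""
    value = headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        if "Null" in cond and value is None:
            return False
        if "StringNotEquals" in cond and value != cond["StringNotEquals"][COND_KEY]:
            return False
    return True


if __name__ == "__main__":
    policy = enforce_dsse_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for hdrs in ({SSE_HEADER: DSSE_KMS}, {SSE_HEADER: "aws:kms"}, {}):
        print(hdrs, "->", "allowed" if put_allowed(policy, hdrs) else "denied")
```

Single-layer SSE-KMS (`aws:kms`) uploads are denied by the second statement, so the policy cannot be satisfied by the weaker option.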

