SSE-KMS

In SSE-KMS mode, OBS uses the keys provided by KMS for server-side encryption. When an object encrypted using SSE-KMS is added to a bucket in a region for the first time, OBS creates a default customer master key (CMK), which is used to encrypt and decrypt the keys provided by KMS. The SSE-KMS mode does not support the keys created by customers. The bucket ACL and policy do not allow cross-tenant authorized access to objects encrypted using SSE-KMS.

Two headers are added to support SSE-KMS in SSE-KMS mode.

x-amz-server-side-encryption

Indicates that SSE-KMS is used. Objects are encrypted using SSE-KMS.

Example:

x-amz-server-side-encryption:aws:kms

x-amz-server-side-encryption-aws-kms-key-id

Indicates the master key ID of an encrypted object. This header is used in SSE-KMS mode. If the customer does not provide the master key, the default master key will be used.

Example:

x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:sichuan:domainiddomainiddomainiddoma0001:key/4f1cd4de-ab64-4807-920a-47fc42e7f0d0

Table 1 Interfaces to which the newly added headers apply

Interfaces

PUT Object

POST Object

PUT Object - Copy (the newly added headers apply to target objects)

Initiate Multipart Upload

OBS supports bucket policies. You can use a bucket policy to implement server-side encryption on all the objects stored in a bucket. For example, a tenant's object upload request does not contain the header x-amz-server-side-encryption:"aws:kms" for server-side encryption (SSE-KMS), the following bucket policy will reject the upload request.

{

"Version":"2008-10-17",

"Id":"PutObjPolicy",

"Statement":[{

"Sid":"DenyUnEncryptedObjectUploads",

"Effect":"Deny",

"Principal":"*",

"Action":"s3:PutObject",

"Resource":"arn:aws:s3:::YourBucket/*",

"Condition":{

"StringNotEquals":{

"s3:x-amz-server-side-encryption":"aws:kms"

}

}

}

}

Registration