Understanding SSE Behaviour During S3 Object Copy Within the Same Bucket

By Krishna Ramaswamy posted Wed November 27, 2024 08:57 AM

  
Problem Statement:
 
    Q: When using S3 copy with SSE (Server-Side Encryption), if an object within an encrypted bucket is copied to another object with a different name within the same bucket, will the encryption attributes (e.g., KMSMasterKeyID) remain the same?
 
    A: Yes. When using S3 copy with Server-Side Encryption (SSE) and copying an object within the same bucket (even with a different name), the encryption attributes, such as the KMSMasterKeyID, will remain the same if you do not explicitly specify new encryption settings during the copy operation.
 
Details:
 
a. SSE-S3: If the original object was encrypted with SSE-S3 (AWS-managed keys), the copied object will also be encrypted with SSE-S3 by default.
 
b. SSE-KMS: If the original object was encrypted with SSE-KMS (using a specific KMSMasterKeyID), the copied object will retain the same KMSMasterKeyID unless explicitly overridden during the copy operation.
 
c. SSE-C: If using SSE-C (customer-provided keys), you must provide the same encryption key during the copy operation; otherwise, the copy will fail.
 
Considerations:
The x-amz-server-side-encryption header controls the encryption settings during the copy. If this header is not specified in the copy request, S3 will default to retaining the encryption configuration of the source object. If you explicitly set a different encryption configuration in the copy request, the new object will have the specified encryption settings.
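
One way to check this on your own endpoint, as an added example (not code from the original post): the function below performs a copy with no SSE parameters and compares the `ServerSideEncryption` and `SSEKMSKeyId` fields that HeadObject returns for the source and the copy. The `StubS3` class, bucket name, object keys and key IDs are constructed stand-ins so the block runs offline; the function names are hypothetical.

```python
# Added example: compare SSE attributes of a source object and its copy.
# `s3` is any client exposing boto3's S3 copy_object/head_object calls.
SSE_FIELDS = ("ServerSideEncryption", "SSEKMSKeyId")


def sse_attrs(s3, bucket, key):
    """Return the SSE-related fields of a HeadObject response."""
    head = s3.head_object(Bucket=bucket, Key=key)
    return {f: head.get(f) for f in SSE_FIELDS}


def copy_and_compare(s3, bucket, src_key, dst_key):
    """Copy within one bucket with no SSE parameters, then diff SSE fields.

    Returns {field: (source_value, copy_value)} for each field that differs;
    an empty dict means the copy kept the source's encryption attributes.
    """
    before = sse_attrs(s3, bucket, src_key)
    s3.copy_object(Bucket=bucket, Key=dst_key,
                   CopySource={"Bucket": bucket, "Key": src_key})
    after = sse_attrs(s3, bucket, dst_key)
    return {f: (before[f], after[f]) for f in SSE_FIELDS if before[f] != after[f]}


class StubS3:
    """Constructed in-memory stand-in so the example runs offline.

    retain=True models the behaviour described in this post; retain=False
    models an endpoint that applies a different key to the copy.
    """
    def __init__(self, retain=True):
        self.retain = retain
        self.objects = {("demo-bucket", "a.txt"): {
            "ServerSideEncryption": "aws:kms",
            "SSEKMSKeyId": "constructed-key-id-1"}}

    def head_object(self, Bucket, Key):
        return dict(self.objects[(Bucket, Key)])

    def copy_object(self, Bucket, Key, CopySource):
        meta = dict(self.objects[(CopySource["Bucket"], CopySource["Key"])])
        if not self.retain:
            meta["SSEKMSKeyId"] = "constructed-key-id-2"
        self.objects[(Bucket, Key)] = meta


if __name__ == "__main__":
    for retain in (True, False):
        print(retain, copy_and_compare(StubS3(retain), "demo-bucket", "a.txt", "b.txt"))
```

To run it against a real bucket, pass a boto3 S3 client in place of `StubS3`; a non-empty result names the attribute that changed on the copy.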

Summary:
In summary, for a simple copy operation within the same bucket without overriding encryption settings, the encryption attributes like KMSMasterKeyID will stay the same.