source link: https://www.infoq.com/news/2023/06/aws-s3-dsse-kms/?itm_source=infoq&itm_medium=popular_widget&itm_campaign=popular_content_list&itm_content=

AWS Launches Amazon S3 Dual-Layer Server-Side Encryption with Keys Stored in AWS KMS

Jun 20, 2023 2 min read

Recently AWS launched Amazon S3 dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS), a new encryption option in Amazon S3 that applies two layers of encryption to objects when they are uploaded to an Amazon Simple Storage Service (Amazon S3) bucket.

The company designed DSSE-KMS to meet the National Security Agency's CNSSP 15 for FIPS compliance and the Data-at-Rest Capability Package (DAR CP) Version 5.0 guidance for two layers of CNSA encryption, so customers can use DSSE-KMS to fulfill regulatory requirements that call for multiple layers of encryption on their data.

With the launch of DSSE-KMS, Amazon S3 now offers four options for server-side encryption:

[Image: table of the four Amazon S3 server-side encryption options]

Source: https://aws.amazon.com/blogs/aws/new-amazon-s3-dual-layer-server-side-encryption-with-keys-stored-in-aws-key-management-service-dsse-kms/

DSSE-KMS allows users to request dual-layer server-side encryption (DSSE) when uploading or copying an object through a PUT or COPY request. Additionally, they can configure an S3 bucket so that DSSE is automatically applied to all new objects, and they can use IAM and bucket policies to enforce DSSE-KMS. Each encryption layer employs a distinct cryptographic implementation library with its own data encryption keys, so DSSE-KMS helps protect sensitive data against the low-probability event of a vulnerability in one layer's cryptographic implementation.
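The three enforcement points just described (the per-request header, the bucket default, and a bucket policy), as an added example that is not code from the article or from AWS. The bucket name and KMS key ARN are placeholders, and `upload_allowed` is a small local check that models only the policy's two Deny conditions, not a general IAM evaluator.

```python
BUCKET = "example-bucket"                                          # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
DSSE = "aws:kms:dsse"  # SSE algorithm value S3 uses for dual-layer KMS encryption
SSE_KEY = "s3:x-amz-server-side-encryption"  # policy condition key for that header


def put_object_kwargs(bucket, key, body, kms_key_arn):
    """Arguments for boto3 S3.Client.put_object requesting DSSE-KMS for one object."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": DSSE, "SSEKMSKeyId": kms_key_arn}


def default_encryption_config(kms_key_arn):
    """ServerSideEncryptionConfiguration for put_bucket_encryption: DSSE-KMS by default."""
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": DSSE, "KMSMasterKeyID": kms_key_arn}}]}


def dsse_enforcing_bucket_policy(bucket):
    """Bucket policy denying any PutObject that does not ask for DSSE-KMS.

    Two Deny statements: StringNotEquals catches a request naming another
    algorithm, Null catches one sending no encryption header at all. An
    explicit Deny overrides any Allow, so broad PutObject grants cannot bypass it."""
    arn = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOtherAlgorithm", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"StringNotEquals": {SSE_KEY: DSSE}}},
        {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arn,
         "Condition": {"Null": {SSE_KEY: "true"}}}]}


def upload_allowed(policy, request_headers):
    """Local pre-check of a PUT's headers against the policy above.

    Models only the two operators on this one condition key (not a general
    IAM evaluator); header names are matched case-insensitively."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    sse = headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        # A header naming any other algorithm trips the StringNotEquals deny
        if "StringNotEquals" in cond and sse not in (None, cond["StringNotEquals"][SSE_KEY]):
            return False
        if "Null" in cond and sse is None:  # no header at all trips the Null deny
            return False
    return True
```

The policy only blocks uploads that do not request DSSE-KMS; pair it with `default_encryption_config` so objects written by tooling that sends no header still land encrypted twice.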

Users can leverage DSSE-KMS via the AWS CLI, AWS Management Console, or using the Amazon S3 REST API.

Regarding the DSSE-KMS, Rob Fuller, a Red Team tactics trainer, tweeted:

If you didn't see this, please go have your cloud teams (or if that's you) enable this today (or your next maintenance window).

In addition, Irshad A Buchh, a principal solutions architect at AWS, states in an AWS News blog post:

Amazon S3 is the only cloud object storage service where customers can apply two layers of encryption at the object level and control the data keys used for both layers. DSSE-KMS makes it easier for highly regulated customers to fulfill the rigorous security standards, such as the US Department of Defense (DoD) customers.

Meanwhile, in a LinkedIn post about DSSE-KMS by Joshua Bregler, a senior security manager at McKinsey Digital, Kieran Miller, a chief architect at Garantir, commented:

Dual encryption is great if the keys are stored separately and under control of different entities. What's the threat model for this use case where both keys are stored in your AWS KMS account and all the encryption happens server-side? Is it likely that I would compromise one KMS key but not the other?

I suppose I could see value if one of the KMS keys is stored externally via AWS KMS External Key Store or in another account under a different entity's control. Are these use cases supported?

Amazon S3 dual-layer server-side encryption with keys stored in AWS KMS (DSSE-KMS) is available today in all AWS Regions; pricing details are on the Amazon S3 pricing page (Storage tab) and the AWS KMS pricing page.

About the Author

Steef-Jan Wiggers

Steef-Jan Wiggers is one of InfoQ's senior cloud editors and works as an Integration Architect at i8c in The Netherlands. His current technical expertise focuses on integration platform implementations, Azure DevOps, and Azure Platform Solution Architectures. Steef-Jan is a board member of the Dutch Azure User Group, a regular speaker at conferences and user groups, writes for InfoQ, and Serverless Notes. Furthermore, Microsoft has recognized him as Microsoft Azure MVP for the past thirteen years.
