

August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. To prevent breaking changes, AWS KMS is keeping some variations of this term.

Typically, when you protect data in Amazon Simple Storage Service (Amazon S3), you use a combination of AWS Identity and Access Management (IAM) policies and S3 bucket policies to control access, and you use the AWS Key Management Service (AWS KMS) to encrypt the data. This approach is well-understood, documented, and widely implemented. However, many customers want to extend the value of encryption beyond basic protection against unauthorized access to the storage layer where the data resides. They want to enforce a separation of duties between the team that manages access to the storage layer and the team that manages access to the encryption keys. This model ensures that a configuration error made by only one of these teams won’t compromise the data in a way that grants unauthorized access to plaintext. For example, if the team that owns permissions to the S3 bucket mistakenly grants access to unauthorized users, those users will still fail when they attempt to read objects in S3, because nothing has granted them the right to use the KMS key that protects those objects.
