amazon-web-services, amazon-s3, amazon-kms

What benefit is KMS s3 encryption in terms of security if IAM is already controlling access?


What if we have 2 private s3 buckets, one with SSE-KMS named: bucket-kms, one with no encryption: bucket-no-kms.

What is the benefit in security other than the consumer needing the additional KMS permissions? It feels to me like it is giving an additional sanity check: if somebody accidentally made bucket-kms public, or you granted access to some other identity, these mistakes would be protected against by also needing access to the KMS key, whereas bucket-no-kms would be exposed. But that isn't really additional security; it merely makes it more difficult to make a mistake.

As far as security benefits go, the only scenario I can think of is if it were possible for a person to physically gain access to the particular hardware your s3 bucket was using: they could read your vanilla data, and that would make a good case to use SSE-.., but again I would assume that this scenario is something AWS protects against in their processes.

I would also assume that the hardware for S3 is only used for that, and that there is no way to read what somebody else wrote to a particular s3 key after they delete that bucket, so nobody could happen to read your data in an EBS volume by chance etc.

I'm aware of other benefits, such as enabling CloudTrail logs on your KMS key to again see who is reading your data, being able to write key policies etc. But are there any other security benefits I am missing, other than what I have already stated, that make using KMS with s3 inherently more secure? From my perspective I could still make organizational SCPs or IAM permission boundaries which could achieve these same extra permission protections, similar to what SSE-KMS gives you.

TLDR;

What I am really asking is if IAM is going to block a hacker from getting to data in my bucket one way or another, what do I need KMS for?


Solution

  • The primary benefit is that your data is encrypted at rest.

    The decision of when to use this comes down to whether the data in S3 is sensitive (including DB backups); if so you should really encrypt it. The price for storing is negligible, but if it became compromised (whether that's through access to your AWS console or CLI) the user cannot access this.

    KMS uses envelope encryption for storing objects, the process can be a bit complicated but the general premise is the following:

    • When you upload an object the S3 service will reach out to your KMS CMK (Customer Master Key) to generate a data encryption key. This data encryption key will be used to encrypt your object, then attached to your S3 object metadata after being both Base64 encoded and encrypted by the CMK (this is provided to you).
    • When you retrieve an object via S3, the S3 service will use the CMK to decrypt the data encryption key that was attached to your S3 object. Once this is decrypted the unencrypted data encryption key is used to decrypt the object then return it.

    The data encryption key is very key here: the process (known as envelope encryption) actually requires 2 separate encryption keys to retrieve the object. When combined with key policies this helps to mitigate against data leakage even if you were compromised.

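The two-key flow the answer describes, as an added Python model (not code from the question, the answer or AWS): a bucket that was mistakenly opened to `anyone` still refuses the object, because the CMK key policy does not grant that principal `kms:Decrypt`. The `Kms` and `Bucket` classes and the SHA-256 keystream cipher standing in for AES are constructed for illustration only.

```python
import hashlib, secrets

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES (SHA-256 in counter mode, no MAC); symmetric XOR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Kms:
    """One CMK; `allowed` models the key policy (who may GenerateDataKey/Decrypt)."""
    def __init__(self, allowed):
        self._cmk, self.allowed = secrets.token_bytes(32), set(allowed)
    def _authorize(self, principal):
        if principal not in self.allowed:
            raise PermissionError(f"kms:Decrypt denied for {principal}")
    def generate_data_key(self, principal):
        self._authorize(principal)
        dek = secrets.token_bytes(32)                      # plaintext data key
        return dek, _xor_stream(self._cmk, dek)            # plus DEK wrapped by the CMK
    def decrypt(self, principal, wrapped):
        self._authorize(principal)
        return _xor_stream(self._cmk, wrapped)

class Bucket:
    """SSE-KMS bucket; `readers` models who has s3:GetObject via bucket/IAM policy."""
    def __init__(self, kms, readers):
        self.kms, self.readers, self.objects = kms, set(readers), {}
    def put_object(self, principal, key, body):
        dek, wrapped = self.kms.generate_data_key(principal)
        self.objects[key] = (_xor_stream(dek, body), wrapped)   # ciphertext + wrapped DEK
    def get_object(self, principal, key):
        if principal not in self.readers:
            raise PermissionError(f"s3:GetObject denied for {principal}")
        ciphertext, wrapped = self.objects[key]
        dek = self.kms.decrypt(principal, wrapped)   # second gate: the CMK key policy
        return _xor_stream(dek, ciphertext)

def demo():
    """Bucket accidentally readable by 'anyone'; key policy only trusts 'app-role'."""
    kms = Kms(allowed={"app-role"})
    bucket = Bucket(kms, readers={"app-role", "anyone"})
    bucket.put_object("app-role", "backup.sql", b"secret db dump")
    body = bucket.get_object("app-role", "backup.sql")
    try:
        bucket.get_object("anyone", "backup.sql")
        leaked = True
    except PermissionError:
        leaked = False
    return body, leaked
```

Without SSE-KMS the same bucket misconfiguration would hand `anyone` the plaintext; with it, the read still fails at the KMS call, which also lands in CloudTrail as a denied `Decrypt`.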