If you have not gone through the AWS Cost Optimization – Part1 blog, I insist on going through that first. I have discussed cloud computing, AWS 6 pillar of good architect software products and cost optimization considerations concerning data transfer cost.
Here we will discuss cost optimization steps for AWS S3 object encryption cost.
Key Management Service (KMS)
We know that KMS is used to keep and manage keys to encrypt and decrypt data at rest.
- AWS-owned key – Free.
- AWS managed key - No monthly fee; however, Per-use/API call fee.
- The customer ordered the key – Monthly and Per-use/API call fee.
S3 Object Encryption Cost Optimization for Server-side Encryption using AWS Managed Key. (SSE-KMS) using S3 Bucket Keys.
Using S3 bucket-level key for SSE-KMS, we can reduce AWS KMS request costs by up to 99 per cent by decreasing the request traffic from Amazon S3 to AWS KMS. When configuring AWS KMS keys using SSE-KMS, we can configure the bucket to use an S3 Bucket Key for SSE-KMS on new objects.
**Using the AWS CLI, enable default bucket encryption with SSE-KMS and an S3 Bucket Key. **
aws s3api put-bucket-encryption --bucket EXAMPLE-BUCKET --server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "KMS-Key-ARN"
},
"BucketKeyEnabled": true
}
]
}'
We can configure S3 Bucket Key using SDK, REST API, CloudFormation and AWS Console. Check AWS Documentation for more detail.
When S3 Bucket Key is enabled for the source/destination bucket, the encryption context will be the S3 ARN and not the object ARN, like., arn:aws:s3:::bucket_ARN. You need to update your IAM policies to use the bucket ARN for the encryption context.
A unique bucket-level key is generated for each requester to ensure an AWS KMS CloudTrail event captures the requester. Existing objects from the S3 bucket will not use S3 Bucket Key. We can use a COPY operation to configure an S3 Bucket Key for living things. During the COPY operation, we need to add the “x-amz-server-side-encryption-bucket-key-enabled” request header with a “true” or “false” value.
In wrapping up our exploration of unconventional strategies for AWS cost optimization, we've delved into a realm of possibilities beyond surface-level tactics. Part 2 has expanded upon the foundation laid in Part 1, presenting you with even more innovative ways to streamline your AWS expenses and resource utilization.
That’s it from the blog. In the next part of the AWS cost optimization blog series, let's discuss more exciting steps. Please follow Aspire Softserv Pvt. Ltd and our LinkedIn profile to keep up to date about upcoming Blogs or Contact us to solve your business problems with our expert team.
