- Encryption:
  - The client uses an AWS SDK (in this example, the Java client) to create a randomly generated plaintext data key, which is then used to encrypt the object data.
  - A CMK created by the customer then encrypts this plaintext data key.
  - At this point, the encrypted data key and the encrypted object data are sent from the client to S3 for storage.
  - S3 takes the encrypted data key, associates it with the encrypted object, and stores both on S3.
- Decryption:
  - A user requests access to the encrypted object on S3.
  - S3 responds by sending the requested object data, along with the associated encrypted data key, back to the client.
  - Using the AWS SDK, the customer's CMK is then used to decrypt the encrypted data key, recovering the plaintext version of that same data key.
  - The encrypted object can then be decrypted using the plaintext data key, and its contents can be accessed.

As with CSE-KMS, you can see here that all encryption and decryption operations are handled by the client itself. The server (S3) is not involved in this process other than storing the encrypted data that is sent to it.
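The envelope-encryption sequence in the two lists above, written out as an added example that is not taken from the page or from the AWS SDK for Java. It assumes the customer master key is a 256-bit AES key held only by the client, uses AES-GCM both to encrypt the object and to wrap the data key, and stands in for S3 with a plain struct that holds exactly what the server would receive (ciphertext, nonces, wrapped key). The real S3 Encryption Client uses its own metadata layout and wrapping format; this code only demonstrates the key-handling pattern, not that format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is everything the simulated S3 bucket holds for one object.
// The plaintext data key is deliberately absent: only its wrapped form is stored.
type StoredObject struct {
	Ciphertext       []byte // object data encrypted under the per-object data key
	ObjectNonce      []byte // GCM nonce used for the object data
	EncryptedDataKey []byte // data key wrapped under the customer master key (CMK)
	KeyNonce         []byte // GCM nonce used when wrapping the data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a freshly generated random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// unseal decrypts and authenticates; any tampering or wrong key returns an error.
func unseal(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// EncryptObject performs the client-side "Encryption" steps: generate a random
// data key, encrypt the object with it, wrap the data key under the CMK, and
// return the bundle that would be uploaded to S3.
func EncryptObject(cmk, objectData []byte) (StoredObject, error) {
	dataKey := make([]byte, 32) // fresh AES-256 data key per object
	if _, err := rand.Read(dataKey); err != nil {
		return StoredObject{}, err
	}
	objNonce, ct, err := seal(dataKey, objectData)
	if err != nil {
		return StoredObject{}, err
	}
	keyNonce, wrapped, err := seal(cmk, dataKey)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, ObjectNonce: objNonce,
		EncryptedDataKey: wrapped, KeyNonce: keyNonce}, nil
}

// DecryptObject performs the client-side "Decryption" steps: unwrap the data
// key with the CMK, then use the recovered data key to decrypt the object.
func DecryptObject(cmk []byte, obj StoredObject) ([]byte, error) {
	dataKey, err := unseal(cmk, obj.KeyNonce, obj.EncryptedDataKey)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong CMK or tampered metadata")
	}
	return unseal(dataKey, obj.ObjectNonce, obj.Ciphertext)
}

func main() {
	cmk := make([]byte, 32) // constructed placeholder CMK; a real one comes from a key store
	if _, err := rand.Read(cmk); err != nil {
		panic(err)
	}
	obj, err := EncryptObject(cmk, []byte("constructed object body"))
	if err != nil {
		panic(err)
	}
	plain, err := DecryptObject(cmk, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("S3 stores %d ciphertext bytes and a %d-byte wrapped key; client recovered %q\n",
		len(obj.Ciphertext), len(obj.EncryptedDataKey), plain)
}
```

Two points the listed steps imply but do not spell out: the server never sees the CMK or the plaintext data key (the struct holds only the wrapped key), and because AES-GCM is authenticated, a wrong CMK or any modification of the stored bytes fails closed instead of yielding garbage.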