We can upload an object from the console with SSE-KMS as follows:
- Go to the bucket.
- Click Upload, click Add Files, select your file, and then click Next, selecting the defaults in the Set Properties tab.
- In the Set Properties tab, scroll down, select AWS KMS master key, and then select our KMS key (refer to the Getting ready section). Follow the options on the screen to complete the upload:
We can change encryption for an existing object to SSE-KMS as follows:
- Go to the object's Properties tab.
- Go to Encryption, select AWS-KMS, then select your KMS key (refer to the Getting ready section), and then click Save:
We can upload an object from the CLI with SSE-KMS using the following command:
aws s3 cp image-heartin-k.png s3://awsseccookbook/image-heartin-k.png
--sse aws:kms
--sse-kms-key-id cd6b3dff-cfe1-45c2-b4f8-b3555d5086df
--profile awssecadmin
sse-kms-key-id is the ID of the KMS key you created (refer to the Getting ready section).