AWS S3 | bucket key enabled


Problem description

S3 has recently announced the "bucket_key_enabled" option to cache the KMS key used to encrypt the bucket contents, so that the number of calls to the KMS server is reduced.

https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html

So if the bucket is configured with

  • server-side encryption enabled by default
  • the KMS key "key/arn1" used for the above
  • "enable bucket key" selected, so we are caching "key/arn1"; therefore every object in this bucket does not need a call to the KMS server (maybe internally it has a time-to-live etc., but the important thing is that the key is cached, so KMS throttling errors can be avoided)

Given all that, what is the point of overriding the KMS key at object level and still having this "bucket_key_enabled" set?

For example:

bucket/       -> kms1 & bucket_key_enabled
bucket/prefix1 -> kms2 & bucket_key_enabled

Does S3 actually cache the object-key to KMS-key map?

To give you the context, I currently have an application which publishes data to the following structure

bucket/user1 
bucket/user2 

While publishing to these buckets, it explicitly passes the KMS key assigned per user for each object upload.

bucket/user1/obj1 with kms-user-1
bucket/user1/obj2 with kms-user-1
bucket/user1/obj3 with kms-user-1
bucket/user2/obj1 with kms-user-2
bucket/user2/obj2 with kms-user-2
bucket/user2/obj3 with kms-user-2

If S3 is smart enough to reduce this to the following map,

bucket/user1 - kms-user-1
bucket/user2 - kms-user-2

All I have to do is upgrade the SDK library to the latest version and add withBucketKeyEnabled(true) to the PutObjectRequest in the s3Client wrapper we have.

Let me know how it works internally so that we can make use of this feature wisely.

Accepted answer

I finally went with upgrading the SDK to the latest version and passing withBucketKeyEnabled(true) to putObject API calls.

I was able to prove with CloudTrail that the number of calls to the KMS server is the same regardless of whether encryption and bucketKeyEnabled are set at the bucket level or at "each" object level.

KMS key and bucketKeyEnabled = true set at the bucket level; no encryption options passed on the putObject() call:

Calls made to GenerateDataKey() = 10

Calls made to Decrypt() = 60

No encryption settings on the S3 bucket; for each putObject() call I pass the KMS key and bucketKeyEnabled = true:

PutObjectRequest(bucketName, key, inputStream, objectMetadata)
.withSSEAwsKeyManagementParams(SSEAwsKeyManagementParams(keyArn))
.withBucketKeyEnabled<PutObjectRequest>(true)

Calls made to GenerateDataKey() = 10

Calls made to Decrypt() = 60

With this option disabled like below,

PutObjectRequest(bucketName, key, inputStream, objectMetadata)
.withSSEAwsKeyManagementParams(SSEAwsKeyManagementParams(keyArn))

Calls made to GenerateDataKey() = 10011

Calls made to Decrypt() = 10002

Thus I was able to conclude that bucketKeyEnabled works regardless of whether you set it at the bucket level or object level. Although, I do not know how it is optimized for both access patterns internally.
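The answer above counted KMS calls by hand in CloudTrail. As an added example (not part of the original question or answer, and not AWS code), the following stdlib-only script does that count over CloudTrail records and additionally splits each KMS call by whether its encryption context names the bucket ARN (a Bucket Key in use) or a single object ARN (per-object data keys). The records are constructed samples; the field names `eventSource`, `eventName` and `requestParameters.encryptionContext["aws:s3:arn"]` are assumed to match what CloudTrail logs for S3-initiated KMS calls.

```python
import json
from collections import Counter

KMS_SOURCE = "kms.amazonaws.com"
S3_ARN_PREFIX = "arn:aws:s3:::"

# Constructed sample CloudTrail export (not real log data). Only the fields the
# counter reads are present; a bucket-level ARN in the encryption context means
# the call was made for a Bucket Key, an object ARN means a per-object data key.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": KMS_SOURCE, "eventName": "GenerateDataKey",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::bucket"}}},
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::bucket"}}},
    {"eventSource": KMS_SOURCE, "eventName": "GenerateDataKey",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::bucket/user1/obj1"}}},
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::bucket/user1/obj1"}}},
    {"eventSource": KMS_SOURCE, "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::bucket/user2/obj1"}}},
    # An S3 event is present so the filter on eventSource is exercised.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "bucket", "key": "user1/obj1"}},
]})


def classify_context(encryption_context):
    """Return 'bucket' for a bucket ARN, 'object' for an object ARN, else 'other'."""
    arn = encryption_context.get("aws:s3:arn", "")
    if not arn.startswith(S3_ARN_PREFIX):
        return "other"
    # Anything after the bucket name (a '/') identifies a single object.
    return "object" if "/" in arn[len(S3_ARN_PREFIX):] else "bucket"


def count_kms_calls(cloudtrail_json):
    """Count KMS API calls as (eventName, context kind) pairs from a CloudTrail export."""
    counts = Counter()
    for record in json.loads(cloudtrail_json)["Records"]:
        if record.get("eventSource") != KMS_SOURCE:
            continue  # Only KMS calls contribute to the request quota we care about.
        params = record.get("requestParameters") or {}
        context = params.get("encryptionContext") or {}
        counts[(record["eventName"], classify_context(context))] += 1
    return counts


if __name__ == "__main__":
    for (name, kind), n in sorted(count_kms_calls(SAMPLE_RECORDS).items()):
        print(f"{name:16s} {kind:7s} {n}")
```

A high ratio of object-scoped to bucket-scoped calls for a bucket that is supposed to use Bucket Keys is the signal that some writer is still uploading without the option enabled.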
