

# Protecting S3 table data with encryption
<a name="s3-tables-encryption"></a>

# Using server-side encryption with AWS KMS keys (SSE-KMS) in table buckets
<a name="s3-tables-kms-encryption"></a>

**Topics**
+ [How SSE-KMS works for tables and table buckets](#kms-tables-how)
+ [Enforcing and scoping SSE-KMS use for tables and table buckets](tables-require-kms.md)
+ [Monitoring and Auditing SSE-KMS encryption for tables and table buckets](#kms-tables-audit)
+ [Permission requirements for S3 Tables SSE-KMS encryption](s3-tables-kms-permissions.md)
+ [Specifying server-side encryption with AWS KMS keys (SSE-KMS) in table buckets](s3-tables-kms-specify.md)

Table buckets have a default encryption configuration that automatically encrypts tables by using server-side encryption with Amazon S3 managed keys (SSE-S3). This encryption applies to all tables in your S3 table buckets, and comes at no cost to you.

If you need more control over your encryption keys, such as managing key rotation and access policy grants, you can configure your table buckets to use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). The security controls in AWS KMS can help you meet encryption-related compliance requirements. For more information about SSE-KMS, see [Using server-side encryption with AWS KMS keys (SSE-KMS)](UsingKMSEncryption.md).

## How SSE-KMS works for tables and table buckets
<a name="kms-tables-how"></a>

SSE-KMS with table buckets differs from SSE-KMS in general purpose buckets in the following ways:
+ You can specify encryption settings for table buckets and individual tables.
+ You can only use customer managed keys with SSE-KMS. AWS managed keys aren't supported.
+ You must grant permissions for certain roles and AWS service principals to access your AWS KMS key. For more information, see [Permission requirements for S3 Tables SSE-KMS encryption](s3-tables-kms-permissions.md). This includes granting access to:
  + The S3 maintenance principal – for performing table maintenance on encrypted tables
  + Your S3 Tables integration role – for working with encrypted tables in AWS analytics services
  + Your client access role – for direct access to encrypted tables from Apache Iceberg clients
  + The S3 Metadata principal – for updating encrypted S3 metadata tables
+ Encrypted tables use table-level data keys that reduce the number of requests made to AWS KMS, which makes working with SSE-KMS encrypted tables more cost effective.

**SSE-KMS encryption for table buckets**  
When you create a table bucket, you can choose SSE-KMS as the default encryption type and select a specific KMS key that will be used for encryption. Any tables created within that bucket will automatically inherit these encryption settings from their table bucket. You can use the AWS CLI, S3 API, or AWS SDKs to modify or remove the default encryption settings on a table bucket at any time. When you modify the encryption settings on a table bucket those settings apply only to new tables created in that bucket. Encryption settings for pre-existing tables are not changed. For more information, see [Specifying encryption for table buckets](s3-tables-kms-specify.md#specify-kms-table-bucket).

**SSE-KMS encryption for tables**  
You also have the option to encrypt an individual table with a different KMS key, regardless of the bucket's default encryption configuration. To set encryption for an individual table, specify the desired encryption key when you create the table. To change the encryption of an existing table, create a new table with the desired key and copy the data from the old table to the new one. For more information, see [Specifying encryption for tables](s3-tables-kms-specify.md#specify-kms-table).

When using AWS KMS encryption, S3 Tables automatically creates unique table-level data keys that encrypt new objects associated with each table. These keys are used for a limited time period, minimizing the need for additional AWS KMS requests during encryption operations and reducing the cost of encryption. This is similar to [S3 Bucket Keys for SSE-KMS](bucket-key.md#bucket-key-overview).

# Enforcing and scoping SSE-KMS use for tables and table buckets
<a name="tables-require-kms"></a>

You can use S3 Tables resource-based policies, KMS key policies, IAM identity-based policies, or any combination of these, to enforce the use of SSE-KMS for S3 tables and table buckets. For more information on identity and resource policies for tables, see [Access management for S3 Tables](s3-tables-setting-up.md). For information on writing key policies, see [Key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*. The following examples show how you can use policies to enforce SSE-KMS.

## Enforcing the use of SSE-KMS for all tables with a table bucket policy
<a name="w2aac20c35c15b3c11b5b1"></a>

This is an example of table bucket policy that prevents users from creating tables in a specific table bucket unless they encrypt tables with a specific AWS KMS key. To use this policy, replace the *user input placeholders* with your own information: 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceKMSEncryptionAlgorithm",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3tables:CreateTable"
      ],
      "Resource": [
        "arn:aws:s3tables:us-west-2:111122223333:bucket/example-table-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3tables:sseAlgorithm": "aws:kms"
        }
      }
    },
    {
      "Sid": "EnforceKMSEncryptionKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3tables:CreateTable"
      ],
      "Resource": [
        "arn:aws:s3tables:us-west-2:111122223333:bucket/example-table-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3tables:kmsKeyArn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  ]
}
```

------

## Requiring users to use SSE-KMS encryption with an IAM policy
<a name="w2aac20c35c15b3c11b7b1"></a>

This IAM identity policy requires users to use a specific AWS KMS key for encryption when creating or configuring S3 Tables resources. To use this policy, replace the *user input placeholders* with your own information:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireSSEKMSOnTables",
      "Action": [
          "s3tables:CreateTableBucket",
          "s3tables:PutTableBucketEncryption",
          "s3tables:CreateTable"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
            "s3tables:sseAlgorithm": "aws:kms"
        }
      }
    },
    {
      "Sid": "RequireKMSKeyOnTables",
      "Action": [
          "s3tables:CreateTableBucket",
          "s3tables:PutTableBucketEncryption",
          "s3tables:CreateTable"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
            "s3tables:kmsKeyArn": "<key_arn>"
        }
      }
    }
  ]
}
```
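As an added example (not part of the AWS documentation), the following Python evaluates the two Deny statements shared by the table bucket policy in the previous section and the IAM policy above against sample `CreateTable` requests. It models only explicit denies, using IAM's rule that a negated operator such as `StringNotEquals` matches when the condition key is absent from the request. The table resource ARN, the second key ARN, and the assumption that a request with no encryption configuration presents neither condition key are constructed for the example; the page does not say whether the bucket default is reflected in those keys.

```python
import fnmatch

# Constructed values standing in for the page's placeholders.
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/9999dddd-99dd-99dd-99dd-999999999999"
BUCKET_ARN = "arn:aws:s3tables:us-west-2:111122223333:bucket/example-table-bucket"

# The two Deny statements used by both the bucket policy and the IAM policy on this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnforceKMSEncryptionAlgorithm", "Effect": "Deny", "Principal": "*",
         "Action": ["s3tables:CreateTable"], "Resource": [BUCKET_ARN + "/*"],
         "Condition": {"StringNotEquals": {"s3tables:sseAlgorithm": "aws:kms"}}},
        {"Sid": "EnforceKMSEncryptionKey", "Effect": "Deny", "Principal": "*",
         "Action": ["s3tables:CreateTable"], "Resource": [BUCKET_ARN + "/*"],
         "Condition": {"StringNotEquals": {"s3tables:kmsKeyArn": KEY_ARN}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate the operators used on this page with IAM semantics.

    StringEquals/StringLike fail when the key is absent from the request; the
    negated StringNotEquals matches when the key is absent, which is what makes
    the Deny bite on requests that say nothing about encryption.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_values = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected_values:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in expected_values):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def matching_denies(policy, action, resource, context):
    """Return the Sids of Deny statements whose action, resource and condition match."""
    hits = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if condition_matches(statement.get("Condition", {}), context):
            hits.append(statement["Sid"])
    return hits


def evaluate_create_table(encryption_configuration, policy=POLICY):
    """Map a CreateTable encryption configuration (the CLI's --encryption-configuration
    document) onto the s3tables condition keys and report which Deny statements fire.

    Assumption: a request with no encryption configuration presents neither key.
    """
    context = {}
    if encryption_configuration:
        if "sseAlgorithm" in encryption_configuration:
            context["s3tables:sseAlgorithm"] = encryption_configuration["sseAlgorithm"]
        if "kmsKeyArn" in encryption_configuration:
            context["s3tables:kmsKeyArn"] = encryption_configuration["kmsKeyArn"]
    # Constructed table resource under the bucket; the policy's Resource pattern covers it.
    resource = BUCKET_ARN + "/table/example"
    return matching_denies(policy, "s3tables:CreateTable", resource, context)


if __name__ == "__main__":
    for config in ({"sseAlgorithm": "aws:kms", "kmsKeyArn": KEY_ARN},
                   {"sseAlgorithm": "aws:kms", "kmsKeyArn": OTHER_KEY_ARN},
                   {"sseAlgorithm": "AES256"},
                   None):
        print(config, "->", evaluate_create_table(config) or "no explicit deny")
```

A request with the approved key passes, one naming another key is caught only by `EnforceKMSEncryptionKey`, and a request that asks for SSE-S3 or says nothing about encryption is caught by both statements, because the absent `s3tables:kmsKeyArn` key satisfies the negated operator.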

## Restricting the use of a key to a specific table bucket with a KMS key policy
<a name="w2aac20c35c15b3c11b9b1"></a>

This example KMS key policy allows principals in a specific account (`arn:aws:iam::111122223333:root` delegates to that account's IAM policies) to use the key only for encryption operations whose encryption context names a specific table bucket. This type of policy is useful for limiting access to a key in cross-account scenarios. To use this policy, replace the *user input placeholders* with your own information: 

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Id": "Id",
  "Statement": [
    {
      "Sid": "AllowPermissionsToKMS",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:s3:arn": "<table-bucket-arn>/*"
        }
      }
    }
  ]
}
```

------

## Monitoring and Auditing SSE-KMS encryption for tables and table buckets
<a name="kms-tables-audit"></a>

To audit the usage of your AWS KMS keys for your SSE-KMS encrypted data, you can use AWS CloudTrail logs. You can get insight into your [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), such as `GenerateDataKey` and `Decrypt`. Because KMS records the encryption context of each call, the `aws:s3:arn` value in a KMS event identifies the table or table bucket that a `GenerateDataKey` or `Decrypt` call served. CloudTrail supports numerous [attribute values](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) for filtering your search, including event name, user name, and event source.

You can track encryption configuration requests for Amazon S3 tables and table buckets by using CloudTrail events. The following operations are recorded with `eventSource` set to `s3tables.amazonaws.com`; the `s3tables:` prefix is the IAM action name, and the operation name after it is what appears in the `eventName` field:
+ `s3tables:PutTableBucketEncryption`
+ `s3tables:GetTableBucketEncryption`
+ `s3tables:DeleteTableBucketEncryption`
+ `s3tables:GetTableEncryption`
+ `s3tables:CreateTable`
+ `s3tables:CreateTableBucket`

**Note**  
EventBridge isn't supported for table buckets.
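The following Python is an added example, not part of the AWS documentation, that runs the checks a detection engineer would want over CloudTrail records offline: it flags removal of default encryption, tables or buckets configured without SSE-KMS or with an unapproved key, failed (denied) attempts, and KMS `GenerateDataKey`/`Decrypt` calls whose `aws:s3:arn` encryption context points outside the expected table bucket. The sample records are constructed; `eventSource` and `eventName` follow CloudTrail's conventions and KMS does log `encryptionContext` under `requestParameters`, but the `requestParameters` layout assumed for the `s3tables` operations mirrors the API request document and should be checked against your own trail.

```python
# Constructed values standing in for the page's placeholders.
APPROVED_KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
TABLE_BUCKET_ARN = "arn:aws:s3tables:us-west-2:111122223333:bucket/example-table-bucket"

# Constructed CloudTrail records trimmed to the fields read below. The requestParameters
# layout for the s3tables operations is an assumption (it mirrors the API request document).
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventSource": "s3tables.amazonaws.com", "eventName": "PutTableBucketEncryption",
     "requestParameters": {"tableBucketARN": TABLE_BUCKET_ARN,
                           "encryptionConfiguration": {"sseAlgorithm": "aws:kms", "kmsKeyArn": APPROVED_KEY}}},
    {"eventID": "e2", "eventSource": "s3tables.amazonaws.com", "eventName": "DeleteTableBucketEncryption",
     "requestParameters": {"tableBucketARN": TABLE_BUCKET_ARN}},
    {"eventID": "e3", "eventSource": "s3tables.amazonaws.com", "eventName": "CreateTable",
     "requestParameters": {"tableBucketARN": TABLE_BUCKET_ARN, "namespace": "mydataset", "name": "orders",
                           "encryptionConfiguration": {"sseAlgorithm": "AES256"}}},
    {"eventID": "e4", "eventSource": "s3tables.amazonaws.com", "eventName": "CreateTable",
     "errorCode": "AccessDenied",
     "requestParameters": {"tableBucketARN": TABLE_BUCKET_ARN, "namespace": "mydataset", "name": "events"}},
    {"eventID": "e5", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3tables:us-west-2:111122223333:bucket/other-table-bucket/table/0b1e2d3c"}}},
    {"eventID": "e6", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "requestParameters": {"encryptionContext": {"aws:s3:arn": TABLE_BUCKET_ARN + "/table/5f2a9c41"}}},
]


def table_bucket_of(s3_arn):
    """Reduce a table ARN (.../bucket/<name>/table/<id>) to its table bucket ARN."""
    return s3_arn.split("/table/", 1)[0]


def classify(record):
    """Return ALERT:/INFO: findings for one CloudTrail record (empty list if benign)."""
    source, name = record.get("eventSource"), record.get("eventName")
    params = record.get("requestParameters") or {}
    findings = []
    if source == "s3tables.amazonaws.com":
        if record.get("errorCode"):
            # A Deny from an enforcing policy shows up here, as a failed call, not as a success.
            findings.append(f"INFO: {name} failed with {record['errorCode']} (policy-blocked attempt?)")
        elif name == "DeleteTableBucketEncryption":
            findings.append("ALERT: DeleteTableBucketEncryption: new tables fall back to SSE-S3")
        elif name in ("PutTableBucketEncryption", "CreateTableBucket", "CreateTable"):
            enc = params.get("encryptionConfiguration")
            alg = enc.get("sseAlgorithm") if enc else None
            key = enc.get("kmsKeyArn") if enc else None
            if enc is None and name == "CreateTable":
                # No explicit configuration means the table inherits the bucket default.
                findings.append("INFO: CreateTable without encryptionConfiguration; verify with GetTableEncryption")
            elif alg != "aws:kms":
                findings.append(f"ALERT: {name} without SSE-KMS (sseAlgorithm={alg})")
            elif key != APPROVED_KEY:
                findings.append(f"ALERT: {name} with unapproved key {key}")
            else:
                findings.append(f"INFO: {name} set SSE-KMS with the approved key")
    elif source == "kms.amazonaws.com" and name in ("GenerateDataKey", "Decrypt"):
        # KMS records the encryption context, so the S3 resource each call served is visible.
        s3_arn = (params.get("encryptionContext") or {}).get("aws:s3:arn")
        if s3_arn and table_bucket_of(s3_arn) != TABLE_BUCKET_ARN:
            findings.append(f"ALERT: {name} served a resource outside the table bucket: {s3_arn}")
    return findings


def scan(records):
    """Flatten findings to (eventID, finding) pairs; feed it the Records list of a trail file."""
    return [(record.get("eventID"), finding) for record in records for finding in classify(record)]


def alert_ids(records):
    """eventIDs that produced an ALERT finding."""
    return [event_id for event_id, finding in scan(records) if finding.startswith("ALERT")]


if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_RECORDS):
        print(event_id, finding)
```

Since EventBridge is not available for table buckets, this kind of scan runs over trail files delivered to S3 (`json.load(f)["Records"]`) or over `LookupEvents` results rather than on a push notification; the `aws:s3:arn` check is what ties a KMS call back to a specific table bucket.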

# Permission requirements for S3 Tables SSE-KMS encryption
<a name="s3-tables-kms-permissions"></a>

When you use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) for tables in S3 table buckets, you need to grant permissions to different identities in your account. At minimum, your access identity and the S3 Tables maintenance principal need access to your key; the other permissions required depend on your use case.

**Required Permissions**   
To access a table encrypted with a KMS key, you need these permissions on that key:  
+ `kms:GenerateDataKey`
+ `kms:Decrypt`

To use SSE-KMS on tables, the Amazon S3 Tables maintenance service principal (`maintenance.s3tables.amazonaws.com`) needs `kms:GenerateDataKey` and `kms:Decrypt` permissions on the key.

**Additional permissions**  
These additional permissions are required depending on your use case:  
+ **Permissions for AWS analytics services and direct access** – If you work with SSE-KMS encrypted tables through AWS analytics services or third-party engines accessing S3 tables directly, the IAM role you use needs permission to use your KMS key.
+ **Permissions with Lake Formation enabled** – If you have opted in to AWS Lake Formation for access control, the Lake Formation service role needs permission to use your KMS key.
+ **Permissions for S3 Metadata tables** – If you use SSE-KMS encryption for S3 Metadata tables, you need to provide the S3 Metadata service principal (`metadata.s3.amazonaws.com`) access to your KMS key. This allows S3 Metadata to update encrypted tables so they will reflect your latest data changes.

**Note**  
For cross-account KMS keys, your IAM role needs both key access permission and explicit authorization in the key policy. For more information about cross-account permissions for KMS keys, see [Allowing external AWS accounts to use a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-console) in the *AWS Key Management Service Developer Guide*.

**Topics**
+ [Granting the S3 Tables maintenance service principal permissions to your KMS key](#tables-kms-maintenance-permissions)
+ [Granting IAM principals permissions to work with encrypted tables in integrated AWS analytics services](#tables-kms-integration-permissions)
+ [Granting IAM principals permissions to work with encrypted tables when Lake Formation is enabled](#tables-kms-lf-permissions)
+ [Granting the S3 Metadata service principal permissions to use your KMS key](#tables-kms-metadata-permissions)

## Granting the S3 Tables maintenance service principal permissions to your KMS key
<a name="tables-kms-maintenance-permissions"></a>

This permission is required to create SSE-KMS encrypted tables and to allow automatic table maintenance like compaction, snapshot management, and unreferenced file removal on the encrypted tables.

**Note**  
Whenever you make a request to create an SSE-KMS encrypted table, S3 Tables checks that the `maintenance.s3tables.amazonaws.com` principal has access to your KMS key. To perform this check, a zero-byte object is temporarily created in your table bucket; this object is automatically removed by the [unreferenced file removal](s3-table-buckets-maintenance.md#s3-table-bucket-maintenance-unreferenced) maintenance operation. If the KMS key you specified for encryption doesn't grant maintenance access, the `CreateTable` operation fails.

To grant maintenance access on SSE-KMS encrypted tables, you can use the following example key policy. In this policy, the `maintenance.s3tables.amazonaws.com` service principal is granted permission to use a specific KMS key for encrypting and decrypting tables in a specific table bucket. To use the policy, replace the *user input placeholders* with your own information:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableKeyUsage",
            "Effect": "Allow",
            "Principal": {
                "Service": "maintenance.s3tables.amazonaws.com"            
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn":"<table-or-table-bucket-arn>/*"
                }
            }
        }
    ]
}
```

------

## Granting IAM principals permissions to work with encrypted tables in integrated AWS analytics services
<a name="tables-kms-integration-permissions"></a>

To work with S3 tables in AWS analytics services, you integrate your table buckets with AWS Glue Data Catalog. This integration allows AWS analytics services to automatically discover and access table data. For more information on the integration, see [Integrating Amazon S3 Tables with AWS analytics services](s3-tables-integrating-aws.md).

When you work with SSE-KMS encrypted tables through AWS analytics services or third-party and open-source engines accessing S3 tables directly, the IAM role you use needs permission to use your AWS KMS key for encryption operations.

You can grant KMS key access through an IAM policy attached to your role or through a KMS key policy.

------
#### [ IAM policy ]

Attach this inline policy to the IAM role you use for querying to allow KMS key access. Replace the KMS key ARN with your own.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKMSKeyUsage",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}
```

------
#### [ KMS key policy ]

Alternatively, attach this statement to your KMS key policy to allow the specified IAM role to use the key. Replace the role ARN with the IAM role you use for querying.

```
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<catalog-account-id>:role/<role-name>"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
    ],
    "Resource": "*"
}
```

------

## Granting IAM principals permissions to work with encrypted tables when Lake Formation is enabled
<a name="tables-kms-lf-permissions"></a>

If you have opted in to AWS Lake Formation for access control on your S3 Tables integration, the Lake Formation service role needs permission to use your AWS KMS key for encryption operations. Lake Formation uses this role to vend credentials on behalf of principals accessing your tables.

The following KMS key policy example grants the Lake Formation service role permission to use a specific KMS key in your account for encryption operations. Replace the placeholder values with your own.

```
{
  "Sid": "AllowTableRoleAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/service-role/S3TablesRoleForLakeFormation"
  },
  "Action": [
      "kms:GenerateDataKey", 
      "kms:Decrypt"
  ],
  "Resource": "<kms-key-arn>"
}
```

## Granting the S3 Metadata service principal permissions to use your KMS key
<a name="tables-kms-metadata-permissions"></a>

To allow Amazon S3 to update SSE-KMS encrypted metadata tables, and perform maintenance on those metadata tables, you can use the following example key policy. In this policy, you allow the `metadata.s3.amazonaws.com` and `maintenance.s3tables.amazonaws.com` service principals to encrypt and decrypt tables in a specific table bucket using a specific key. To use the policy, replace the *user input placeholders* with your own information:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnableKeyUsage",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "maintenance.s3tables.amazonaws.com",
                    "metadata.s3.amazonaws.com"
                ]           
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:s3:arn":"<table-or-table-bucket-arn>/*"
                }
            }
        }
    ]
}
```

------
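As an added example (not AWS code), the following Python lints a KMS key policy for the requirements described in this section: the maintenance principal must be granted `kms:GenerateDataKey` and `kms:Decrypt`, the S3 Metadata principal must be granted them too when metadata tables are in use, and grants to service principals should carry the `kms:EncryptionContext:aws:s3:arn` scoping condition used by the example policies above. The sample key policy is constructed from the statements on this page with placeholders filled in; the metadata statement is deliberately left unscoped to trigger the warning, and the `QueryRole` name is an assumption. The usual root-account statement delegates to IAM policies in the account and does not cover service principals, which is why the linter insists that the maintenance principal be named explicitly.

```python
import fnmatch

REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
MAINTENANCE = "maintenance.s3tables.amazonaws.com"
METADATA = "metadata.s3.amazonaws.com"
SCOPE_KEY = "kms:EncryptionContext:aws:s3:arn"

# Constructed key policy assembled from the statements on this page; the metadata
# statement is intentionally unscoped and QueryRole is an assumed role name.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "EnableKeyUsage", "Effect": "Allow",
         "Principal": {"Service": MAINTENANCE},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringLike": {
             SCOPE_KEY: "arn:aws:s3tables:us-west-2:111122223333:bucket/example-table-bucket/*"}}},
        {"Sid": "MetadataKeyUsage", "Effect": "Allow",
         "Principal": {"Service": METADATA},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/QueryRole"]},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """All AWS and Service principals named by a statement ("*" is returned as-is)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    return {p for kind in ("AWS", "Service") for p in _as_list(principal.get(kind, []))}


def granted_actions(statement):
    """Which of the required actions this statement grants, honouring kms:* style wildcards."""
    patterns = _as_list(statement.get("Action", []))
    return {a for a in REQUIRED_ACTIONS if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def is_scoped(statement):
    """True when any condition block constrains the S3 encryption context."""
    return any(SCOPE_KEY in keys for keys in statement.get("Condition", {}).values())


def lint_key_policy(policy, need_metadata=False):
    """Return ERROR:/WARN: findings for using this key with S3 Tables SSE-KMS."""
    allowed = {}    # principal -> required actions granted to it by Allow statements
    unscoped = []   # (Sid, service principal) granted without an encryption-context condition
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        actions = granted_actions(statement)
        if not actions:
            continue
        for principal in principals_of(statement):
            allowed.setdefault(principal, set()).update(actions)
            if principal.endswith(".amazonaws.com") and not is_scoped(statement):
                unscoped.append((statement.get("Sid"), principal))
    everyone = allowed.get("*", set())  # a literal "*" principal is treated as covering anyone
    findings = []
    missing = REQUIRED_ACTIONS - (allowed.get(MAINTENANCE, set()) | everyone)
    if missing:
        # The root-account statement does not reach service principals, so the
        # maintenance principal must be granted explicitly or CreateTable fails.
        findings.append(f"ERROR: {MAINTENANCE} lacks {sorted(missing)}; CreateTable with this key will fail")
    if need_metadata and REQUIRED_ACTIONS - (allowed.get(METADATA, set()) | everyone):
        findings.append(f"ERROR: {METADATA} lacks GenerateDataKey/Decrypt; encrypted metadata tables will not update")
    for sid, principal in unscoped:
        findings.append(f"WARN: statement {sid!r} grants {principal} without a {SCOPE_KEY} condition")
    return findings


if __name__ == "__main__":
    for finding in lint_key_policy(SAMPLE_KEY_POLICY, need_metadata=True):
        print(finding)
```

Point it at the output of `aws kms get-key-policy --policy-name default` (parsed from the returned JSON string) before you set the key on a table bucket; an `ERROR` line predicts the `CreateTable` failure described in the note above, and a `WARN` line shows a service grant that would let the key be used for any S3 resource rather than the intended table bucket.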

# Specifying server-side encryption with AWS KMS keys (SSE-KMS) in table buckets
<a name="s3-tables-kms-specify"></a>

All Amazon S3 table buckets have encryption configured by default, and all new tables created in a table bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every table bucket. If you want to specify a different encryption type, you can use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).

You can specify SSE-KMS encryption in your `CreateTableBucket` or `CreateTable` requests, or you can set the default encryption configuration in the table bucket in a `PutTableBucketEncryption` request.

**Important**  
To allow automatic maintenance on SSE-KMS encrypted tables and table buckets, you must grant the `maintenance.s3tables.amazonaws.com` service principal permission to use your KMS key. For more information, see [Permission requirements for S3 Tables SSE-KMS encryption](s3-tables-kms-permissions.md).

## Specifying encryption for table buckets
<a name="specify-kms-table-bucket"></a>

You can specify SSE-KMS as the default encryption type when you create a new table bucket, for examples, see [Creating a table bucket](s3-tables-buckets-create.md). After creating a table bucket, you can specify the use of SSE-KMS as the default encryption setting using REST API operations, AWS SDKs, and the AWS Command Line Interface (AWS CLI).

**Note**  
When you specify SSE-KMS as the default encryption type, the key you use for encryption must allow access to the S3 Tables maintenance service principal. If the maintenance service principal does not have access, you will be unable to create tables in that table bucket. For more information, see [Granting the S3 Tables maintenance service principal permissions to your KMS key](s3-tables-kms-permissions.md#tables-kms-maintenance-permissions).

### Using the AWS CLI
<a name="w2aac20c35c15b3c17b9b9b1"></a>

To use the following example AWS CLI command, replace the *user input placeholders* with your own information.

```
aws s3tables put-table-bucket-encryption \
    --table-bucket-arn arn:aws:s3tables:us-east-1:111122223333:bucket/amzn-s3-demo-table-bucket \
    --encryption-configuration '{
        "sseAlgorithm": "aws:kms",
        "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }' \
    --region us-east-1
```

You can remove the default encryption setting for a table bucket using the [DeleteTableBucketEncryption](https://docs.aws.amazon.com/AmazonS3/latest/API/API_s3TableBuckets_DeleteTableBucketEncryption.html) API operation. When you remove the encryption settings, new tables created in the table bucket use the default SSE-S3 encryption; existing tables keep the encryption they were created with.

## Specifying encryption for tables
<a name="specify-kms-table"></a>

You can apply SSE-KMS encryption to a new table when you create it using query engines, REST API operations, AWS SDKs, and the AWS Command Line Interface (AWS CLI). The encryption settings you specify when creating a table take precedence over the default encryption setting of the table bucket.

**Note**  
When you use SSE-KMS encryption for a table the key you use for encryption must allow the S3 Tables maintenance service principal to access it. If the maintenance service principal does not have access, you will be unable to create the table. For more information, see [Granting the S3 Tables maintenance service principal permissions to your KMS key](s3-tables-kms-permissions.md#tables-kms-maintenance-permissions).

**Required permissions**

The following permissions are required to create encrypted tables:
+ `s3tables:CreateTable`
+ `s3tables:PutTableEncryption`

### Using the AWS CLI
<a name="w2aac20c35c15b3c17c13b1"></a>

The following AWS CLI example creates a new table with a basic schema, and encrypts it with a customer managed AWS KMS key. To use the command, replace the *user input placeholders* with your own information.

```
aws s3tables create-table \
  --table-bucket-arn "arn:aws:s3tables:Region:ownerAccountId:bucket/amzn-s3-demo-table-bucket" \
  --namespace "mydataset" \
  --name "orders" \
  --format "ICEBERG" \
  --encryption-configuration '{
    "sseAlgorithm": "aws:kms",
    "kmsKeyArn": "arn:aws:kms:Region:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }' \
  --metadata '{
    "iceberg": {
      "schema": {
        "fields": [
          {
            "name": "order_id",
            "type": "string",
            "required": true
          },
          {
            "name": "order_date",
            "type": "timestamp",
            "required": true
          },
          {
            "name": "total_amount",
            "type": "decimal(10,2)",
            "required": true
          }
        ]
      }
    }
  }'
```

Data protection refers to protecting data while it's in transit (as it travels to and from Amazon S3) and at rest (while it's stored on disks in Amazon S3 data centers). S3 Tables always protects data in transit using Transport Layer Security (1.2 and above) through HTTPS. For protecting data at rest in S3 table buckets, you have the following options:

**Server-side encryption with Amazon S3 managed keys (SSE-S3)**  
All Amazon S3 table buckets have encryption configured by default. The default option for server-side encryption is with Amazon S3 managed keys (SSE-S3). This encryption comes at no cost to you and applies to all tables in your S3 table buckets unless you specify another form of encryption. Each object is encrypted with a unique key. As an additional safeguard, SSE-S3 encrypts the key itself with a root key that it regularly rotates. SSE-S3 uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

**Server-side encryption with AWS KMS keys (SSE-KMS)**  
You can choose to configure table buckets or tables to use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). The security controls in AWS KMS can help you meet encryption-related compliance requirements. SSE-KMS gives you more control over your encryption keys by allowing you to do the following:   
+ Create, view, edit, monitor, enable or disable, rotate, and schedule deletion of KMS keys.
+ Define the policies that control how and by whom KMS keys can be used.
+ Track key usage in AWS CloudTrail to verify your KMS keys are being used correctly.
S3 Tables supports using customer managed keys in SSE-KMS to encrypt tables. AWS managed keys are not supported. For more information on using SSE-KMS for S3 tables and table buckets, see [Using server-side encryption with AWS KMS keys (SSE-KMS) in table buckets](s3-tables-kms-encryption.md).