Amazon S3 Express One Zone now supports AWS KMS with customer managed keys
Amazon S3 Express One Zone now supports server-side encryption with AWS Key Management Service (SSE-KMS) using customer managed keys. By default, S3 Express One Zone encrypts all objects with server-side encryption using S3 managed keys (SSE-S3). With S3 Express One Zone support for customer managed keys, you have more options to encrypt and manage the security of your data. S3 Bucket Keys are always enabled when you use SSE-KMS with S3 Express One Zone, at no additional cost.
With customer managed keys, you can set key policies that govern which IAM roles can decrypt your data, and you can see a full accounting in AWS CloudTrail of the specific keys used to encrypt and decrypt your data. In addition, with S3 Bucket Keys, KMS generates a bucket-level key instead of an individual KMS key for each KMS-encrypted object. S3 Express One Zone uses this bucket key to secure the unique data keys that encrypt objects in a bucket, avoiding the need for additional KMS requests to complete encryption operations. This reduces request traffic to KMS, allowing you to access encrypted objects in S3 Express One Zone at a fraction of the cost while maintaining the same single-digit millisecond data access.
S3 Express One Zone support for SSE-KMS using customer managed keys is available in all AWS Regions where the storage class is available. Get started with KMS for S3 Express One Zone by using the AWS CLI or AWS SDKs to specify the customer managed key for your S3 directory bucket. To learn more, visit the S3 User Guide and AWS News Blog.
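The CloudTrail accounting mentioned above can be turned into a simple audit of who used a customer managed key. The following is an added example, not AWS code: it reads CloudTrail-style KMS records and lists principals that called `Decrypt` without an expected role. The sample records, key ARN, account ID and role names are constructed placeholders, and the helper names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample data: account ID, key ID and role names are placeholders.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
INGEST = "arn:aws:sts::111122223333:assumed-role/ingest-role/job1"
READER = "arn:aws:sts::111122223333:assumed-role/reader-role/app"
DEBUG = "arn:aws:sts::111122223333:assumed-role/debug-role/laptop"

def record(name, principal):
    """Build a CloudTrail-style KMS record trimmed to the fields read below."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": principal},
            "resources": [{"ARN": KEY, "type": "AWS::KMS::Key"}]}

SAMPLE_EVENTS = json.dumps({"Records": [
    record("GenerateDataKey", INGEST), record("Decrypt", READER),
    record("Decrypt", READER), record("Decrypt", DEBUG),
    record("DescribeKey", DEBUG),  # management call, not a data-key operation
]})

def key_usage(trail_json):
    """Count GenerateDataKey/Decrypt calls per (key ARN, principal ARN, event name)."""
    usage = defaultdict(int)
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in ("GenerateDataKey", "Decrypt"):
            continue
        principal = (rec.get("userIdentity") or {}).get("arn", "unknown")
        for res in rec.get("resources") or []:
            if res.get("type") == "AWS::KMS::Key":
                usage[(res["ARN"], principal, rec["eventName"])] += 1
    return dict(usage)

def role_name(principal_arn):
    """Return the role name from an assumed-role session ARN, else None."""
    parts = principal_arn.split(":", 5)[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) >= 3 else None

def unexpected_decrypts(usage, allowed_roles):
    """List (key, principal) pairs that decrypted without an expected role."""
    return sorted({(key, who) for (key, who, name) in usage
                   if name == "Decrypt" and role_name(who) not in allowed_roles})

if __name__ == "__main__":
    usage = key_usage(SAMPLE_EVENTS)
    for (key, who, name), count in sorted(usage.items()):
        print(count, name, who, key)
    print("unexpected:", unexpected_decrypts(usage, {"reader-role"}))
```

Because S3 Bucket Keys reduce the number of KMS requests, these counts reflect KMS calls rather than individual object reads.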