Question: Do server-side encrypted (with S3-managed or KMS-managed keys) files get transitioned to Glacier? If yes, are they decrypted using the S3 or KMS key and then encrypted again using Glacier's internal key, since all objects in Glacier are encrypted using an internal AES-256 key?
Problem statement: I have some files in S3 encrypted using KMS managed key. I have a lifecycle rule to archive to Glacier after 1 day, but the files still show Storage class as 'Standard' even after 3 days.
I checked in AWS docs and forums, but could not find a direct answer to this question.
But what I found was that even CRR does not handle SSE-C and SSE-KMS encrypted objects (under the "what is not replicated" section). Hence I would assume the transition rule also cannot handle SSE-C and SSE-KMS encrypted files, as Glacier supports only AES-256 encryption.
There is nothing in the documentation to suggest that storage class changes from lifecycle policies are incompatible with SSE-KMS.
On archive, S3 objects are moved as is (in SSE-KMS encrypted form) to Glacier, encrypted by Glacier again.
— susan@aws https://forums.aws.amazon.com/thread.jspa?messageID=786916
S3 apparently does not decrypt and re-encrypt, but rather appears to simply encrypt the encrypted version of the object again, so SSE-C should also be compatible.
Note that lifecycle policies can take up to 24 hours before they actually begin transitioning objects, and new objects will match a "1 day" rule between 24 and 48 hours after the object's initial creation.
If there is a large number of objects, you might want to use aws-cli to try to see if any objects have migrated.
aws s3api list-objects --bucket <bucket-name> --output text | grep GLACIER
My lifecycle rules had a filename-specific prefix like 'com/folder-name/Daily-'. I created new lifecycle rules so that they end with the last parent folder name and a trailing slash, 'com/folder-name/'.
After this change and waiting for 24+ hours, both unencrypted and SSE-KMS encrypted files got transitioned to Amazon Glacier.
After transition, I do understand they both got encrypted internally using Glacier-managed keys, as documented in this FAQ: https://aws.amazon.com/glacier/faqs/#security
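The two things the answers above leave the reader to do by hand are (a) working out which object keys a lifecycle rule's prefix filter actually covers and (b) confirming, after the 24-48 hour window, which objects have moved to GLACIER regardless of their encryption. The script below is an added example, not code from the question or either answer: the rule builder mirrors the shape S3's PutBucketLifecycleConfiguration expects, the listing and head-object records are constructed sample data, and the bucket name and key names are made up. The `fetch_contents` helper is the only part that talks to AWS and is kept separate so the rest runs offline.

```python
"""Added example: check lifecycle prefix coverage and transition status.

Not from the original Q&A. The object keys, bucket name and the
list-objects / head-object records below are constructed sample data.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def lifecycle_rule(rule_id: str, prefix: str, days: int,
                   storage_class: str = "GLACIER") -> dict:
    """Build one lifecycle rule with a prefix filter.

    S3 matches the filter prefix as a literal string against the object key,
    so 'com/folder-name/Daily-' only covers keys that start with exactly that,
    while 'com/folder-name/' covers everything under the folder.
    """
    return {
        "ID": rule_id,
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": days, "StorageClass": storage_class}],
    }


def covered_keys(rule: dict, keys: Iterable[str]) -> List[str]:
    """Return the keys the rule's prefix filter would apply to."""
    prefix = rule["Filter"].get("Prefix", "")
    return [k for k in keys if k.startswith(prefix)]


def storage_class_summary(contents: Iterable[dict]) -> Dict[str, int]:
    """Count objects per StorageClass in a list-objects 'Contents' list.

    list-objects omits StorageClass for nothing, but head-object omits it for
    STANDARD objects, so default to STANDARD to handle both record shapes.
    """
    return dict(Counter(o.get("StorageClass", "STANDARD") for o in contents))


def not_yet_transitioned(contents: Iterable[dict],
                         target: str = "GLACIER") -> List[str]:
    """Keys still waiting for the transition (useful inside the 24-48h window)."""
    return [o["Key"] for o in contents
            if o.get("StorageClass", "STANDARD") != target]


def transition_by_encryption(heads: Iterable[dict]) -> Dict[Tuple[str, str], int]:
    """Group head-object responses by (ServerSideEncryption, StorageClass).

    This is the check that shows SSE-KMS objects ('aws:kms') transition just
    like unencrypted ones: both should end up in the GLACIER column.
    """
    return dict(Counter(
        (h.get("ServerSideEncryption", "none"), h.get("StorageClass", "STANDARD"))
        for h in heads))


def fetch_contents(bucket: str, prefix: str = "") -> List[dict]:
    """Live variant: page through list_objects_v2 with boto3.

    Needs credentials and network; boto3 is imported here so the offline
    functions above work without it installed.
    """
    import boto3
    paginator = boto3.client("s3").get_paginator("list_objects_v2")
    contents: List[dict] = []
    for page in paginator.paginate(Bucket=bucket, Prefix=prefix):
        contents.extend(page.get("Contents", []))
    return contents


# Constructed sample list-objects records (bucket 'example-bucket' is made up).
SAMPLE_CONTENTS = [
    {"Key": "com/folder-name/Daily-2019-01-01.csv", "StorageClass": "GLACIER"},
    {"Key": "com/folder-name/Daily-2019-01-02.csv", "StorageClass": "GLACIER"},
    {"Key": "com/folder-name/monthly/2019-01.csv", "StorageClass": "STANDARD"},
    {"Key": "com/other/readme.txt", "StorageClass": "STANDARD"},
]

# Constructed sample head-object records for the same keys.
SAMPLE_HEADS = [
    {"Key": "com/folder-name/Daily-2019-01-01.csv", "StorageClass": "GLACIER",
     "ServerSideEncryption": "aws:kms"},
    {"Key": "com/folder-name/Daily-2019-01-02.csv", "StorageClass": "GLACIER"},
    {"Key": "com/folder-name/monthly/2019-01.csv",
     "ServerSideEncryption": "aws:kms"},
    {"Key": "com/other/readme.txt"},
]

if __name__ == "__main__":
    keys = [o["Key"] for o in SAMPLE_CONTENTS]
    narrow = lifecycle_rule("archive-daily", "com/folder-name/Daily-", 1)
    broad = lifecycle_rule("archive-folder", "com/folder-name/", 1)
    print("narrow rule covers:", covered_keys(narrow, keys))
    print("broad rule covers:", covered_keys(broad, keys))
    print("storage classes:", storage_class_summary(SAMPLE_CONTENTS))
    print("still waiting:", not_yet_transitioned(SAMPLE_CONTENTS))
    print("by encryption:", transition_by_encryption(SAMPLE_HEADS))
```

To run it against a real bucket, replace `SAMPLE_CONTENTS` with `fetch_contents("your-bucket", "com/folder-name/")`; the storage-class summary then gives the same answer as the `grep GLACIER` one-liner, but also lists which keys are still STANDARD so you can tell a prefix mismatch apart from the normal 24-48 hour delay.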