1
00:00:00,770 --> 00:00:03,300
‫So now let's talk about a cool new settings

2
00:00:03,300 --> 00:00:07,430
‫for your S3 Buckets using it with SSE-KMS encryption.

3
00:00:07,430 --> 00:00:08,440
‫And this is a new setting

4
00:00:08,440 --> 00:00:11,070
‫which will allow you to decrease and wait for it.

5
00:00:11,070 --> 00:00:15,070
‫The number of API calls made to KMS from Amazon S3

6
00:00:15,070 --> 00:00:20,070
‫when you use the SSE-KMS type of encryption by 99%.

7
00:00:20,140 --> 00:00:24,240
‫Which will reduce the cost of your overall KMS encryption

8
00:00:24,240 --> 00:00:27,750
‫used by Amazon S3 by also 99%.

9
00:00:27,750 --> 00:00:28,930
‫And how does this work?

10
00:00:28,930 --> 00:00:30,840
‫Well, this leverages data key

11
00:00:30,840 --> 00:00:32,160
‫and more importantly,

12
00:00:32,160 --> 00:00:35,390
‫this thing called an S3 bucket key.

13
00:00:35,390 --> 00:00:36,600
‫So how does that work?

14
00:00:36,600 --> 00:00:39,470
‫Well, a customer master key and KMS

15
00:00:39,470 --> 00:00:41,480
‫is going to be used to generate

16
00:00:41,480 --> 00:00:44,400
‫a data key for your Amazon S3 Bucket once in a while

17
00:00:44,400 --> 00:00:45,580
‫and this key will rotates.

18
00:00:45,580 --> 00:00:47,570
‫But, once in a while and this key's called

19
00:00:47,570 --> 00:00:49,920
‫an Amazon S3 Bucket key.

20
00:00:49,920 --> 00:00:54,460
‫And this key is what's going to be used to encrypt objects

21
00:00:54,460 --> 00:00:57,720
‫in your Amazon S3 Buckets with KMS encryption.

22
00:00:57,720 --> 00:01:00,840
‫So this extra bucket key is going to generate

23
00:01:00,840 --> 00:01:04,050
‫a lot of data keys using envelope encryption

24
00:01:04,050 --> 00:01:08,140
‫which is going to go into encrypting your S3 Buckets.

25
00:01:08,140 --> 00:01:10,350
‫But by adding an S3 Bucket key

26
00:01:10,350 --> 00:01:12,010
‫and not using KMS directly

27
00:01:12,010 --> 00:01:13,800
‫to generate these data keys,

28
00:01:13,800 --> 00:01:15,370
‫we are reducing the number

29
00:01:15,370 --> 00:01:17,660
‫of API calls we are making into KMS.

30
00:01:17,660 --> 00:01:21,830
‫And therefore, we are reducing our costs by a lot.

31
00:01:21,830 --> 00:01:23,580
‫And so this is an optimization

32
00:01:23,580 --> 00:01:26,320
‫of using SSE-KMS to decrease the number

33
00:01:26,320 --> 00:01:28,520
‫of KMS API calls in order,

34
00:01:28,520 --> 00:01:30,520
‫for example, not to have a high bill

35
00:01:30,520 --> 00:01:32,830
‫or not to go over the limits of encryption

36
00:01:32,830 --> 00:01:34,630
‫within your Amazon S3 Buckets

37
00:01:34,630 --> 00:01:37,360
‫but without compromising on security.

38
00:01:37,360 --> 00:01:39,280
‫The result of that is that you will see

39
00:01:39,280 --> 00:01:43,470
‫less CloudTrail events regarding KMS in CloudTrail.

40
00:01:43,470 --> 00:01:45,390
‫And also, you will have

41
00:01:45,390 --> 00:01:48,410
‫a way way lower costs as I said in KMS.

42
00:01:48,410 --> 00:01:49,990
‫So that's it for this lecture.

43
00:01:49,990 --> 00:01:51,680
‫A very good setting to know,

44
00:01:51,680 --> 00:01:54,350
‫especially if you use SSE-KMS at Scale

45
00:01:54,350 --> 00:01:55,770
‫were very high for both.

46
00:01:55,770 --> 00:01:57,290
‫Now let me show you where you can find

47
00:01:57,290 --> 00:02:00,360
‫that setting in the S3 Console.

48
00:02:00,360 --> 00:02:02,110
‫So let's go into the S3 Console

49
00:02:03,330 --> 00:02:05,520
‫and I'm going to create a new buckets.

50
00:02:05,520 --> 00:02:07,550
‫So I'm going to create a buckets

51
00:02:07,550 --> 00:02:08,736
‫and I'll call it,

52
00:02:08,736 --> 00:02:13,410
‫(keyboard typing)
‫Demo S3 Buckets key.

53
00:02:13,410 --> 00:02:14,350
‫Okay?

54
00:02:14,350 --> 00:02:15,790
‫Then we'll block, public settings.

55
00:02:15,790 --> 00:02:17,540
‫We'll disable, versioning.

56
00:02:17,540 --> 00:02:19,680
‫We'll enable, encryption.

57
00:02:19,680 --> 00:02:22,490
‫And it's going to be SSE-KMS,

58
00:02:22,490 --> 00:02:24,273
‫and it's going to be managed key.

59
00:02:24,273 --> 00:02:25,106
‫(mouse clicking)

60
00:02:25,106 --> 00:02:26,700
‫And we are going to enable, bucket keys.

61
00:02:26,700 --> 00:02:28,070
‫So by default, it is enabled now,

62
00:02:28,070 --> 00:02:28,903
‫but we could disable it

63
00:02:28,903 --> 00:02:32,020
‫if we wanted to get every single upload to talk to KMS.

64
00:02:32,020 --> 00:02:33,050
‫But, if you want to enable it

65
00:02:33,050 --> 00:02:34,540
‫we'll just click on enable.

66
00:02:34,540 --> 00:02:37,550
‫And this will use the bucket key to decrease the cost

67
00:02:37,550 --> 00:02:39,570
‫and the number of calls made to KMS

68
00:02:39,570 --> 00:02:41,870
‫without losing any security.

69
00:02:41,870 --> 00:02:42,870
‫So fairly easy,

70
00:02:42,870 --> 00:02:44,520
‫then we create the buckets

71
00:02:44,520 --> 00:02:45,710
‫and we're good to go.

72
00:02:45,710 --> 00:02:48,190
‫And we're now using the bucket key

73
00:02:48,190 --> 00:02:51,020
‫for encryption into our S3 Buckets.

74
00:02:51,020 --> 00:02:53,393
‫So that's it, I will see you in the next lecture.