S3 Bucket Key
An S3 feature that reduces KMS API calls by up to 99% by caching encryption key material at the bucket level rather than making individual KMS requests per object. It is now the primary encryption path as AWS phases out SSE-C for new buckets starting April 2026.
Summary
For S3 workloads with mandatory SSE-KMS encryption (common in regulated industries), Bucket Keys remove the KMS request-rate bottleneck that otherwise limits throughput during high-volume operations like bulk ingestion or compaction. With the SSE-C phase-out (designed to prevent ransomware actors from encrypting victim data with attacker-held keys), Bucket Keys and KMS-based encryption are now the defensive standard.
- Bucket Keys change the request pattern visible in CloudTrail. KMS logs show bucket-level key requests instead of per-object requests, which can affect audit workflows.
- Not supported by all legacy S3 clients. Verify client library compatibility before enabling.
- The SSE-C phase-out affects new buckets first (April 2026). Existing buckets using SSE-C should plan migration to SSE-KMS with Bucket Keys.
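The CloudTrail point above can be checked against an exported trail. The sketch below is an added example, not AWS's or this page's code: it assumes S3's KMS calls carry an `aws:s3:arn` encryption context that is the bucket ARN when a Bucket Key is in use and the object ARN otherwise, and all bucket names, keys and events are constructed.

```python
import json
from collections import defaultdict

S3_ARN = "arn:aws:s3:::"

# Constructed sample: trimmed CloudTrail records (bucket and key names are made up).
SAMPLE_EVENTS = json.loads("""[
 {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-lake"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-lake"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-legacy/reports/q1.csv"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-legacy/reports/q2.csv"}}},
 {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "requestParameters": null},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "requestParameters": {"bucketName": "example-lake", "key": "raw/a.parquet"}}
]""")


def s3_context_scope(event):
    """Return (bucket, "bucket" | "object") for a KMS call made on behalf of S3, else None."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return None
    ctx = (event.get("requestParameters") or {}).get("encryptionContext") or {}
    arn = ctx.get("aws:s3:arn", "")
    if not arn.startswith(S3_ARN):
        return None
    # Bucket names cannot contain "/", so anything after the first "/" is the object key.
    bucket, sep, _key = arn[len(S3_ARN):].partition("/")
    return bucket, ("object" if sep else "bucket")


def summarize(events):
    """Count bucket-level and object-level KMS calls per bucket."""
    counts = defaultdict(lambda: {"bucket": 0, "object": 0})
    for ev in events:
        scoped = s3_context_scope(ev)
        if scoped:
            counts[scoped[0]][scoped[1]] += 1
    return {b: dict(c) for b, c in counts.items()}


def needs_s3_data_events(events):
    """Buckets whose KMS trail no longer names objects; per-object audit must use S3 data events."""
    return sorted(b for b, c in summarize(events).items() if c["bucket"] and not c["object"])


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(needs_s3_data_events(SAMPLE_EVENTS))
```

Buckets returned by `needs_s3_data_events` are the ones where an audit query keyed on object ARNs in KMS events will silently return nothing.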
depends_on: AWS S3 — AWS-specific feature
scoped_to: S3, Object Storage
Definition
An S3 feature that reduces the number of AWS KMS API calls by associating a bucket-level encryption key that is used to generate data keys for objects, rather than making a separate KMS request for every object operation.
S3 workloads with server-side encryption using KMS (SSE-KMS) can generate enormous volumes of KMS API calls, hitting rate limits and incurring significant costs at scale. Bucket Keys reduce KMS request volume by up to 99% by caching the key material at the bucket level. Starting April 2026, AWS disables SSE-C (Server-Side Encryption with Customer-Provided Keys) for new buckets by default to prevent ransomware syndicates from encrypting victim data with attacker-held keys, making KMS-based encryption via Bucket Keys the primary defensive standard.
Cost and rate optimization for SSE-KMS encrypted S3 buckets, high-throughput encrypted data lake operations, compliance-mandated encryption without KMS bottlenecks, migration target for SSE-C phase-out.
Resources
AWS documentation explaining how S3 Bucket Keys reduce KMS API calls and costs for SSE-KMS encrypted buckets.
Security best practices for S3 including Bucket Key configuration and encryption cost optimization.