I'm considering moving away from my current setup because of costs. I have a static site that's served through an S3 origin via CloudFront, and I'm trying to understand the implications of using a bucket key. I've been led to believe that the key policy for the bucket can't be edited, which results in significant decryption costs. I've spent hours trying to get the bucket key to work but so far, no luck. Am I missing something here?
2 Answers
You're on the right track, but there are some important points to note. S3 has two encryption options: SSE-S3 (which is free and uses AWS-managed keys by default) and SSE-KMS (which comes with costs due to using keys you manage). For a static site, you might not even need SSE-KMS—SSE-S3 might be your best bet without incurring extra fees. Also, make sure you're utilizing the newer OAC (Origin Access Control) feature with CloudFront as it supports SSE-KMS, unlike the older OAI method. It seems like bucket keys should work if everything is set up correctly with OAC.
It sounds like you're facing a common issue. Many users have difficulty getting SSE-KMS to work due to the configuration needed. If you're stuck with KMS errors, double-check your IAM permissions and policies. As for your concern about bucket keys, SSE-S3 does work by default, so you might want to try that and see if it meets your needs without the extra costs.
That's good advice! I stumbled on an article that explains OAC's benefits, and it definitely sounds like SSE-S3 could save you a lot of headaches. Good luck, and let us know how it goes when you create everything from scratch!