Transfer customer managed SSE-KMS encrypted objects across AWS accounts and Regions using AWS DataSync

Storage Blog

This article explains how to transfer server-side encrypted (SSE-KMS) objects across AWS accounts and Regions using AWS DataSync while maintaining control over the encryption keys. It covers the prerequisites and steps to configure DataSync, including creating IAM roles, updating KMS key policies, creating DataSync locations and tasks, and verifying the data transfer.

Specifically, the article covers:

Solution overview and encryption options for S3 buckets
Prerequisites for transferring SSE-KMS encrypted data
Steps to create DataSync IAM roles and update KMS key policies
Creating DataSync locations and tasks for the transfer
Verifying the encrypted data transfer
Cleaning up the resources after the proof of concept

Go to article

The AWS News Feed is currently looking for gold sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.

May 31
2024

Transferring data in Amazon S3 between AWS GovCloud (US) Regions and commercial AWS Regions using AWS DataSync

Oct 15
2025

Migrate encrypted Amazon EC2 instances across AWS Regions without sharing AWS KMS keys

Jul 29
2024

Strengthening data security in AWS Step Functions with a customer-managed AWS KMS key

Sep 23
2025

AWS IAM Identity Center organization instances now support customer-managed KMS keys for encryption at rest

The AWS News Feed is currently looking for silver sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.

Transfer customer managed SSE-KMS encrypted objects across AWS accounts and Regions using AWS DataSync

Related articles