Secure data in a multi-tenant environment by automatically enforcing prefix-level encryption keys in Amazon S3
Storage Blog
The article discusses a solution to securely store and isolate data from multiple tenants in a single Amazon S3 bucket. It uses different customer-managed AWS KMS keys to encrypt objects based on their prefix in the bucket, ensuring that data from each tenant is encrypted with a separate key.
Specifically, the article covers:
- Overview of the solution architecture using Lambda, S3 Event Notifications, DynamoDB, SQS, and CloudWatch
- Prerequisites and steps to deploy the solution using AWS CDK
- Demo of the solution showcasing how objects are automatically re-encrypted with the correct KMS key for their prefix
- Additional considerations and caveats, such as object size limitations and handling of S3 Versioning
- Conclusion highlighting the benefits of the solution in maintaining data isolation and security in a multi-tenant environment
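The decision logic such a Lambda runs for each S3 event, as an added example that is not code from the article: it maps an object key to the tenant KMS key for its longest matching prefix, checks the object's current encryption from a HeadObject result, and returns either a skip, a single CopyObject re-encrypt, or a flag for multipart copy when the object is too large for one copy. The prefix-to-key mapping, bucket and key ARNs are constructed placeholders; the article keeps the mapping in DynamoDB.

```python
from typing import Optional

# Constructed sample mapping. The article keeps the prefix-to-key table in DynamoDB;
# here it is inlined so the logic runs offline. Key ARNs are placeholders.
PREFIX_KEYS = {
    "tenant-a/": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-A",
    "tenant-b/": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-B",
    "tenant-b/finance/": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-B-FIN",
}

# A single CopyObject call handles objects up to 5 GiB; larger objects need a
# multipart copy, which is the size limitation the article calls out.
SINGLE_COPY_LIMIT = 5 * 1024 ** 3


def expected_key_for(key: str, prefix_keys: dict) -> Optional[str]:
    """Return the KMS key ARN for the longest prefix matching the object key."""
    matches = [p for p in prefix_keys if key.startswith(p)]
    return prefix_keys[max(matches, key=len)] if matches else None


def plan_reencryption(bucket: str, key: str, head: dict, prefix_keys: dict) -> dict:
    """Decide what the Lambda should do for one object, given its HeadObject result.

    `head` uses the boto3 head_object field names: ContentLength,
    ServerSideEncryption and SSEKMSKeyId (absent when the object is not SSE-KMS).
    """
    wanted = expected_key_for(key, prefix_keys)
    if wanted is None:
        # No tenant key mapped for this prefix: surface it rather than guess a key.
        return {"action": "no_mapping"}
    if head.get("ServerSideEncryption") == "aws:kms" and head.get("SSEKMSKeyId") == wanted:
        # Already correct. This branch also stops the copy below from re-triggering
        # the function forever, since the copy itself emits another S3 event.
        return {"action": "skip"}
    if head.get("ContentLength", 0) > SINGLE_COPY_LIMIT:
        return {"action": "multipart_copy", "kms_key": wanted}
    # In-place copy re-encrypts under the tenant key. With S3 Versioning enabled this
    # creates a new version; the previous version still holds the old ciphertext.
    return {
        "action": "copy",
        "params": {
            "Bucket": bucket,
            "Key": key,
            "CopySource": {"Bucket": bucket, "Key": key},
            "ServerSideEncryption": "aws:kms",
            "SSEKMSKeyId": wanted,
            "MetadataDirective": "COPY",
        },
    }
```

The returned `params` dict is shaped for `s3.copy_object(**params)`; the `no_mapping` and `multipart_copy` outcomes are where an operator alert or a multipart copy would be wired in.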
Related articles
- Oct 13, 2025: Secure customer resource access in multi-tenant SaaS with Amazon VPC Lattice
- Aug 21, 2025: Simplify multi-tenant encryption with a cost-conscious AWS KMS key strategy
- Jan 29, 2025: Design patterns for multi-tenant access control on Amazon S3
- Jan 16, 2025: Preventing unintended encryption of Amazon S3 objects