An AWS-specific feature allows you to use a key managed by the AWS Key Management System. These are referred to as KMS-managed keys. KMS-managed keys can be created from the AWS Web Console and can be limited, if desired, to a subset of the users of an account, allowing extra security. To write to an S3 object at AWS using a KMS-managed key, specify S3Sse=kms and KmsKeyId=<id of the key you want to use>. It is not necessary to specify S3Sse or KmsKeyId when reading. If the user has access to the needed key, the read will succeed.