Amazon Web Services’ Simple Storage Service, known as S3, will now allow users to provide their own keys for server-side encryption.
The new feature is accessible via the S3 APIs: users supply their own encryption key as part of a PUT request, and S3 performs the encryption server-side.
Writing on the Amazon Web Services blog, Amazon said: "You now have a choice – you can use the existing server-side encryption model and let AWS manage your keys, or you can manage your own keys and benefit from all of the other advantages offered by server-side encryption.
"You now have the option to store data in S3 using keys that you manage, without having to build, maintain, and scale your own client-side encryption fleet, as many of our customers have done in the past."
Last week, Amazon came under attack for its continued use of the Linux encryption tool TrueCrypt to transfer data to and from Amazon Web Services.
The developers of TrueCrypt renounced the tool in May, claiming that "using TrueCrypt is not secure as it may contain unfixed security issues".
Amazon said in a statement: "AWS Import/Export is the only AWS service that uses TrueCrypt, but AWS is aware of the statement on the TrueCrypt website and continues to monitor closely."
Still, the timely arrival of this announcement from Amazon shows that improved key management is becoming a major focus area for cloud services. The new BYOK (Bring Your Own Key) service will use AES-256 encryption, create a one-way hash of the key, and then promptly remove the key from memory. It will return that hash as a checksum in the response and will also store the checksum alongside the object, so the key itself is never retained by S3.
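To make the mechanism concrete, here is an added example (not code from Amazon or from the article) of what a client actually sends and checks. It assumes the S3 API's documented SSE-C headers, where the "one-way hash" is the base64-encoded MD5 of the raw 256-bit key; the response below is constructed locally so the script runs offline.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "AES256"  # the only algorithm SSE-C accepts


def key_md5_b64(key: bytes) -> str:
    """Base64 of the MD5 digest of the raw key: the checksum S3 returns and stores."""
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii")


def sse_c_headers(key: bytes) -> dict:
    """Build the three SSE-C request headers for a PUT or GET.

    The key travels base64-encoded (S3 requires HTTPS for SSE-C requests) and
    the MD5 lets S3 confirm it received the key intact before encrypting with it.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": key_md5_b64(key),
    }


def response_matches_key(response_headers: dict, key: bytes) -> bool:
    """Check that the checksum S3 echoed back is the hash of the key we hold.

    A client that keeps several keys (e.g. after rotation) can use this to
    detect that an object was written under a different key than expected.
    """
    echoed = response_headers.get("x-amz-server-side-encryption-customer-key-MD5", "")
    return hmac.compare_digest(echoed, key_md5_b64(key))


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # customer-held key; S3 never stores it
    headers = sse_c_headers(key)
    # Constructed stand-in for S3's response headers on a successful PUT.
    fake_response = {
        "x-amz-server-side-encryption-customer-algorithm": ALGORITHM,
        "x-amz-server-side-encryption-customer-key-MD5":
            headers["x-amz-server-side-encryption-customer-key-MD5"],
    }
    print("key matches:", response_matches_key(fake_response, key))
    print("other key matches:", response_matches_key(fake_response, secrets.token_bytes(32)))
```

Because S3 keeps only the MD5, a lost key means the object is unrecoverable; the checksum only identifies which key was used, it does not help reconstruct it.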