
Securing MarkLogic Server

Enhanced AWS S3 Encryption Support

Starting with MarkLogic Server 9.0-8, AWS S3 support with encryption is built into MarkLogic Server, so S3 is available as a file system or as a storage location for backup/restore. When MarkLogic Server writes or updates objects on AWS S3, it can use AWS KMS server-side encryption to protect the data. You can choose the encryption method through the Admin Interface or through the API.

To use an AWS KMS key to encrypt data that will be stored on AWS S3, specify which key is to be used for encryption. You can do this using the Admin Interface or by using the admin:group-set-s3-server-side-encryption-kms-key API. To find the S3 encryption key (if it has already been set), use the admin:group-set-s3-server-side-encryption-kms-key API.

To set the AWS KMS key in the MarkLogic Server Admin Interface, navigate to the Groups Configuration page. Scroll down to the s3 protocol configuration field. Select https as the s3 protocol and aws:kms as the s3 server-side encryption. Paste the KMS key into the s3 server-side encryption kms key field.

Configure the external KMS keys as shown in the previous section.
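
The same three group settings can be applied through the Admin API. The script below is an added example, not MarkLogic's own sample code. The group name "Default" and the key ARN are constructed placeholders, local:require-key is a hypothetical helper, and the script reads the values back from the updated configuration with the corresponding admin:group-get-s3-* functions.

```xquery
xquery version "1.0-ml";
(: Added example: API equivalent of the Admin Interface steps above. :)
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

(: Assumptions: replace the group name and the placeholder key ARN. :)
declare variable $GROUP-NAME as xs:string := "Default";
declare variable $KMS-KEY as xs:string :=
  "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000";

(: Hypothetical helper: reject an empty key or one pasted with stray
   whitespace, so a bad value is never written to the group config. :)
declare function local:require-key($key as xs:string) as xs:string {
  if ($key eq "" or $key ne fn:normalize-space($key))
  then fn:error(xs:QName("local:BAD-KMS-KEY"),
                "KMS key is empty or contains stray whitespace")
  else $key
};

let $key    := local:require-key($KMS-KEY)
let $config := admin:get-configuration()
let $group  := admin:group-get-id($config, $GROUP-NAME)
(: Use TLS for traffic to S3, then select SSE-KMS and the key to use. :)
let $config := admin:group-set-s3-protocol($config, $group, "https")
let $config := admin:group-set-s3-server-side-encryption(
                 $config, $group, "aws:kms")
let $config := admin:group-set-s3-server-side-encryption-kms-key(
                 $config, $group, $key)
return (
  admin:save-configuration($config),
  (: Report what the updated configuration holds for this group. :)
  fn:concat("s3 protocol: ",
    admin:group-get-s3-protocol($config, $group)),
  fn:concat("s3 server-side encryption: ",
    admin:group-get-s3-server-side-encryption($config, $group)),
  fn:concat("s3 server-side encryption kms key: ",
    admin:group-get-s3-server-side-encryption-kms-key($config, $group))
)
```

Run it as a user with the admin role, for example from Query Console.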