Overview of S3 Encryption Mechanisms

Server-Side Encryption with S3 managed keys(SSE-S3)

  • Requires minimal configuration
  • Management of encryption keys managed by AWS
  • All you need to do is to upload your data and S3 will handle all other aspects

Server-Side Encryption with KMS managed keys(SSE-KMS)

  • Allow S3 to use the Key Management Service to generate data encryption keys
  • Gives greater flexibility of key management: disable, rotate, and apply access controls to the CMK

Server-Side Encryption with Customer provider keys(SSE-C)

  • Gives you the opportunity to provide your own Master keys
  • Your customer provided key would be sent with your data to S3, where S3 would then perform the encryption for you

Client-Side Encryption with KMS managed keys(CSE-KMS)

  • Uses the Key Management Service to generate data encryption keys
  • KMS is called upon via the client, not S3
  • Encryption takes place client-side and the encrypted data is then sent to S3

Client-Side Encryption with Customer provided keys(CSE-C)

  • You are able to utilize your own provided keys
  • Use an AWS SDK client to encrypt your data before sending it to S3 for storage
Nadtakan Futhoem — Sr. Software Engineer

Founder of Nadtakan.com & Serverless Cloud developer. Follow me on Twitter https://twitter.com/NadtakanF