Overview of S3 Encryption Mechanisms
Jul 20, 2021
Server-Side Encryption with S3 managed keys (SSE-S3)
- Requires minimal configuration
- Encryption keys are managed by AWS
- All you need to do is upload your data; S3 handles all other aspects
Server-Side Encryption with KMS managed keys (SSE-KMS)
- Allows S3 to use the Key Management Service to generate data encryption keys
- Gives greater flexibility of key management: disable, rotate, and apply access controls to the CMK
Server-Side Encryption with Customer provided keys (SSE-C)
- Gives you the opportunity to provide your own master keys
- Your customer-provided key is sent with your data to S3, where S3 then performs the encryption for you
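The three server-side modes above differ in what the upload request carries. The following is an added example, not code from the original post: it builds the S3 request headers that select each mode and reads the mode back from a response. The function names, the sample key, and the KMS key ARN are constructed for illustration.

```python
import base64
import hashlib


def sse_request_headers(mode, kms_key_id=None, customer_key=None):
    """Return the S3 PUT headers that select a server-side encryption mode."""
    if mode == "SSE-S3":
        # S3 manages the key; the request only names the algorithm.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            # Names the KMS key whose access controls and rotation apply.
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) key")
        # The raw key travels in the request itself (so HTTPS is required),
        # together with an MD5 digest S3 uses to detect a corrupted key.
        digest = hashlib.md5(customer_key).digest()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(digest).decode(),
        }
    raise ValueError(f"unknown mode: {mode}")


def sse_mode_from_response(headers):
    """Classify the server-side mode reported in a PUT/HEAD response."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-amz-server-side-encryption-customer-algorithm" in h:
        return "SSE-C"
    value = h.get("x-amz-server-side-encryption")
    if value == "aws:kms":
        return "SSE-KMS"
    if value == "AES256":
        return "SSE-S3"
    return "no SSE headers"


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed key, for illustration only
    arn = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed
    for mode in ("SSE-S3", "SSE-KMS", "SSE-C"):
        print(mode, sse_request_headers(mode, arn, sample_key))
```

With SSE-C the key is never stored by S3, so the same three customer-key headers must be sent again on every GET or HEAD of the object.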
Client-Side Encryption with KMS managed keys (CSE-KMS)
- Uses the Key Management Service to generate data encryption keys
- KMS is called by the client, not by S3
- Encryption takes place client-side and the encrypted data is then sent to S3
Client-Side Encryption with Customer provided keys (CSE-C)
- You are able to utilize your own provided keys
- Use an AWS SDK client to encrypt your data before sending it to S3 for storage