Server-Side Encryption
  • Server-side encryption is the encryption of data at its destination by the application or service that receives it.
  • S3 encrypts your data at the object level as it writes it to disks in its data centres and decrypts it for you when you access it.
  • As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects.
  • You can't apply different types of server-side encryption to the same object simultaneously.

Server-side encryption with Amazon S3-managed encryption keys (SSE-S3)

  • Each object is encrypted with a unique key.
    • It also encrypts the key itself with a master key that it regularly rotates.
  • It uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
  • If you need server-side encryption for all of the objects stored in a bucket, use a bucket policy that denies s3:PutObject requests which do not carry the encryption header (the condition key is s3:x-amz-server-side-encryption).
  • Requests must set the following header:
    • x-amz-server-side-encryption: AES256

Server-side encryption using AWS KMS CMKs (SSE-KMS)

  • Similar to SSE-S3, but with some additional benefits and charges for using this service.
  • Amazon S3 uses AWS KMS customer master keys (CMKs, now called KMS keys) to encrypt your Amazon S3 objects.
  • SSE-KMS provides you with an audit trail (in AWS CloudTrail) that shows when your CMK was used and by whom.
  • You create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.
  • AWS KMS is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud.
  • AWS KMS encrypts only the object data.
    • Any object metadata is not encrypted.
  • When you use SSE-KMS encryption with an S3 bucket, the AWS KMS CMK must be in the same Region as the bucket.
  • Requests must set the following header:
    • x-amz-server-side-encryption: aws:kms
    • Optionally add x-amz-server-side-encryption-aws-kms-key-id to choose a specific CMK; without it S3 uses the AWS managed key aws/s3. The matching bucket-policy condition keys are s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id.
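The bullets under SSE-S3 and SSE-KMS above describe two things a practitioner actually has to write: the bucket policy that rejects unencrypted uploads, and the upload request that carries the encryption header. The helper below is an added example, not code from the original notes or from AWS; it builds that policy for either SSE-S3 (AES256) or SSE-KMS (aws:kms), optionally pinning uploads to one KMS key ARN, and shows the matching boto3 call. The bucket name, KMS key ARN and object content are hypothetical, and boto3 is imported only inside the upload function so the policy part runs offline. One caveat: since S3 began applying SSE-S3 to new objects by default, the policy matters mostly for forcing SSE-KMS with a particular key.

```python
"""Enforce server-side encryption on S3 uploads with a bucket policy.

Added example; bucket name, key ARN and object content are hypothetical.
"""
import json

SSE_HEADER = "x-amz-server-side-encryption"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
ALLOWED_SSE = ("AES256", "aws:kms")


def sse_request_headers(sse="AES256", kms_key_arn=None):
    """Headers a client sends on PutObject to request SSE-S3 or SSE-KMS."""
    if sse not in ALLOWED_SSE:
        raise ValueError("sse must be AES256 or aws:kms")
    headers = {SSE_HEADER: sse}
    if sse == "aws:kms" and kms_key_arn:
        headers[KMS_KEY_HEADER] = kms_key_arn
    return headers


def _deny(sid, resource, condition):
    """One explicit Deny on s3:PutObject for every principal."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": resource,
        "Condition": condition,
    }


def deny_unencrypted_uploads_policy(bucket, sse="AES256", kms_key_arn=None):
    """Bucket policy that rejects PutObject unless the request carries
    x-amz-server-side-encryption with the expected value.

    The Null statement makes the missing-header case explicit and the
    StringNotEquals statement rejects a wrong value.  For SSE-KMS an
    optional third statement pins uploads to a single KMS key ARN.
    """
    if sse not in ALLOWED_SSE:
        raise ValueError("sse must be AES256 or aws:kms")
    objects = f"arn:aws:s3:::{bucket}/*"
    statements = [
        _deny("DenyMissingSseHeader", objects,
              {"Null": {"s3:" + SSE_HEADER: "true"}}),
        _deny("DenyWrongSseType", objects,
              {"StringNotEquals": {"s3:" + SSE_HEADER: sse}}),
    ]
    if sse == "aws:kms" and kms_key_arn:
        statements.append(
            _deny("DenyWrongKmsKey", objects,
                  {"StringNotEquals": {"s3:" + KMS_KEY_HEADER: kms_key_arn}}))
    return {"Version": "2012-10-17", "Statement": statements}


def upload_encrypted(bucket, key, body, sse="AES256", kms_key_arn=None):
    """PutObject with SSE requested; boto3 emits the headers above for us.

    boto3 is imported here so the policy helpers work without it installed.
    """
    import boto3
    params = {"Bucket": bucket, "Key": key, "Body": body,
              "ServerSideEncryption": sse}
    if sse == "aws:kms" and kms_key_arn:
        params["SSEKMSKeyId"] = kms_key_arn
    return boto3.client("s3").put_object(**params)


if __name__ == "__main__":
    # Hypothetical bucket and key ARN; apply with `aws s3api put-bucket-policy`.
    policy = deny_unencrypted_uploads_policy(
        "example-bucket", "aws:kms",
        "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555")
    print(json.dumps(policy, indent=2))
    print(sse_request_headers("aws:kms", policy["Statement"][2]["Condition"]
                              ["StringNotEquals"]["s3:" + KMS_KEY_HEADER]))
```

Apply the printed document with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`; an upload that omits the header, or names the wrong algorithm or key, then fails with AccessDenied before any bytes are stored.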

Server-Side Encryption with Customer-Provided Keys (SSE-C)

  • You manage the encryption keys; S3 performs the encryption as it writes to disk and the decryption when you access your objects.
  • Server-side encryption encrypts only the object data.
    • Object metadata is not encrypted.
  • Using SSE-C allows you to supply your own 256-bit AES key with each request.
  • Because S3 does the encryption and decryption with the key you provide, you don't need to maintain any code to perform data encryption and decryption.
  • The only thing you do is manage the encryption keys you provide.
    • S3 does not store the key; it keeps a randomly salted HMAC of it to validate later requests. If you lose the key, the object cannot be recovered.
    • The same key must be sent with every request that reads or writes the object, using the headers x-amz-server-side-encryption-customer-algorithm (AES256), x-amz-server-side-encryption-customer-key (the key, base64) and x-amz-server-side-encryption-customer-key-MD5 (base64 MD5 of the raw key, used to detect a key corrupted in transit).
  • You must use HTTPS, because the key itself travels in the request headers; S3 rejects SSE-C requests sent over plain HTTP.
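Since SSE-C puts the key on the wire with every request, the part a client gets wrong is usually header construction. The block below is an added example, not code from the original notes or from AWS: it generates a 32-byte key, builds the three SSE-C headers, re-runs the MD5 transport check that S3 performs on the received key, and refuses to call S3 over anything but HTTPS. The bucket and object names are hypothetical; boto3 is imported only inside the download function so the rest runs offline.

```python
"""Build and verify SSE-C request headers.

Added example; bucket/object names are hypothetical and the key is
generated locally.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import urlparse

KEY_LEN = 32  # SSE-C keys are 256-bit AES keys
H_ALG = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def generate_customer_key():
    """Fresh 256-bit key from the OS CSPRNG; store it yourself, S3 will not."""
    return os.urandom(KEY_LEN)


def is_valid_customer_key(key):
    """S3 accepts exactly 32 raw bytes for SSE-C."""
    return isinstance(key, (bytes, bytearray)) and len(key) == KEY_LEN


def sse_c_headers(key):
    """The three headers S3 requires on every SSE-C PUT, GET or HEAD."""
    if not is_valid_customer_key(key):
        raise ValueError("SSE-C key must be exactly 32 bytes")
    digest = hashlib.md5(bytes(key)).digest()
    return {
        H_ALG: "AES256",
        H_KEY: base64.b64encode(bytes(key)).decode(),
        H_MD5: base64.b64encode(digest).decode(),
    }


def key_md5_matches(headers):
    """Mirror S3's transport check: decode the key, recompute its MD5 and
    compare with the MD5 header in constant time."""
    try:
        key = base64.b64decode(headers[H_KEY], validate=True)
        sent = headers[H_MD5]
    except (KeyError, ValueError):
        return False
    if len(key) != KEY_LEN:
        return False
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return hmac.compare_digest(sent, expected)


def endpoint_is_https(url):
    """SSE-C is refused over HTTP because the key rides in the headers."""
    return urlparse(url).scheme == "https"


def get_object_sse_c(bucket, key_name, customer_key,
                     endpoint_url="https://s3.amazonaws.com"):
    """Fetch an SSE-C object; boto3 base64-encodes the key and adds the MD5."""
    if not endpoint_is_https(endpoint_url):
        raise ValueError("SSE-C requires HTTPS; S3 rejects the key over HTTP")
    if not is_valid_customer_key(customer_key):
        raise ValueError("SSE-C key must be exactly 32 bytes")
    import boto3  # imported here so the header helpers run without boto3
    return boto3.client("s3", endpoint_url=endpoint_url).get_object(
        Bucket=bucket, Key=key_name,
        SSECustomerAlgorithm="AES256", SSECustomerKey=bytes(customer_key))


if __name__ == "__main__":
    k = generate_customer_key()
    h = sse_c_headers(k)
    for name, value in h.items():
        print(f"{name}: {value}")
    print("md5 check:", key_md5_matches(h))
```

The MD5 header is a transport integrity check, not a secret: anyone who can read the headers already has the key, which is why the HTTPS requirement is non-negotiable and why the key must be kept in your own key store.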