S3 Data Encryption

• Data protection refers to protecting data while in-transit and at rest.

• You can protect data in transit using SSL/TLS or client-side encryption.

• You have the following options for protecting data at rest in S3:

  • Server-Side Encryption:

    • Request S3 to encrypt your object before saving it on disks in its data centres and then decrypt it when you download the objects.

  • Client-Side Encryption:

    • Encrypt data client-side and upload the encrypted data to S3. In this case, you manage the encryption process, the encryption keys, and related tools.

Server-side Encryption

Server-side Encryption with S3-managed encryption keys (SSE-S3)

• Each object is encrypted with a unique key.

• As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates.

• It uses one of the strongest block ciphers available, AES-256, to encrypt your data.

Server-side Encryption using KMS CMKs (SSE-KMS)

• It is similar to SSE-S3, but with some additional benefits and charges for using this service.

• There are separate permissions for the use of a CMK that provides added protection against unauthorized access of your objects in S3.

• It also provides you with an audit trail that shows when your CMK was used and by whom.

• You can create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.

Server-side Encryption with customer-provided encryption keys (SSE-C)

• The customer manages the encryption keys and S3 manages the encryption, as it writes to disks, and decryption, when you access your objects.

Client-side Encryption

• To enable client-side encryption, you have the following options:

  • Use a KMS CMK.

  • Use a master key that you store within your application.