S3 Encryption Overview

S3 supports server side and client side Encryption. Two types of Encryption: In transit, At rest.

Encryption details can be specified while uploading file.


Encryption In Transit (SSL/TLS)

You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. 


Encryption At Rest

Server Side Encryption

  1. Server side encryption is done before storing and decryption is done while accessing.

  2. Uses AES-256 by default.

  3. Classified based on key management:

    1. S3 Managed Keys – SSE-S3

      1. Provides an integrated solution where Amazon handles key management and key protection using multiple layers of security.

      2. Uses one of the strongest block ciphers available: AES-256.

      3. Should choose SSE-S3 if you prefer to have Amazon manage your keys.

    2. Server side encryption with customer provided keys – SSE-C

      1. S3 perform the encryption and decryption of your objects while you retain control of the keys used to encrypt objects.

      2. Use SSE-C if you want to maintain your own encryption keys, but don’t want to implement or leverage a client-side encryption library.

    3. Using AWS Key Management Service, Managed Keys – SSE-KMS

      1. AWS KMS to manage your encryption keys.

      2. There are separate permissions for the use of the master key, providing an additional layer of control as well as protection against unauthorized access to your objects stored in Amazon S3.

      3. AWS KMS provides an audit trail so you can see who used your key to access which object and when.

      4. AWS KMS provides additional security controls to support customer efforts to comply with PCI-DSS, HIPAA/HITECH, and FedRAMP industry requirements.

Client Side Encryption

  1. Client side encryption is done before uploading.

  2. Using an encryption client library, such as the Amazon S3 Encryption Client, you retain control of the keys and complete the encryption and decryption of objects client-side using an encryption library of your choice.

  3. For customers who prefer full end-to-end control of the encryption and decryption of objects: only encrypted objects are transmitted over the Internet to Amazon S3.


Additional Notes - Encryption

  1. With SSE, every protected object is encrypted with a unique key. This object key is itself encrypted by a separate master key that is stored securely and reissued at least monthly.

  2. The object creation REST APIs provide a request header, x-amz-server-side-encryption that you can use to request server-side encryption. Read more here.


sireesha A's picture


Learn Serverless from Serverless Programming Cookbook


Please first use the contact form or facebook page messaging to connect.

Offline Contact
We currently connect locally for discussions and sessions at Bangalore, India. Please follow us on our facebook page for details.
WhatsApp (Primary): (+91) 7411174113
Phone (Escalations): (+91) 7411174114

Business newsletter

Complete the form below, and we'll send you an e-mail every now and again with all the latest news.


CloudMaterials is my blog to share notes and learning materials on Cloud and Data Analytics. My current focus is on Microsoft Azure and Amazon Web Services (AWS).

I like to write and I try to document what I learn to share with others. I believe that knowledge is useless unless you share it; the more you share, the more you learn.

Recent comments

Photo Stream