Server-Side Encryption

Protecting data using server-side encryption

The most commonly used Server-Side Encryption configuration is SSE-S3.

With SSE-S3 enabled, Amazon S3 uses an account- and region-specific S3 service Master Key to generate an AES-256 Data Key. This Data Key is used to encrypt and decrypt the data. The Data Key itself is protected by encrypting it with the Master Key, and the encrypted Data Key is stored along with the data. Therefore the Master Key is required to decrypt a Data Key, which in turn is required to decrypt the data: access to the Master Key is enough to decrypt the data object.

In the SSE-S3 mode, the account's S3 service Master Key in KMS is used to generate the Data Key. Therefore, users with access credentials to the S3 account effectively have access to the Master Key. When a user retrieves objects, they are decrypted on the fly and returned in clear text. S3 handles Data Key generation and storage behind the scenes, making the whole process seamless.

SSE-KMS adds a layer of security. With KMS AWS permits attaching a resource policy to the key. The policy defines who has access to a Master Key and for what purpose.

Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using the service. There are separate permissions for the use of a CMK, which provide added protection against unauthorized access to your objects in Amazon S3. SSE-KMS also provides you with an audit trail that shows when your CMK was used and by whom. Additionally, you can create and manage customer managed CMKs, or use AWS managed CMKs that are unique to you, your service, and your Region. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS).

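The practical difference between SSE-S3 and SSE-KMS shows up when you audit a bucket's default-encryption rule: an `AES256` rule means anyone who can read the object gets plaintext, while an `aws:kms` rule names a key whose policy decides who may decrypt. The following is an added example, not code from the original page or from AWS: it classifies bucket encryption configurations in the JSON shape that the S3 GetBucketEncryption API returns. The bucket names, the key ARN and every configuration value are constructed for the example; in a real audit the configurations would come from a `get_bucket_encryption` call per bucket (an assumption about how you would feed it).

```python
import json

# Constructed sample data: the JSON shape mirrors a GetBucketEncryption
# response, but the bucket names, account id and key ARN are made up.
SAMPLE_CONFIGS = {
    # None models a bucket with no default-encryption rule configured at all.
    "logs-bucket": None,
    "sse-s3-bucket": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
            ]
        }
    },
    "sse-kms-bucket": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [
                {
                    "ApplyServerSideEncryptionByDefault": {
                        "SSEAlgorithm": "aws:kms",
                        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
                    },
                    "BucketKeyEnabled": True,
                }
            ]
        }
    },
    # aws:kms without a key id means S3 falls back to the AWS managed key for S3.
    "kms-managed-key-bucket": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
            ]
        }
    },
}


def classify_default_encryption(config):
    """Return (mode, key_id) for one bucket's default-encryption configuration.

    mode is one of "none", "SSE-S3" or "SSE-KMS"; key_id is the KMSMasterKeyID
    when the rule names one, otherwise None.
    """
    if not config:
        return ("none", None)
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        algorithm = default.get("SSEAlgorithm")
        if algorithm == "AES256":
            return ("SSE-S3", None)
        if algorithm == "aws:kms":
            return ("SSE-KMS", default.get("KMSMasterKeyID"))
    return ("none", None)


def audit(configs):
    """Map each bucket name to a one-line finding describing its exposure."""
    findings = {}
    for bucket, config in configs.items():
        mode, key_id = classify_default_encryption(config)
        if mode == "none":
            findings[bucket] = (
                "no default-encryption rule: object encryption depends on "
                "per-request headers or the service default"
            )
        elif mode == "SSE-S3":
            findings[bucket] = (
                "SSE-S3: any principal with s3:GetObject receives plaintext; "
                "no separate key permission and no KMS audit trail"
            )
        elif key_id is None:
            findings[bucket] = (
                "SSE-KMS with the AWS managed key for S3: a customer managed "
                "CMK would let you attach your own key policy"
            )
        else:
            findings[bucket] = (
                f"SSE-KMS with {key_id}: review the key policy for who may "
                "kms:Decrypt, and CloudTrail for who actually did"
            )
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIGS), indent=2))
```

Only the `KMSMasterKeyID` rule is treated as "done"; the other three outcomes are findings, because in each of them object access alone (or the AWS managed key's fixed policy) decides who can read the data, which is exactly the gap SSE-KMS with a customer managed CMK closes.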

The third option for S3 server-side encryption is SSE-C. With Server-Side Encryption with Customer-Provided Keys (SSE-C), the client manages the encryption keys and Amazon S3 manages the encryption. AWS encrypts objects as it writes them to storage and decrypts them when they are accessed. The keys are not stored on AWS.

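Because AWS does not keep the key, the client has to present it on every request, including every GET, and S3 checks the key against an MD5 digest sent beside it so that a corrupted or mistyped key is rejected rather than used. The following is an added example, not code from the original page or from AWS: it builds the three SSE-C request headers (`x-amz-server-side-encryption-customer-algorithm`, `-customer-key`, `-customer-key-MD5`) from a 256-bit key and re-derives the digest the way the service side does. The key is generated inline for the example; in practice it would come from the client's own key store, and the HTTP client that sends the headers is assumed, not shown.

```python
import base64
import hashlib
import secrets

# SSE-C accepts exactly one algorithm, AES256, with a 256-bit key.
SSE_C_ALGORITHM = "AES256"
SSE_C_KEY_BYTES = 32


def generate_sse_c_key() -> bytes:
    """Return a fresh random 256-bit key.

    Constructed for the example: a real client would load the key from its own
    key store and keep it for as long as the objects need to be readable, since
    S3 cannot recover an object whose key is lost.
    """
    return secrets.token_bytes(SSE_C_KEY_BYTES)


def key_md5_b64(key: bytes) -> str:
    """Base64 of the raw MD5 digest of the key, as the -key-MD5 header expects."""
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii")


def sse_c_headers(key: bytes) -> dict:
    """Build the headers that must accompany every PUT and GET of an SSE-C object."""
    if len(key) != SSE_C_KEY_BYTES:
        raise ValueError(f"SSE-C requires a {SSE_C_KEY_BYTES}-byte key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode("ascii"),
        "x-amz-server-side-encryption-customer-key-MD5": key_md5_b64(key),
    }


def verify_key_md5(headers: dict) -> bool:
    """Re-derive the digest from the transmitted key, as S3 does before using it.

    Returns False when the key and digest headers disagree, which is the case a
    truncated or corrupted key produces.
    """
    if headers.get("x-amz-server-side-encryption-customer-algorithm") != SSE_C_ALGORITHM:
        return False
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
    except (KeyError, ValueError):
        return False
    if len(key) != SSE_C_KEY_BYTES:
        return False
    return key_md5_b64(key) == headers.get("x-amz-server-side-encryption-customer-key-MD5")


if __name__ == "__main__":
    key = generate_sse_c_key()
    headers = sse_c_headers(key)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("digest check:", verify_key_md5(headers))
```

Two consequences follow from the key never being stored on AWS: the same `sse_c_headers(key)` output has to be attached to the later GET of the object, not just the PUT, and a lost key means a permanently unreadable object. The key travels in the request, so S3 only accepts SSE-C over HTTPS; sending these headers over plain HTTP is rejected.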
