Protecting data at rest and in transit is a fundamental responsibility when using Amazon S3. AWS provides multiple encryption options, replication features, and additional safeguards to help you meet security and compliance requirements.
S3 supports four server-side encryption methods, plus client-side encryption:
| Method | Key Management | Description |
|---|---|---|
| SSE-S3 | Amazon manages keys | Default encryption. S3 encrypts each object with a unique AES-256 key, which is itself encrypted with a regularly rotated root key. |
| SSE-KMS | AWS KMS manages keys | Uses a KMS customer master key (CMK). Provides an audit trail in CloudTrail and allows you to control key rotation and access. |
| DSSE-KMS | AWS KMS (dual-layer) | Applies two layers of encryption using KMS keys. Designed for workloads requiring CNSA (Commercial National Security Algorithm) compliance. |
| SSE-C | Customer provides keys | You supply the encryption key with each request. S3 performs the encryption but does not store your key. |
| Client-side | Customer manages everything | You encrypt data before uploading. S3 stores the ciphertext and has no knowledge of the keys. |
Since January 2023, all new objects uploaded to S3 are automatically encrypted with SSE-S3 by default. You do not need to configure anything — every object is encrypted at rest.
You can override the default to use SSE-KMS:

```bash
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:eu-west-2:123456789012:key/abcd-1234"
      },
      "BucketKeyEnabled": true
    }]
  }'
```
When using SSE-KMS, enabling S3 Bucket Keys reduces the number of calls to KMS by using a bucket-level key for a short period. This can reduce KMS costs by up to 99%.
With SSE-C, you provide the key in the request headers:

```bash
aws s3api put-object \
  --bucket my-bucket \
  --key secret-data.txt \
  --body secret-data.txt \
  --sse-customer-algorithm AES256 \
  --sse-customer-key $(cat my-key.b64) \
  --sse-customer-key-md5 $(cat my-key-md5.b64)
```
You must provide the same key for every GET request. If you lose the key, the data is irrecoverable.
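The command above reads the key and its checksum from `my-key.b64` and `my-key-md5.b64` but does not show how those values are produced. The following is an added example, not part of the lesson, that generates a 256-bit SSE-C key, derives the exact header values S3 expects (the MD5 is taken over the raw key bytes, not over the base64 text, which is the usual mistake), and performs the same consistency check S3 runs on arrival. The file names and the `verify_key_md5` helper are assumptions for illustration.

```python
import base64
import hashlib
import os
from pathlib import Path

ALGORITHM = "AES256"  # the only algorithm SSE-C accepts
KEY_BYTES = 32        # AES-256 key length

H_ALG = "x-amz-server-side-encryption-customer-algorithm"
H_KEY = "x-amz-server-side-encryption-customer-key"
H_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def generate_ssec_key() -> bytes:
    """Return 32 cryptographically random bytes for a new SSE-C key."""
    return os.urandom(KEY_BYTES)


def ssec_headers(raw_key: bytes) -> dict:
    """Build the three SSE-C request headers from a raw 256-bit key."""
    if len(raw_key) != KEY_BYTES:
        raise ValueError(f"SSE-C key must be {KEY_BYTES} bytes, got {len(raw_key)}")
    # The MD5 header is an integrity check on the key, not a secret: S3
    # recomputes it over the decoded key bytes and rejects a mismatch.
    digest = hashlib.md5(raw_key).digest()
    return {
        H_ALG: ALGORITHM,
        H_KEY: base64.b64encode(raw_key).decode(),
        H_MD5: base64.b64encode(digest).decode(),
    }


def verify_key_md5(key_b64: str, md5_b64: str) -> bool:
    """Replicates S3's server-side check: does md5(decoded key) match the header?"""
    raw_key = base64.b64decode(key_b64)
    return base64.b64decode(md5_b64) == hashlib.md5(raw_key).digest()


def write_key_files(raw_key: bytes, key_path: str, md5_path: str) -> None:
    """Write the two files the `aws s3api` command reads via $(cat ...)."""
    hdrs = ssec_headers(raw_key)
    for path, value in ((key_path, hdrs[H_KEY]), (md5_path, hdrs[H_MD5])):
        Path(path).write_text(value)  # no trailing newline, so $(cat) is exact
        os.chmod(path, 0o600)         # losing this file means losing the data


if __name__ == "__main__":
    key = generate_ssec_key()
    write_key_files(key, "my-key.b64", "my-key-md5.b64")  # assumed file names
    print("key files written; keep a second copy in a secrets store")
```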
S3 supports HTTPS (TLS 1.2+) for all API endpoints. You can enforce encrypted transit by adding a bucket policy that denies requests made over plain HTTP:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTP",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```
Object Lock prevents objects from being deleted or overwritten for a fixed retention period or indefinitely. It supports write-once-read-many (WORM) workloads.