Protecting data at rest and in transit is a fundamental responsibility when using Amazon S3. AWS provides multiple encryption options, replication features, and additional safeguards to help you meet security and compliance requirements.
S3 supports four server-side encryption methods, plus client-side encryption in which you encrypt the data yourself before upload:
| Method | Key Management | Description |
|---|---|---|
| SSE-S3 | Amazon manages keys | Default encryption. S3 encrypts each object with a unique AES-256 key, which is itself encrypted with a regularly rotated root key. |
| SSE-KMS | AWS KMS manages keys | Uses a KMS key (formerly called a customer master key, CMK). Provides an audit trail in CloudTrail and allows you to control key rotation and access. |
| DSSE-KMS | AWS KMS (dual-layer) | Applies two layers of encryption using KMS keys. Designed for workloads requiring CNSA (Commercial National Security Algorithm) compliance. |
| SSE-C | Customer provides keys | You supply the encryption key with each request. S3 performs the encryption but does not store your key. |
| Client-side | Customer manages everything | You encrypt data before uploading. S3 stores the ciphertext and has no knowledge of the keys. |
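The four server-side methods are selected per request through `x-amz-server-side-encryption*` headers, and a bucket typically enforces one of them with a policy condition on that header. The following added example (not part of the lesson) classifies a PutObject request's headers into the methods from the table and checks them against a bucket's requirement; the function names, the `key_arn` parameter and the sample headers are constructed for this illustration.

```python
"""Classify an S3 PutObject request by the server-side encryption it selects
and check it against a bucket's requirement (added example, not from the lesson)."""

SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

# Header value -> method name from the table above.
SSE_VALUES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}


def classify(headers):
    """Return the method a request selects, or 'invalid' for a malformed combination.

    S3 cannot observe client-side encryption, so a request with no SSE headers
    is reported as 'none-or-client-side': S3 stores whatever bytes were sent.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if SSE_C_ALGO_HEADER in h:
        # SSE-C: the caller supplies the key on every request and may not also
        # ask for SSE-S3/KMS on the same object.
        if h[SSE_C_ALGO_HEADER] != "AES256" or SSE_HEADER in h:
            return "invalid"
        return "SSE-C"
    value = h.get(SSE_HEADER)
    if value is None:
        return "none-or-client-side"
    return SSE_VALUES.get(value, "invalid")


def allowed(headers, required, key_arn=None):
    """True if the request uses one of `required` (e.g. {"SSE-KMS", "DSSE-KMS"}).

    When `key_arn` is given, KMS-based requests must name exactly that key;
    a request that omits the key header would fall back to the AWS-managed
    default key, so it is rejected too.
    """
    method = classify(headers)
    if method not in required:
        return False
    if key_arn is not None and method in ("SSE-KMS", "DSSE-KMS"):
        h = {k.lower(): v for k, v in headers.items()}
        return h.get(KMS_KEY_HEADER) == key_arn
    return True


if __name__ == "__main__":
    sample = {  # constructed request headers with a placeholder key ARN
        "Content-Type": "application/octet-stream",
        "X-Amz-Server-Side-Encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    }
    print(classify(sample), allowed(sample, {"SSE-KMS", "DSSE-KMS"}))
```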