S3 Encryption

Data in transit: you upload and download data to Amazon S3 over HTTPS (TLS) endpoints, which protects it on the wire. The options below protect data at rest, once it is stored.
Encryption options:

Encryption Option   How It Works
SSE-S3              Amazon S3 encrypts each object with a unique key that S3 owns and manages (AES-256).
SSE-C               You supply your own AES-256 key with each request; S3 uses it to encrypt or decrypt and does not store it.
SSE-KMS             S3 encrypts each object with a data key generated and protected by a key in AWS KMS.
Client Side         You encrypt objects with your own process before uploading them to S3.

Server-side encryption

Server-side encryption protects data at rest: Amazon S3 encrypts the object as it writes it to disk and decrypts it when you read it back, so the application never sees the ciphertext.
Amazon S3 encrypts each object with a unique key.
As an additional safeguard, it encrypts that key itself with a master key that it rotates regularly.
Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
If you need server-side encryption for every object stored in a bucket, use a bucket policy that denies s3:PutObject requests lacking the required x-amz-server-side-encryption header or value, or configure default encryption on the bucket so that S3 encrypts objects uploaded without the header. (Since January 2023, S3 applies SSE-S3 to every new object by default unless you choose another option.)
To request server-side encryption using the object creation REST APIs, provide the x-amz-server-side-encryption request header: AES256 for SSE-S3, aws:kms for SSE-KMS.
Note: With an AWS Key Management Service (AWS KMS) key (historically called a customer master key, CMK), you need kms:GenerateDataKey to upload and kms:Decrypt to download an encrypted object. Multipart uploads need kms:Decrypt as well, because S3 must decrypt the data key to assemble the parts. The AWS documentation lists kms:ReEncrypt and kms:DescribeKey alongside these for principals that work with SSE-KMS objects.
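The "use a bucket policy" advice hides a subtlety that is worth seeing in code: the policy AWS documents for this uses two Deny statements, one on the header value and one on the header being absent, and both are needed. The following is an added example, not code from these notes or from AWS; it is a toy evaluator for just the IAM condition operators involved, with a hypothetical bucket name and constructed requests.

```python
"""Toy evaluator for the classic "require server-side encryption" bucket policy.

Added example, not code from the original notes. It models only the parts of
IAM policy evaluation that matter here: Deny statements on s3:PutObject,
resource wildcard matching, and the Null and StringNotEquals condition
operators. The bucket name and the requests are constructed for illustration.
"""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-bucket"      # hypothetical bucket
SAMPLE_OBJECT_ARN = BUCKET_ARN + "/reports/q1.csv"

# Both statements are needed. IAM treats a missing condition key as "no match"
# for StringNotEquals, so a PUT that sends no encryption header at all slips
# past the first statement; the Null statement is what catches it.
REQUIRE_SSE_KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET_ARN + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# The same policy without the Null statement, to show what that statement adds.
HEADER_ONLY_POLICY = {"Version": "2012-10-17",
                      "Statement": REQUIRE_SSE_KMS_POLICY["Statement"][:1]}


def _condition_matches(condition, context):
    """True when every operator/key pair in a Condition block matches the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true" matches when the key is absent, "false" when it is present.
                if present != (str(expected).lower() == "false"):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                # A missing key never matches a plain (non-IfExists) operator.
                if not present or context[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _resource_matches(pattern, arn):
    return fnmatch.fnmatchcase(arn, pattern)


def evaluate_put(policy, object_arn, headers):
    """Return (decision, sid) for an s3:PutObject carrying the given headers.

    Only the explicit-Deny half of IAM evaluation is modelled; when nothing
    denies, "Allow" assumes the caller also has an identity-based grant.
    """
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context["s3:x-amz-server-side-encryption"] = headers["x-amz-server-side-encryption"]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if not _resource_matches(stmt["Resource"], object_arn):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return "Deny", stmt["Sid"]
    return "Allow", None
```

Run evaluate_put with the full policy and you get Deny for an AES256 header, Deny for no header, Allow for aws:kms; run it with HEADER_ONLY_POLICY and the request with no header is allowed, which is exactly the gap the Null statement closes. Note also that such a policy is evaluated on the request headers: a client that omits the header and relies on the bucket's default encryption is still denied, so decide deliberately whether enforcement lives in the policy or in default encryption.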

There are three options for using server-side encryption: SSE-S3, SSE-KMS and SSE-C. They are detailed below.

SSE-S3 – Server-Side Encryption with S3 managed keys

When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key.
As an additional safeguard, S3 encrypts that key itself with a master key that it regularly rotates. Both keys are owned and managed by S3; you never see or handle them.
Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
Request it with the header x-amz-server-side-encryption: AES256 (it is also the default S3 applies to new objects since January 2023).
Summary:
Each object is encrypted with a unique key.
The data key is encrypted with a master key.
AWS rotates the master key regularly.
Uses AES-256.
Access is controlled by S3 permissions alone; there is no separate key permission and no key-usage audit trail (those are what SSE-KMS adds).

SSE-KMS – Server-Side Encryption with AWS KMS keys

Server-Side Encryption with AWS KMS keys (SSE-KMS) works like SSE-S3, but the data keys are generated by and protected under a key in AWS Key Management Service (historically called a customer master key, CMK). It brings additional benefits, and additional charges for the KMS usage.
Using the KMS key requires separate permissions, which provides added protection against unauthorized access to your objects: a principal needs s3:GetObject on the object and kms:Decrypt on the key, and lacking either one fails the read.
SSE-KMS also provides an audit trail: every use of the key is recorded in AWS CloudTrail, showing when the key was used and by whom.
You can create and manage your own customer managed keys, or use the AWS managed key (aws/s3) that is unique to you, your service, and your Region.
Summary:
S3 asks KMS for a data key, encrypts the object with it, and stores the encrypted data key with the object (envelope encryption); the KMS key itself never leaves KMS.
You can use the automatically created AWS managed key (aws/s3),
OR select your own customer managed key (gives you control over key policy, rotation and deletion).
Request it with x-amz-server-side-encryption: aws:kms, optionally naming the key with x-amz-server-side-encryption-aws-kms-key-id.
Chargeable: each KMS request (GenerateDataKey on upload, Decrypt on download) is billed; enabling S3 Bucket Keys reduces the number of KMS requests by letting S3 derive per-object keys from a bucket-level key.
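The two SSE-KMS benefits above, separate key permissions and an audit trail, show up together in CloudTrail: S3 calls KMS on the caller's behalf, the record carries the caller's identity with userIdentity.invokedBy set to s3.amazonaws.com and the object ARN (or, with S3 Bucket Keys, the bucket ARN) in the encryption context under aws:s3:arn, and a caller who has S3 permission but no kms:Decrypt appears as an AccessDenied on the key. The following is an added example, not code from these notes or from AWS; the CloudTrail records are constructed to mimic that shape, and the account id, names and ARNs are hypothetical.

```python
"""Audit who used an SSE-KMS key, and for which S3 objects, from CloudTrail.

Added example, not code from the original notes. The records are constructed
to mimic CloudTrail entries for KMS calls made by S3 on a caller's behalf;
the account id, principal names and ARNs are hypothetical.
"""
from collections import Counter, defaultdict

KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.csv"
BUCKET_ARN = "arn:aws:s3:::example-bucket"


def _event(name, principal_arn, s3_arn=None, error=None,
           invoked_by="s3.amazonaws.com", identity_type="IAMUser"):
    """Build a trimmed CloudTrail record in the shape KMS events have."""
    rec = {
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": identity_type, "arn": principal_arn},
        "requestParameters": {"encryptionContext": {"aws:s3:arn": s3_arn} if s3_arn else {}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    }
    if invoked_by:
        rec["userIdentity"]["invokedBy"] = invoked_by
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [  # constructed sample data
    _event("GenerateDataKey", "arn:aws:sts::111122223333:assumed-role/uploader/session1",
           OBJECT_ARN, identity_type="AssumedRole"),
    _event("Decrypt", "arn:aws:iam::111122223333:user/alice", OBJECT_ARN),
    # bob has s3:GetObject but no kms:Decrypt: the separate KMS permission blocks the read.
    _event("Decrypt", "arn:aws:iam::111122223333:user/bob", OBJECT_ARN, error="AccessDenied"),
    # S3 Bucket Key in use: the encryption context names the bucket, not the object.
    _event("Decrypt", "arn:aws:iam::111122223333:user/alice", BUCKET_ARN),
    # Direct KMS use by an application, not via S3: left out of the S3 report.
    _event("Decrypt", "arn:aws:iam::111122223333:role/app", None, invoked_by=None),
]


def s3_key_usage(events, key_arn):
    """Keep KMS events on key_arn that S3 made on a caller's behalf; return flat rows."""
    rows = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        if ev["userIdentity"].get("invokedBy") != "s3.amazonaws.com":
            continue
        ctx = ev.get("requestParameters", {}).get("encryptionContext", {})
        rows.append({
            "principal": ev["userIdentity"]["arn"],
            "action": ev["eventName"],
            "s3_arn": ctx.get("aws:s3:arn"),          # object ARN, or bucket ARN with Bucket Keys
            "outcome": ev.get("errorCode", "Success"),
        })
    return rows


def summarise_by_principal(rows):
    """principal -> Counter of (action, outcome); denied Decrypts stand out here."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["principal"]][(r["action"], r["outcome"])] += 1
    return summary


def denied_principals(rows):
    """Principals whose KMS calls via S3 failed: S3 access without key access."""
    return sorted({r["principal"] for r in rows if r["outcome"] != "Success"})
```

Feed real CloudTrail records (the JSON objects under "Records" in the log files) to s3_key_usage with your key ARN and the same report falls out. With SSE-S3 there is nothing equivalent to query: no key-level permission check happened and no per-read key event exists.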

SSE-C – Server-Side Encryption with client provided keys

With Server-Side Encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys and Amazon S3 manages the encryption as it writes to disks and the decryption when you access your objects.
The client manages the keys; S3 manages the encryption.
AWS does not store the encryption key; it keeps only a randomly salted HMAC of the key to validate later requests. You must send the same key with every GET or HEAD of the object.
If the key is lost, the data cannot be decrypted.
SSE-C requests must be made over HTTPS, because the key travels in the request headers; S3 rejects SSE-C requests over plain HTTP.
When using SSE-C, you provide the key with the following request headers:
x-amz-server-side-encryption-customer-algorithm – the encryption algorithm. The header value must be "AES256".
x-amz-server-side-encryption-customer-key – the 256-bit key, base64-encoded, for Amazon S3 to use to encrypt or decrypt your data.
x-amz-server-side-encryption-customer-key-MD5 – the base64-encoded 128-bit MD5 digest of the key. Amazon S3 uses this header as a message integrity check to ensure that the key was transmitted without error.
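The three SSE-C headers built and checked in code, as an added example that is not part of the original notes. It uses only the standard library: the key generation, the header construction, a mirror of the MD5 integrity check S3 performs, and the equivalent boto3 parameters (returned as keyword arguments rather than sent, so nothing here talks to AWS). Any key storage is your problem and is not shown.

```python
"""Build and check the SSE-C request headers for an S3 PUT, GET or HEAD.

Added example, not code from the original notes or from AWS. Standard
library only; the boto3 call is shown as the kwargs it would take.
"""
import base64
import hashlib
import secrets

HDR_ALGO = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def new_sse_c_key() -> bytes:
    """Fresh 256-bit key. You must keep it: S3 stores only a salted HMAC of it,
    and an object encrypted with a lost key is unrecoverable."""
    return secrets.token_bytes(32)


def sse_c_headers(key: bytes) -> dict:
    """The three headers S3 requires on every PUT/GET/HEAD of an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key; got %d bytes" % len(key))
    return {
        HDR_ALGO: "AES256",                                  # the only accepted value
        HDR_KEY: base64.b64encode(key).decode("ascii"),
        # 128-bit MD5 of the raw key, base64 encoded: a transmission check, not a secret.
        HDR_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_sse_c_headers(headers: dict) -> bool:
    """Mirror S3's integrity check: recompute the MD5 of the supplied key and
    reject a missing or malformed header or a key of the wrong length."""
    if headers.get(HDR_ALGO) != "AES256":
        return False
    try:
        key = base64.b64decode(headers[HDR_KEY], validate=True)
        sent_md5 = base64.b64decode(headers[HDR_KEY_MD5], validate=True)
    except (KeyError, ValueError):                           # binascii.Error is a ValueError
        return False
    if len(key) != 32:
        return False
    return secrets.compare_digest(hashlib.md5(key).digest(), sent_md5)


def boto3_sse_c_kwargs(key: bytes) -> dict:
    """Equivalent parameters for boto3 put_object/get_object/head_object; boto3
    base64-encodes the key and computes the MD5 header itself."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": key}
```

The same three headers (or the same two boto3 kwargs) must accompany the later GET or HEAD; omitting them on a read returns a 400 from S3, not the plaintext, which is the operational cost of S3 never storing the key.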

Client-side encryption

Client-side encryption is the act of encrypting data before sending it to Amazon S3, so that S3 only ever stores ciphertext and never has access to the plaintext or to the keys.
To enable client-side encryption, you have the following options:
Use a key stored in AWS Key Management Service (AWS KMS) (historically a customer master key, CMK).
Use a master key that you store within your application.

Option 1. Use a customer master key (CMK) stored in AWS Key Management Service (AWS KMS)

When uploading an object—Using the KMS key ID, the client first calls AWS KMS (GenerateDataKey) for a data key it can use to encrypt your object data. AWS KMS returns two versions of a randomly generated data key:
A plaintext version of the data key that the client uses to encrypt the object data and then discards.
A cipher blob of the same data key (encrypted under the KMS key) that the client uploads to Amazon S3 as object metadata.
When downloading an object—The client downloads the encrypted object from Amazon S3 along with the cipher blob version of the data key stored as object metadata. The client then sends the cipher blob to AWS KMS (Decrypt) to get the plaintext version of the data key so that it can decrypt the object data. The client therefore needs kms:GenerateDataKey to write and kms:Decrypt to read, and KMS logs both calls in CloudTrail.

Option 2. Use a master key you store within your application

When uploading an object—You provide a client-side master key to the Amazon S3 encryption client. The client uses the master key only to encrypt the data encryption key that it generates randomly. The process works like this:
The Amazon S3 encryption client generates a one-time-use symmetric key (also known as a data encryption key or data key) locally and uses it to encrypt the data of a single Amazon S3 object. The client generates a separate data key for each object, so exposure of one object's data key affects only that object.
The client encrypts the data key with the master key that you provide and records a material description identifying which master key was used.
The client uploads the encrypted object to Amazon S3 and saves the encrypted data key (x-amz-meta-x-amz-key) and the material description as object metadata. The master key itself is never uploaded.
When downloading an object—The client downloads the encrypted object from Amazon S3. Using the material description from the object's metadata, the client determines which master key to use to decrypt the data key. It uses that master key to decrypt the data key and then uses the data key to decrypt the object. If the master key is lost, the objects cannot be recovered.
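The envelope scheme described for both client-side options, carried through in code as an added example (not the AWS SDK's code or anything from these notes). It implements Option 2: a fresh data key per object, the data key wrapped under a master key held in the application, and the wrapped key plus a material description stored as object metadata next to the ciphertext. Option 1 is the same flow with the local wrap and unwrap replaced by KMS GenerateDataKey and Decrypt calls. Two stand-ins keep it runnable offline: the S3 "store" is a dict, and the cipher is an HMAC-SHA256-based stream cipher with an HMAC tag (encrypt-then-MAC) in place of the AES modes the real client uses, with the nonce embedded in the body rather than in a separate x-amz-iv metadata entry. The master key ring and metadata names beyond x-amz-meta-x-amz-key are assumptions.

```python
"""Client-side envelope encryption in the shape the S3 encryption client uses.

Added example, not the AWS SDK's code. Stand-ins: a dict for the bucket and
an HMAC-SHA256 stream cipher with HMAC tag instead of AES, so it runs on the
standard library alone. Use the AWS Encryption SDK or S3 Encryption Client
for real data.
"""
import base64
import hashlib
import hmac
import json
import secrets

MASTER_KEYS = {"app-key-2024": secrets.token_bytes(32)}   # hypothetical application key ring


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC subkeys from one 32-byte key (HMAC as a KDF)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything altered."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered object")
    return _xor_stream(_derive(key, b"enc"), nonce, ct)


def put_object_encrypted(store: dict, object_key: str, plaintext: bytes, master_key_id: str) -> None:
    """Upload path: one-time data key, object encrypted under it, data key
    wrapped under the master key, wrapped key + material description as metadata."""
    data_key = secrets.token_bytes(32)                     # never reused across objects
    body = aead_encrypt(data_key, plaintext)
    wrapped = aead_encrypt(MASTER_KEYS[master_key_id], data_key)
    store[object_key] = {
        "Body": body,
        "Metadata": {
            "x-amz-meta-x-amz-key": base64.b64encode(wrapped).decode("ascii"),
            "x-amz-meta-x-amz-matdesc": json.dumps({"master_key_id": master_key_id}),
        },
    }                                                      # the master key itself is never stored


def get_object_decrypted(store: dict, object_key: str) -> bytes:
    """Download path: material description selects the master key, which
    unwraps the data key, which decrypts the object."""
    obj = store[object_key]
    matdesc = json.loads(obj["Metadata"]["x-amz-meta-x-amz-matdesc"])
    master_key = MASTER_KEYS[matdesc["master_key_id"]]   # KeyError here == lost master key
    data_key = aead_decrypt(master_key, base64.b64decode(obj["Metadata"]["x-amz-meta-x-amz-key"]))
    return aead_decrypt(data_key, obj["Body"])


def tamper_is_detected(store: dict, object_key: str) -> bool:
    """Flip one ciphertext byte on a copy and confirm decryption refuses it."""
    obj = store[object_key]
    body = bytearray(obj["Body"])
    body[16] ^= 0x01                                       # first byte after the 16-byte nonce
    try:
        get_object_decrypted({object_key: {"Body": bytes(body), "Metadata": obj["Metadata"]}}, object_key)
    except ValueError:
        return True
    return False
```

Two properties are worth checking when you run it: uploading the same plaintext twice yields different bodies and different wrapped keys (per-object data keys), and deleting the entry from MASTER_KEYS makes every object written under it unreadable, which is the "lost master key" failure mode the notes warn about.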
