Server-Side Encryption (SSE)

  • It is encryption of data at rest
  • S3 encrypts data at the object level
  • S3 encrypts each object before writing it to disk in its data centers and decrypts it when the object is read back
  • Requests for the data must still be authenticated and authorized with the requisite access permissions; encryption at rest does not replace access control

Options for Server-Side Encryption, which differ in who creates and manages the encryption keys

  • SSE with Amazon S3-Managed Keys, or SSE-S3 – Every object is encrypted with a unique data key. That key is itself encrypted with a master key that S3 rotates regularly. Data is encrypted with AES-256. The caller only asks for the mode in the request; no key material is handled by the caller.
  • SSE with AWS KMS-Managed Keys, or SSE-KMS – Similar to SSE-S3, but the KMS API calls incur extra charges. Separate permissions on the KMS key are needed (kms:GenerateDataKey to upload, kms:Decrypt to download), so a principal with s3:GetObject alone cannot read the object. An audit trail detailing key usage is provided through CloudTrail. Create and manage your own customer managed key, or use the default AWS managed key (aws/s3) when no key ID is specified.
  • SSE with Customer-Provided Keys, or SSE-C – The customer handles key creation, management and rotation and sends the key with every request. S3 performs the encryption and decryption but does not store the key; it keeps only a salted HMAC of the key to validate later requests. Requests must use HTTPS, and losing the key means losing access to the object.
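The three options above are selected per request through S3 REST headers. The following is an added example, not code from the original notes or from AWS: it builds the PutObject request headers for SSE-S3, SSE-KMS and SSE-C, reproduces the key-MD5 check S3 performs on an SSE-C request, and verifies from the echoed response headers that S3 applied the mode that was asked for. The 32-byte key and the KMS key ARN are constructed placeholders.

```python
import base64
import hashlib

# PutObject request headers with which Amazon S3 selects each SSE mode.
HDR_SSE = "x-amz-server-side-encryption"
HDR_KMS_KEY_ID = "x-amz-server-side-encryption-aws-kms-key-id"
HDR_SSEC_ALG = "x-amz-server-side-encryption-customer-algorithm"
HDR_SSEC_KEY = "x-amz-server-side-encryption-customer-key"
HDR_SSEC_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_s3_headers():
    """SSE-S3: S3 creates and manages the per-object key; the request only names the algorithm."""
    return {HDR_SSE: "AES256"}


def sse_kms_headers(kms_key_id=None):
    """SSE-KMS: without a key id S3 uses the account's default aws/s3 key. With one, the caller
    needs kms:GenerateDataKey (upload) / kms:Decrypt (download) on that key; each use is logged in CloudTrail."""
    headers = {HDR_SSE: "aws:kms"}
    if kms_key_id:
        headers[HDR_KMS_KEY_ID] = kms_key_id
    return headers


def sse_c_headers(customer_key, scheme="https"):
    """SSE-C: the caller sends a 256-bit key with every request. S3 uses it for this one
    operation and discards it, keeping only a salted HMAC of the key to validate later requests."""
    key = bytes(customer_key)
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 32 raw bytes (AES-256)")
    if scheme != "https":
        # S3 rejects SSE-C over plain HTTP because the key itself travels in a header.
        raise ValueError("SSE-C requires HTTPS")
    return {
        HDR_SSEC_ALG: "AES256",
        HDR_SSEC_KEY: base64.b64encode(key).decode("ascii"),
        HDR_SSEC_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def sse_c_key_md5_matches(headers):
    """The integrity check S3 performs on an SSE-C request: the MD5 header must be the digest
    of the decoded key, so a corrupted or truncated key is refused before any data is encrypted with it."""
    key = base64.b64decode(headers[HDR_SSEC_KEY])
    sent_md5 = base64.b64decode(headers[HDR_SSEC_KEY_MD5])
    return hashlib.md5(key).digest() == sent_md5


def sse_applied(request_headers, response_headers):
    """Confirm from the PutObject response that S3 applied the requested mode.
    S3 echoes the mode header (plus the KMS key id), or for SSE-C the algorithm and key MD5."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if HDR_SSEC_ALG.lower() in req:
        return (resp.get(HDR_SSEC_ALG.lower()) == req[HDR_SSEC_ALG.lower()]
                and resp.get(HDR_SSEC_KEY_MD5.lower()) == req[HDR_SSEC_KEY_MD5.lower()])
    if resp.get(HDR_SSE.lower()) != req.get(HDR_SSE.lower()):
        return False
    wanted_key = req.get(HDR_KMS_KEY_ID.lower())
    # With no explicit key id S3 reports the ARN of the aws/s3 key, so only compare when we chose one.
    return wanted_key is None or resp.get(HDR_KMS_KEY_ID.lower()) == wanted_key


if __name__ == "__main__":
    # Constructed sample key for illustration only; a real key comes from a CSPRNG or an HSM.
    demo_key = bytes(range(32))
    # Placeholder KMS key ARN in the format AWS uses in its documentation examples.
    demo_kms_arn = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for name, hdrs in (("SSE-S3", sse_s3_headers()),
                       ("SSE-KMS", sse_kms_headers(demo_kms_arn)),
                       ("SSE-C", sse_c_headers(demo_key))):
        print(name, hdrs)
```

The header names are case-insensitive in HTTP, which is why sse_applied lower-cases both sides before comparing. SSE-C is the only mode in which the caller's code touches key material; the MD5 header exists so that S3 can detect a damaged key before it encrypts an object with it, which would otherwise make the object unreadable with the key the caller thinks it used.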

Client-side encryption involves encrypting the data on the client's side before it is sent to S3, so S3 only ever stores ciphertext and never sees the key. The client uses envelope encryption: each object is encrypted with a one-off data key, and that data key is encrypted with a master key and stored alongside the object (as object metadata or in a separate instruction file). The master key can be either of the following

  • An AWS KMS-managed customer master key, which the client calls to generate and decrypt data keys.
  • A client-side master key, which never leaves the client; the client is responsible for storing it safely, since losing it makes the data unrecoverable.