S3 Encryption

Object Encryption

Server-Side Encryption (SSE).

  1. Managed with Amazon S3-managed keys (SSE-S3), enabled by default.

    • Encryption is AES-256.

    • Can request this encryption by adding the header "x-amz-server-side-encryption" : "AES256" to the request.

    • This encrypts the object with a key owned by Amazon S3; the key is not accessible to the user.

    • Enabled by default for new objects and buckets.

  2. Managed with KMS keys stored in AWS KMS (SSE-KMS).

    • Request this encryption with the header "x-amz-server-side-encryption" : "aws:kms".

    • This encrypts the object with a KMS key stored in AWS KMS.

    • This gives the user control over the key, and the key's audit trail records who accessed it.

    • This mode is subject to the KMS API request quota limits.

  3. Managed with customer-provided keys (SSE-C).

    • HTTPS must be used for this mode of encryption to work.

    • AWS does not store the key.

    • The key is passed in the HTTPS request headers.

    • Can only be enabled through the API or the command line.

  4. Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS).

Client-Side Encryption

  • The client must use a library such as the Amazon S3 Client-Side Encryption Library.

  • The client encrypts the object before sending it and decrypts it after receiving it.

  • A bucket policy can be used to require that S3 objects are stored only with a specified SSE mode.

  • Bucket policies are always evaluated before the default encryption setting is applied.

  • Changing the encryption setting results in a new version of the object with a new last-modified date.

  • S3 has an AWS-managed KMS key created by default; no charge is levied for using it.


Encryption in Transit (SSL/TLS)

  • AWS S3 exposes two endpoints

    • HTTP endpoint

    • HTTPS endpoint

  • The HTTPS endpoint is recommended and provides in-flight (in-transit) encryption.

  • A bucket policy can be used to require that S3 objects are accessed only through the HTTPS endpoint (the in-flight encryption condition).

    • Sample policy: one that enforces in-flight encryption when a GET request is made for an object in the bucket.
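As an added example (not part of these notes), the two guardrails above combined in one bucket policy: a Deny for any request not made over HTTPS, and Denies for PutObject requests whose x-amz-server-side-encryption header is missing or is not aws:kms. The bucket name is a placeholder, and denied_by() is a deliberately simplified stand-in for IAM evaluation written only to show which statement catches which request.

```python
BUCKET = "example-bucket"  # placeholder name for this example, not a real bucket

def build_policy(bucket: str) -> dict:
    """Guardrail policy (an explicit Deny always beats an Allow): deny any action
    over plain HTTP, and deny PutObject unless x-amz-server-side-encryption is
    aws:kms (the Null statement catches a request with no such header)."""
    arn = f"arn:aws:s3:::{bucket}"
    sse = "s3:x-amz-server-side-encryption"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongSseHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {sse: "aws:kms"}}},
        {"Sid": "DenyMissingSseHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"Null": {sse: "true"}}},
    ]}

def denied_by(policy: dict, action: str, https: bool, sse_header) -> list:
    """Simplified evaluator written for this example, not IAM itself: returns the
    Sids of Deny statements whose Action and Condition match the request. In this
    model a missing key never satisfies StringNotEquals; Null handles that case."""
    ctx = {"aws:SecureTransport": "true" if https else "false",
           "s3:x-amz-server-side-encryption": sse_header}
    hits = []
    for st in policy["Statement"]:
        act = st["Action"]
        if not (act == action or (act.endswith("*") and action.startswith(act[:-1]))):
            continue
        ok = True
        for op, pairs in st["Condition"].items():
            for key, want in pairs.items():
                have = ctx.get(key)
                if op == "Bool":
                    ok &= have == want
                elif op == "StringNotEquals":
                    ok &= have is not None and have != want
                elif op == "Null":
                    ok &= (have is None) == (want == "true")
        if ok:
            hits.append(st["Sid"])
    return hits

if __name__ == "__main__":
    policy = build_policy(BUCKET)
    print(denied_by(policy, "s3:GetObject", https=False, sse_header=None))
    print(denied_by(policy, "s3:PutObject", https=True, sse_header="aws:kms"))
```

Because the Deny statements are evaluated before the bucket's default encryption, an unencrypted upload is rejected rather than silently encrypted with SSE-S3.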
