# S3 Encryption

## Object Encryption

### Server-Side Encryption

1. Server-side encryption with Amazon S3-managed keys *(SSE-S3)*, enabled by default.
   * Encryption is `AES-256`.
   * Can be requested explicitly by adding the header `"x-amz-server-side-encryption" : "AES256"` to the request.
   * The object is encrypted with a key owned and managed by Amazon S3; the key itself is never exposed to the user.
   * Applied by default to new objects and new buckets.
2. Server-side encryption with KMS keys stored in AWS KMS *(SSE-KMS)*.
   * Requested with the header `"x-amz-server-side-encryption" : "aws:kms"`.
   * The object is encrypted with a KMS key stored in AWS KMS.
   * Gives the user control over the key, and the KMS audit trail records who used the key and when.
   * Subject to the KMS API request quota, since S3 calls KMS on every upload and download of such an object.
3. Server-side encryption with customer-provided keys *(SSE-C)*.
   * **Must use HTTPS for this mode of encryption to work**.
   * AWS does not store the key.
   * The key must be passed in the request headers over HTTPS on every request.
   * Can only be enabled using the APIs or the command line, not the console.
4. Dual-layer server-side encryption with AWS KMS *(DSSE-KMS)*.

* A bucket policy can enforce that objects are written only with a specified `SSE` method, by denying requests that lack the matching encryption header.
* **Bucket policies are always evaluated before default encryption settings**.
* Changing the encryption setting of an object creates a new version of that object with a new last-modified date.
* S3 has an AWS-managed KMS key available by default; using it incurs no KMS key charge.

### Client-Side Encryption

* The client must use a library such as the Amazon S3 client-side encryption library.
* The client encrypts the object before sending it and decrypts it after receiving it; S3 only ever sees ciphertext.

## Encryption in Transit *(SSL/TLS)*

* AWS S3 exposes two endpoints:
  * `HTTP` endpoint
  * `HTTPS` endpoint
* The `HTTPS` endpoint is recommended and provides in-flight (in-transit) encryption of requests.
* A bucket policy can enforce that S3 objects are accessed only through the HTTPS endpoint *(in-flight encryption condition)*.
  * Sample policy, which enforces in-flight encryption when a GET request is made for an object in the bucket: ![In flight encryption policy](/files/e6GEeV84ohhz7PYU9VjE)
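The two bucket-policy controls described above (deny plaintext HTTP, and deny uploads that do not request SSE-KMS) as an added example that is not part of the original notes. The bucket name is a placeholder, and `denied_by` is a deliberately small evaluator for just the two condition operators the policy uses, so the deny behaviour can be checked offline without an AWS account:

```python
"""Bucket policy enforcing HTTPS and SSE-KMS, plus a minimal evaluator
for the Bool and StringNotEquals operators it uses (constructed example)."""

def build_policy(bucket: str) -> dict:
    """Two explicit Deny statements; in IAM evaluation an explicit Deny
    always overrides any Allow, so these act as guardrails."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # aws:SecureTransport is "false" for requests sent over plain HTTP
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # StringNotEquals also matches when the header is absent entirely,
                # so an upload with no x-amz-server-side-encryption header is denied
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"StringNotEquals":
                              {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }

def _condition_matches(cond: dict, ctx: dict) -> bool:
    """Evaluate a Condition block against a request context
    (condition key -> value). Only the two operators above are supported."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":            # missing key -> condition does not match
                if have is None or str(have).lower() != want:
                    return False
            elif op == "StringNotEquals":   # missing key -> condition matches
                if have == want:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True

def denied_by(policy: dict, action: str, ctx: dict) -> list:
    """Return the Sids of Deny statements matching this action and context.
    Action matching is simplified to exact match or the s3:* wildcard."""
    hits = []
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Deny" and any(a in (action, "s3:*") for a in acts) \
                and _condition_matches(st["Condition"], ctx):
            hits.append(st["Sid"])
    return hits
```

The policy dict from `build_policy` can be serialised with `json.dumps` and applied with `aws s3api put-bucket-policy`; the evaluator is only for reasoning about which requests the two statements block.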
