Encryption
S3 offers two primary types of encryption: SSE and CSE. They can both support BYOKs and AWS-managed keys.
SSE
SSE is the most straightforward of the two, where data is encrypted at rest within the S3 bucket. S3 offers different SSE options:
- SSE-S3: This uses the default AWS managed key for S3 (aws/s3) to encrypt objects stored in S3. While it is the simplest to set up, it does not offer any level of control over the encryption key.
- SSE-KMS: This uses your KMS CMK for more granular control over the keys used to encrypt objects stored in S3.
- DSSE-KMS: This applies two layers of encryption to encrypt objects stored in S3. It is particularly useful for compliance standards that require multilayer encryption.
- SSE-C: This is where you provide the encryption key as part of your API request to S3. While AWS handles the encryption and decryption process, the key management resides with you.
SSE-KMS and DSSE-KMS are often the go-to choices for SSE when compliance requirements dictate a need for key management features like audit trails. They also allow for easy integration with other AWS services that are KMS-aware.
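As an added example (not code from the text above), the following Python script classifies which SSE option a PutObject request selects from its headers and evaluates a bucket policy that denies any upload not using SSE-KMS or DSSE-KMS. The header names and the condition key are S3's real ones; the bucket name is a placeholder.

```python
"""Added example: map S3 PutObject headers to the SSE options described above
and check them against a bucket policy that enforces KMS-backed encryption."""
from typing import Dict, Optional

SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"

# Value of the x-amz-server-side-encryption header -> SSE option.
_SSE_VALUES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}


def classify_sse(headers: Dict[str, str]) -> Optional[str]:
    """Return SSE-S3 / SSE-KMS / DSSE-KMS / SSE-C, or None when the request
    names no encryption (the bucket's default encryption then decides)."""
    h = {k.lower(): v for k, v in headers.items()}
    if SSE_C_ALG_HEADER in h:
        return "SSE-C"  # caller supplies the key; AWS does not retain it
    return _SSE_VALUES.get(h.get(SSE_HEADER, ""))


def kms_only_policy(bucket: str) -> dict:
    """Bucket policy denying PutObject unless SSE-KMS or DSSE-KMS is requested.
    The bucket name is a placeholder supplied by the caller."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {
            "s3:x-amz-server-side-encryption": ["aws:kms", "aws:kms:dsse"]}}}]}


def policy_permits(policy: dict, headers: Dict[str, str]) -> bool:
    """Evaluate the StringNotEquals condition above against request headers.
    Simplified evaluator: only s3:x-amz-server-side-encryption is modelled.
    A request without the header also matches StringNotEquals, so an upload
    that relies on the bucket default (SSE-S3) is denied by this policy."""
    h = {k.lower(): v for k, v in headers.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, allowed in stmt["Condition"].get("StringNotEquals", {}).items():
            header = key.split("s3:", 1)[1]
            if h.get(header) not in allowed:
                return False  # Deny statement matches -> upload rejected
    return True
```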
CSE
CSE is when data is encrypted on the client side before being uploaded to S3. This method provides the highest level of control over encryption keys but also places the most responsibility on you to perform encryption and manage those keys securely. AWS provides an S3 Encryption Client, which is a dedicated library that handles encryption on the client side. The AWS S3 Encryption Client is different from the AWS Encryption SDK as it is more integrated with S3. The S3 Encryption Client offers two CSE options:
- CSE-KMS: Similar to SSE-KMS, but the encryption happens client-side using your KMS CMK.
- CSE-C: Here, you manage the entire encryption process on the client side, including key management, which provides the highest level of control.
CSE is often used in scenarios where there are stringent regulatory requirements around data encryption, or when there is a need for custom encryption algorithms not supported by SSE.