S3 Encryption

Server side encryption refers to encrypting data in S3 at rest. S3 encrypts objects when the user uploads them and decrypts them when the user accesses them. There is no difference for the end user regardless of whether encrypted or unencrypted objects are uploaded or accessed. There are three different ways to encrypt objects in S3. Note that an object can be encrypted with only one of the following methods; multiple methods cannot be combined on the same object.

Server side encryption with S3 managed keys (SSE-S3)

S3 encrypts each object with a unique key and the key itself is encrypted with a master key which is regularly rotated. SSE-S3 uses AES-256 (256-bit Advanced Encryption Standard) to encrypt data.

Server side encryption with AWS-KMS managed keys (SSE-KMS)

SSE-KMS is similar to SSE-S3, but there is an additional key to protect the encryption key.

Server side encryption with customer managed keys (SSE-C)

The customer manages the encryption keys and S3 manages encryption and decryption of the objects.
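
Each of the three methods is selected by request headers on the upload, so the "one method only" rule can be checked before a request is sent. The sketch below is an added example, not code from the original page: it builds the S3 REST headers for one method and classifies a header set, rejecting mixes. The function names sse_headers and sse_mode and the sample key are assumptions made for illustration.

```python
import base64
import hashlib

SSE = "x-amz-server-side-encryption"  # S3 REST API header prefix


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Build upload headers for exactly one server side encryption method."""
    if mode == "SSE-S3":
        if kms_key_id or customer_key:
            raise ValueError("SSE-S3 takes no key input from the caller")
        return {SSE: "AES256"}
    if mode == "SSE-KMS":
        if customer_key:
            raise ValueError("SSE-KMS cannot be combined with SSE-C")
        headers = {SSE: "aws:kms"}
        if kms_key_id:  # optional: names a specific KMS key
            headers[SSE + "-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if kms_key_id:
            raise ValueError("SSE-C cannot be combined with SSE-KMS")
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        # S3 uses the MD5 only as a transport integrity check on the key.
        digest = hashlib.md5(customer_key, usedforsecurity=False).digest()
        return {
            SSE + "-customer-algorithm": "AES256",
            SSE + "-customer-key": base64.b64encode(customer_key).decode(),
            SSE + "-customer-key-MD5": base64.b64encode(digest).decode(),
        }
    raise ValueError("unknown mode: " + repr(mode))


def sse_mode(headers):
    """Classify a header set; raise if it asks for more than one method."""
    h = {k.lower(): v for k, v in headers.items()}
    customer = any(k.startswith(SSE + "-customer-") for k in h)
    managed = h.get(SSE)
    if customer and managed:
        raise ValueError("more than one encryption method requested")
    if customer:
        return "SSE-C"
    return {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", None: "none"}.get(
        managed, "unknown")


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key, never use a fixed key
    for mode, kwargs in (("SSE-S3", {}), ("SSE-KMS", {}),
                         ("SSE-C", {"customer_key": key})):
        built = sse_headers(mode, **kwargs)
        print(mode, sorted(built), "->", sse_mode(built))
```

With SSE-C the same key headers must accompany every later read of the object, since S3 does not store the key.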