Articles → AWS → AWS S3 Encryption

AWS S3 Encryption

In this article, we will discuss AWS S3 encryption.

Types Of Encryptions

There are 2 types of encryptions: -

Client-side encryption → In client-side encryption, the data is encrypted locally before sending it to the S3 service. The s3 service has no role in encrypting or decrypting the data
Server-side encryption → In server-side encryption, data is encrypted by the S3 service

How To Enable Server-Side Encryption In S3?

While creating the bucket, you have the option to enable the default encryption.

Picture showing the section to enable server side encryption in S3 bucket

Click to Enlarge

For encryption and decryption, you can use 2 types of keys: -

Server-side encryption with Amazon S3 managed keys (SSE-S3) → These are the Amazon managed keys
Server-side encryption with AWS Key Management Service keys (SSE-KMS) → These are the keys created by the user using the Key Management Service
Dual-layer server-side encryption with AWS Key Management Service keys (DSSE-KMS) → An additional layer of service-side encryption added on the S3 bucket

Bucket Keys

The bucket keys are the temporary keys stored in the S3 bucket. The purpose of the bucket keys is to encrypt the S3 objects so that the cost of encryption using the AWS KMS or SSE-KMS could be reduced.

Consider a scenario, where a S3 bucket has 10 objects to be encrypted. For each object encryption, a request goes to the KMS. As the number of objects increases, the number of requests to the KMS also increases. This will increase the traffic as well as the cost of encryption.

To reduce the cost, the S3 bucket keys come into the picture. The S3 bucket keys are generated either by using the AWS KMS or the SSE-KMS and are stored in the bucket itself. So, if the number of objects increases, the bucket keys stored in the S3 bucket will encrypt the object without sending additional requests to KMS. This way the number of requests to KMS and the cost are also reduced.

Posted By -	Karan Gupta

Posted On -	Tuesday, January 4, 2022

Updated On -	Wednesday, July 19, 2023

Query/Feedback

Your Email Id		**

Subject		*

Query/Feedback	Characters remaining 250	**