S3 Encryption
Object Encryption
Server-Side Encryption
Client-Side Encryption
SSE-S3
- Encryption using keys handled, managed and owned by AWS
- Object is encrypted server side
- Encryption type is AES-256
- Must set header "x-amz-server-side-encryption": "AES256"

SSE-KMS
- Encryption using keys handled and managed by AWS KMS
- KMS advantages: user control + audit key usage using CloudTrail
- Must set header "x-amz-server-side-encryption": "aws:kms"

- Limitations:
  - May be impacted by KMS limits
  - When you upload, calls the GenerateDataKey KMS API
  - Calls another API when downloaded
  - Counts towards KMS quota per second
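
An added example (not part of the original notes) that ties the CloudTrail audit point to the quota limitation: it counts S3-driven KMS calls per second in CloudTrail-style records and lists the seconds that exceed a threshold. The sample records and bucket name are constructed, the download-side call is assumed to be KMS Decrypt, and the limit of 2 is a hypothetical threshold, not a real KMS quota.

```python
from collections import Counter, defaultdict

# Constructed CloudTrail-style records (not real log data); the bucket and
# object names are placeholders.
def _rec(time, name, obj):
    return {"eventTime": time, "eventSource": "kms.amazonaws.com",
            "eventName": name,
            "requestParameters": {"encryptionContext": {
                "aws:s3:arn": f"arn:aws:s3:::example-bucket/{obj}"}}}

SAMPLE = {"Records": [
    _rec("2024-01-01T12:00:00Z", "GenerateDataKey", "a.txt"),  # upload
    _rec("2024-01-01T12:00:00Z", "GenerateDataKey", "b.txt"),  # upload
    _rec("2024-01-01T12:00:00Z", "Decrypt", "a.txt"),          # download
    _rec("2024-01-01T12:00:01Z", "Decrypt", "b.txt"),          # download
    # KMS call without an S3 encryption context: not S3-driven, ignored
    {"eventTime": "2024-01-01T12:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "requestParameters": {"encryptionContext": {}}},
    # Non-KMS event: ignored
    {"eventTime": "2024-01-01T12:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "requestParameters": {}},
]}

# Assumption: uploads show up as GenerateDataKey, downloads as Decrypt.
S3_KMS_CALLS = {"GenerateDataKey", "Decrypt"}

def s3_kms_calls_per_second(trail):
    """Map each second (eventTime) to a Counter of S3-driven KMS calls."""
    per_second = defaultdict(Counter)
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in S3_KMS_CALLS:
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if "aws:s3:arn" not in ctx:  # keep only calls made on behalf of S3
            continue
        per_second[rec["eventTime"]][rec["eventName"]] += 1
    return dict(per_second)

def seconds_over_limit(trail, limit):
    """Return the seconds whose total S3-driven KMS calls exceed `limit`."""
    return sorted(sec for sec, calls in s3_kms_calls_per_second(trail).items()
                  if sum(calls.values()) > limit)

if __name__ == "__main__":
    for sec, calls in sorted(s3_kms_calls_per_second(SAMPLE).items()):
        print(sec, dict(calls))
    print("over hypothetical limit of 2:", seconds_over_limit(SAMPLE, 2))
```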