An Introduction to S3 Server-Side Encryption (SSE) - Whizlabs Blog (2024)

Hey guys, hope you are doing well with your preparation to become AWS Certified. Whether you are preparing for the AWS Solutions Architect Associate exam or for the AWS SysOps Administrator Associate exam, here is another important topic: S3 Server-Side Encryption. It is an important topic for both of these associate-level AWS certifications, so this article will be a useful resource in your preparation.

We have received a lot of queries regarding the difference between SSE-S3, SSE-C, and SSE-KMS. These are basically the S3 Server-Side Encryption methods. Let us discuss how to protect your data at rest in S3 using server-side encryption.

S3 Server-Side Encryption Methods

AWS provides three ways to protect your data at rest in S3 using server-side encryption:

  • SSE-S3 (default)
  • SSE with customer provided keys (SSE-C)
  • SSE with AWS KMS (SSE-KMS)

SSE-S3 encrypts data at rest using the 256-bit Advanced Encryption Standard (AES-256). Each object is encrypted with a unique data/object key, and each data/object key is in turn encrypted with a master key (envelope encryption) that is rotated regularly to keep the data from being compromised. Unlike SSE-KMS, SSE-S3 carries no additional charges beyond the storage you are using on S3.

How does S3 Server-Side Encryption Work?

To encrypt an object you need a data key. To generate the data key you can specify a CMK (Customer Master Key) that you have already created; otherwise S3 requests AWS KMS to create a default CMK, which is then used to create the data key.

Using the encryption algorithm (AES-256), the CMK then creates two keys: a plaintext data key and an encrypted data key.

S3 encrypts the object with the plaintext data key and then deletes that key from memory. The encrypted object is stored in S3 along with the encrypted data key.

While retrieving the object, S3 sends the encrypted data key to KMS. KMS matches the correct CMK, decrypts the encrypted data key, and sends the plaintext data key to S3. S3 then retrieves the object by decrypting it with this plaintext data key.

Note: The working is the same for SSE-S3, SSE-KMS, and SSE-C. The images have been taken from the AWS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
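
The upload and retrieval flow described above, simulated locally in Node.js as an added example (not AWS's implementation and not code from the original article). Assumptions: a random 32-byte buffer stands in for the CMK that KMS would hold, AES-256-GCM is the chosen mode, and `seal`, `open`, `putObject` and `getObject` are hypothetical names.

```javascript
// Load Node's built-in crypto module (works under CommonJS and ES modules).
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

// AES-256-GCM; returns nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverses seal(); throws if the key is wrong or the bytes were modified.
function open(key, sealed) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Upload path: fresh data key per object, encrypt the object with it,
// wrap the data key under the master key, then wipe the plaintext data key.
function putObject(masterKey, body) {
  const dataKey = nodeCrypto.randomBytes(32);
  const stored = {
    object: seal(dataKey, body),
    encryptedDataKey: seal(masterKey, dataKey),
  };
  dataKey.fill(0);
  return stored; // only the ciphertext and the wrapped key are kept
}

// Download path: unwrap the data key with the master key (the KMS step),
// then decrypt the object with the recovered plaintext data key.
function getObject(masterKey, stored) {
  const dataKey = open(masterKey, stored.encryptedDataKey);
  try {
    return open(dataKey, stored.object);
  } finally {
    dataKey.fill(0);
  }
}

// Constructed sample input; the random buffer stands in for a CMK held by KMS.
const masterKey = nodeCrypto.randomBytes(32);
const stored = putObject(masterKey, Buffer.from("constructed sample object"));
console.log(getObject(masterKey, stored).toString());
```

Losing or disabling the master key makes every wrapped data key, and therefore every object, unrecoverable, which is why key disablement in KMS works as an access control.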

SSE with AWS KMS (SSE-KMS)

SSE-KMS is similar to SSE-S3 but comes with some additional benefits. Unlike with SSE-S3, you can create and manage the encryption keys yourself, or you can use a default CMK that is unique to you, to the service being used (S3 in this case), and to the region you are working in.

When you create a CMK using KMS instead of using the default CMK, you get more flexibility, as you can create, rotate, and disable the encryption keys. Because KMS is integrated with CloudTrail, with SSE-KMS you can also audit the usage of the key: when, by whom, and for what purpose the key was used. You can also give separate permissions for the use of an envelope key.

SSE with Customer-Provided Keys (SSE-C)

With SSE-C, the client manages the encryption keys itself, whereas AWS manages the encryption and decryption. As with SSE-S3, there are no additional charges. The client has to send the encryption key in the request along with the object to be uploaded. S3 then encrypts the object using the provided key and stores the object in S3. Note that the encryption key is then deleted from the system.

When the user wants to download or retrieve the object, they have to supply the encryption key in the request. S3 first verifies that it is the correct encryption key; after a successful match, it decrypts the object and returns it to the client.
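
What an SSE-C request carries, and how a service can check a supplied key without keeping it, as an added Node.js example (not AWS's code and not from the original article). The three header names are the ones S3 defines for SSE-C; AWS documents that S3 keeps a randomly salted HMAC of the key for validation, but the exact construction used here (HMAC-SHA256 keyed with a 16-byte salt) and all function names are assumptions.

```javascript
// Load Node's built-in crypto module (works under CommonJS and ES modules).
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

// Client side: the three SSE-C request headers for a 256-bit key.
function sseCHeaders(key) {
  if (key.length !== 32) throw new Error("SSE-C needs a 256-bit (32-byte) key");
  return {
    "x-amz-server-side-encryption-customer-algorithm": "AES256",
    "x-amz-server-side-encryption-customer-key": key.toString("base64"),
    "x-amz-server-side-encryption-customer-key-MD5":
      nodeCrypto.createHash("md5").update(key).digest("base64"),
  };
}

// Service side: decode the key and reject it if its length or MD5 is off
// (the MD5 header only detects a key damaged in transit).
function keyFromHeaders(h) {
  const key = Buffer.from(h["x-amz-server-side-encryption-customer-key"] || "", "base64");
  const md5 = nodeCrypto.createHash("md5").update(key).digest("base64");
  if (key.length !== 32 || md5 !== h["x-amz-server-side-encryption-customer-key-MD5"]) {
    throw new Error("malformed SSE-C key headers");
  }
  return key;
}

// On upload, keep a salted HMAC of the key as a check value, never the key.
function rememberKey(key) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, check: nodeCrypto.createHmac("sha256", salt).update(key).digest() };
}

// On download, accept the supplied key only if it reproduces the check value.
function isSameKey(record, key) {
  const check = nodeCrypto.createHmac("sha256", record.salt).update(key).digest();
  return nodeCrypto.timingSafeEqual(check, record.check);
}

// Constructed sample key: the right key matches, a different one does not.
const sampleKey = nodeCrypto.randomBytes(32);
const record = rememberKey(keyFromHeaders(sseCHeaders(sampleKey)));
console.log(isSameKey(record, sampleKey), isSameKey(record, nodeCrypto.randomBytes(32)));
```

Because the key travels in request headers, SSE-C requests belong on HTTPS only, and the key must be kept safe on the client side: the check value cannot be used to recover it.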

Final Words

Hope this article helped you understand S3 Server-Side Encryption, which is one of the most important topics in the AWS Solutions Architect Associate exam and the AWS Certified SysOps Administrator Associate exam. Whizlabs also offers online courses and practice test series for the AWS Certified Solutions Architect Associate exam and the AWS Certified SysOps Administrator Associate exam. Join us now to prepare and pass the AWS certification exams.

Have any doubts or concerns regarding S3 Server-Side Encryption? Feel free to write in the comment section below or in the Whizlabs Forum to get them resolved by industry experts.

About Girdharee Saran

Girdharee Saran has a glorious 13 years of experience transforming the way e-learning and SaaS start-ups approach digital marketing for their organisations. He has successfully chartered tangible results, which have proven beneficial. Working in the spaces of content marketing and SEO for a considerable amount of time, he is well conversant in his art. Having taken a deep interest in content and growth marketing, his urge to learn more is perpetual. His current role at Whizlabs as VP Marketing is about but not limited to driving SEO, conversion optimisation, marketing automation, link building and strategising result-driven content.
