AWS S3 Server Side Encryption: What it is and How it works?

---

Introduction

AWS Simple Storage Service (S3) is one of the most widely used object storage solutions. With S3, you can store files, photos, videos, applications, websites, databases, backups, logs, and many other types of data online without worrying about performance issues, security breaches, or hardware failures.

Data encryption is a critical operation to protect sensitive data from unauthorized access. Yet, implementing encryption is not an easy job. Fortunately, AWS server-side encryption (SSE) simplifies the whole encryption process, including storing and managing encryption keys and helps protect your data stored in AWS S3 buckets.

This article explains the concepts around S3 encryption, S3 server-side encryption, how SSE works, and different approaches for SSE.

Table of contents

• Introduction
• AWS S3 Encryption
• S3 Server-Side Encryption
• S3 Server-Side Encryption Methods
  • SSE with AWS S3-Managed Keys (SSE-S3)
  • SSE with AWS Key Managed Service (SSE-KMS)
  • SSE with Customer-Provided Keys (SSE-C)
• How Does S3 Server-Side Encryption Work?
• Conclusion

AWS S3 Encryption

Amazon S3 uses encryption to protect your data while uploading and downloading them to and from S3 buckets (encryption at transit) and while residing in the S3 bucket storage (encryption at rest). S3 uses Secure Socket Layer (SSH)/Transport Layer Security (TLS) or client-side encryption to encrypt data in transit. To store the data in an encrypted format, S3 uses either server-side encryption or client-side encryption.

Encryption in S3 is not enabled by default. But you can allow server-side encryption as the default encryption. You can enable it in four ways: the S3 console, AWS CLI, SDKs, or REST API. You also have the option to allow it for individual objects or the whole bucket.

Once you enable the default server-side encryption for a new S3 bucket, every new object you upload to the bucket will be automatically encrypted. You can also encrypt existing objects by using the S3 Batch Copy Operation. It copies the unencrypted objects and stores them in the same bucket as the encrypted objects.

S3 Server-Side Encryption

Unlike client-side encryption, where the encryption happens at the client, server-side encryption encrypts the data at the destination or the AWS S3 data centers themselves. S3 SSE allows you to encrypt individual objects but not object metadata. S3 encrypts the objects before writing them to the buckets and decrypts them when you download them. You can enable SSE by enabling S3 default encryption or using an S3 bucket policy.

S3 Server Side Encryption can handle everything on your behalf, including encryption, decryption, and key management. It uses 256-bit Advanced Encryption Standard, or AES-256, one of the most robust encryption standards that is difficult to crack. Amazon provides three ways for server-side encryption. However, you can only use one method for one bucket or object.

• SSE with AWS S3-Managed Keys (SSE-S3)
• SSE with AWS Key Management Service (SSE-KMS)
• SSE with Customer-Provided Keys (SSE-C)

S3 Server-Side Encryption Methods

SSE with AWS S3-Managed Keys (SSE-S3)

In this mode of SSE, AWS S3 manages and handles the encryption keys. It uses a unique key to encrypt each object on the server side using AES-256. The client doesn’t directly access the encryption key or use it to encrypt and decrypt your data manually. AWS S3 also encrypts that unique key using a root or master key, adding an extra layer of security. The root key is also rotated regularly, making it difficult for attackers to find the unique key. There is no additional charge for this encryption other than requests for default encryption configuration.

You can use a bucket policy to enforce this encryption. For instance, you can add a check if the data upload request header contains the x-and-server-side-encryption and denies the upload operation if it doesn’t have it.

However, you cannot enforce SSE-S3 encryption when you upload files using pre-signed URLs.

SSE with AWS Key Managed Service (SSE-KMS)

In contrast to SSE-S3, SSE-KMS includes additional layers of security and charges. S3 uses the AWS Key Management Service (AWS KMS) keys for encrypting bucket objects. AWS KMS is a specifically designed service for managing encryption keys at scale in the cloud. Therefore, users benefit from the additional security and features provided by KMS.

SSE-KMS allows you to create keys centrally and define their usage through policies. Also, you can find out when and who used those keys to ensure the keys are being used properly. When using SSE-KMS keys with S3, both the bucket and the keys need to locate in the same region.

Furthermore, you need separate permissions to use SSE-KMS. For example, use the kms:GenerateDataKey permission to use KMS keys when uploading an object. If you need to download an object with SSE-KMS encryption, you must define kms: Decrypt as permission.

SSE with Customer-Provided Keys (SSE-C)

If you are not ready to hand over the encryption key management to AWS services but want to take that responsibility yourself, SSE-C is an ideal option. In SSE-C encryption, you manage the encryption keys on your own, while S3 manages the encryption and decryption processes. When uploading an object into your S3 bucket, S3 uses your encryption key to encrypt them.

You must provide the same key to download the objects. Then it checks if the customer-provided key matches the correct key. S3 will only proceed with the encryption if the provided key is valid. Once the encryption finishes, S3 removes it from its memory.

How Does S3 Server-Side Encryption Work?

Suppose you upload a file into your S3 bucket that has enabled SSE. In that case, Amazon S3 key management’s key generator generates unique encryption at S3 servers. Using that key, S3 will encrypt your data in plaintext format by transforming them into cipher text using the AES-256 encryption algorithm. S3 also uses an S3 “master key,” which can be either AWS-managed, KMS-managed, or a customer-provided key, as discussed earlier, to encrypt the generated unique key. The keys will be stored in a separate data store that stores your encrypted objects to provide more security.

Imagine you are downloading an encrypted file from your S3 bucket. In that case, S3 key management first retrieves the encrypted key from the encrypted key store and decrypts the key. Then S3 uses that decrypted key to decrypt the data you requested using the AES-256 algorithm. Finally, you will see your data in the original format.

Conclusion

AWS S3 SSE is the process of encrypting and decrypting S3 data on the server side. S3 provides three types of SSE. SSE-S3, SSE-KMS, and SSE-C mainly differ in how they handle the encryption keys. The simplest encryption you can use is SSE-S3. S3 allows you to enable SSE by default and enforce it using bucket policies.