Each object is encrypted with a unique key. As an additional safeguard, Amazon S3 encrypts that key itself with a master key that it rotates regularly. SSE-S3 requires that Amazon S3 manage both the data keys and the master encryption key.
"Hey Amazon, I will give you the data, you encrypt it, you create an encrypted key and manage it."
You manage the encryption keys; Amazon S3 manages the encryption as it writes your objects to disk and the decryption when you access them. Amazon receives your data and your key, encrypts the data, and then discards the key.
"Hey Amazon, I've got my own infrastructure for generating my own keys. When I send you the data, I will also send you the plaintext key over SSL."
You can use the Amazon S3 Encryption Client in the AWS SDK in your own application to encrypt objects and upload them to Amazon S3. This method encrypts your data locally, so it is already protected while in transit to the Amazon S3 service. Amazon S3 receives only the encrypted data and plays no role in encrypting or decrypting it.
"Hey Amazon, I'm going to encrypt the data myself and simply use your S3 as the data store."