Server-side Encryption in AWS


I was learning AWS server-side encryption and was looking for a plain English explanation of the 4 different encrypted solutions. Here's my breakdown. If anyone has a suggestion for improving my statements, please share.

Assumption: All of this is happening in the cloud.

S3 Server Side Encryption

"Hey Amazon, I will give you the data, you encrypt it, you create an encrypted key and manage it."


This is also known as a "customer managed key". It's a multi-tenant KMS.

"Hey Amazon, I will send you my data, you encrypt it, but I will give you a key."

S3 SSE-C

Amazon will get the data, get your key, encrypt it and throw the key away.

"Hey Amazon, I've got my own infrastructure for generating my own keys. When I send you the data, I will also send you the plain text key via SSL."

Client Side Encryption

"Hey Amazon, I'm going to encrypt the data myself and simply use your AWS S3 for the data store."
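What the four options look like on the wire, as an added example that is not part of the original post: the extra request headers an S3 upload carries in each mode, built from S3's documented `x-amz-server-side-encryption*` headers. The mode names, function names and sample key are assumptions made for this sketch, and the KMS key id is a placeholder.

```python
import base64
import hashlib

SSE_C_KEY = "x-amz-server-side-encryption-customer-key"

def sse_headers(mode, customer_key=None, kms_key_id=None):
    """Extra S3 upload headers for one of the four options (mode names are ours)."""
    if mode == "sse-s3":
        # Amazon creates and manages the key; you only ask for encryption.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "sse-kms":
        # Amazon encrypts, using a key held in KMS that you point it at.
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "sse-c":
        # Your own key travels with every request, so the transport must be TLS.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        md5 = hashlib.md5(customer_key).digest()  # integrity check on the key, not secrecy
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            SSE_C_KEY: base64.b64encode(customer_key).decode(),
            SSE_C_KEY + "-MD5": base64.b64encode(md5).decode(),
        }
    if mode == "client-side":
        # The body is already ciphertext; S3 is told nothing about keys.
        return {}
    raise ValueError("unknown mode: " + mode)

def redact_for_logging(headers):
    """Mask SSE-C key material before request headers reach a log or proxy trace."""
    return {k: "[REDACTED]" if k.lower().startswith(SSE_C_KEY) else v
            for k, v in headers.items()}

if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample key; real keys must be random
    for mode in ("sse-s3", "sse-kms", "sse-c", "client-side"):
        hdrs = sse_headers(mode, customer_key=sample_key, kms_key_id="EXAMPLE-KEY-ID")
        print(mode, redact_for_logging(hdrs))
```

Only the SSE-C request contains key material, which is why its headers are the ones to keep out of access logs and debugging traces.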