Server-side Encryption in AWS


While learning AWS S3 encryption, I found most of the information online to either be technically dense or unnecessarily difficult to understand. Below is my attempt to provide a "Plain English" explanation.

S3 Server Side Encryption

"Hey Amazon, I will give you the data, you encrypt it, you create an encryption key and manage it."

S3 SSE - KMS

Also known as a "customer managed key" or multi-tenant KMS.

"Hey Amazon, I will send you my data, you encrypt it, but I will give you a key."

S3 SSE - C

Amazon will take your data and your key, encrypt the data with that key, and then throw the key away.

"Hey Amazon, I've got my own infrastructure for generating my own keys. When I send you the data, I will also send you the plaintext key via SSL."

Client Side Encryption

"Hey Amazon, I'm going to encrypt the data myself and simply use your AWS S3 for the data store."
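As an added example (not code from the original post), here are the S3 request headers that select each of the modes above, built without boto3 so it runs offline. The header names are the real S3 REST headers; the `sse_headers` function, the `CLIENT` mode label and the 32-byte sample key are constructed for illustration.

```python
import base64
import hashlib


def valid_sse_c_key(key):
    """SSE-C only accepts a raw 256-bit (32-byte) AES key."""
    return isinstance(key, bytes) and len(key) == 32


def sse_headers(mode, kms_key_id=None, customer_key=None):
    """Return the S3 headers for one encryption mode.

    mode: "SSE-S3", "SSE-KMS", "SSE-C" or "CLIENT" (client-side:
    you encrypt before upload, so S3 just stores opaque bytes).
    """
    if mode == "SSE-S3":
        # S3 creates and manages the key; you only ask for AES-256.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omitted -> the AWS-managed aws/s3 key is used
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # You send the key with the object; S3 encrypts, then discards the key.
        # The same three headers must accompany every later GET of the object.
        if not valid_sse_c_key(customer_key):
            raise ValueError("SSE-C requires a 32-byte (256-bit) AES key")
        key_b64 = base64.b64encode(customer_key).decode()
        # S3 checks this digest to detect a corrupted key in transit
        key_md5 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": key_b64,
            "x-amz-server-side-encryption-customer-key-MD5": key_md5,
        }
    if mode == "CLIENT":
        return {}  # encrypt locally first; no S3 encryption header needed
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample key, never use in practice
    for m in ("SSE-S3", "SSE-KMS", "SSE-C", "CLIENT"):
        print(m, sse_headers(m, customer_key=sample_key))
```

With SSE-C the request is only protected in transit by TLS, so the key travels in the clear inside that tunnel, and because S3 keeps no copy, losing your key means the object can never be decrypted.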