While learning AWS S3 encryption, I found most of the information online to either be technically dense or unnecessarily difficult to understand. Below are my plain English explanations.
NOTE: I found this article and it does a much better job providing a comprehensive overview. I suggest reading this article
Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. SSE-S3 requires that Amazon S3 manage the data and master encryption keys.
"Hey Amazon, I will give you the data, you encrypt it, you create an encrypted key and manage it."
Also known as a "customer managed key" or multi-tenant KMS. SSE-KMS requires that AWS manage the data key but you manage the customer master key in AWS KMS.
"Hey Amazon, I will send you my data, you encrypt it, but I will give you a key."
You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects. Amazon will collect your data, collect your key, encrypt it and throw the key away.
"Hey Amazon, I've got my own infrastructure for generating my own keys. When I send you the data, I will also send you the plain text key via SSL."
You can use the Amazon S3 Encryption Client in the AWS SDK in your own application to encrypt objects and upload them to Amazon S3. This method allows you to encrypt your data locally to ensure its security as it passes to the Amazon S3 service. The Amazon S3 service receives your encrypted data; it does not play a role in encrypting or decrypting it.
"Hey Amazon, I'm going to encrypt the data myself and simply use your AWS S3 for the data store."