S3 Server Side Encryption

An Introduction to S3 Server-Side Encryption (SSE)

Hey guys, hope you are doing well with your preparation to become an AWS Certified. Whether you are preparing for the AWS Solutions Architect Associate exam or for the AWS SysOps Administrator Associate exam, here is another important topic S3 Server-Side Encryption. This is an important topic for both of these associate-level AWS certifications, so this article will be an important resource in your preparation.

We have received a lot of queries regarding the difference between SSE-S3, SSE-C, and SSE-KMS. These are basically the S3 Server-Side Encryption methods. Let us discuss how to protect your data at rest in S3 using server-side encryption.

Also Read:

Preparation Guide for AWS Certified Solutions Architect Associate Exam

Preparation Guide for AWS Certified SysOps Administrator Associate Exam

S3 Server-Side Encryption Methods

AWS provides three ways to protect your data at rest in S3 using server-side encryption:

  • SSE-S3 (default)
  • SSE with customer provided keys (SSE-C)
  • SSE with AWS KMS (SSE-KMS)

SSE-S3 encrypts data at rest using 256-bit Advanced Encryption Standard(AES-256). Each object is encrypted with a unique data/object key and each data/object key is further encrypted using a master key (envelope encryption) which is regularly rotated so as to prevent data getting compromised. Unlike SSE-KMS there are no additional charges for using SSE-S3 in addition to the storage that you are using on S3.

AWS CSAA Online Course

How does S3 Server-Side Encryption Work?

To encrypt the objects you need a data key. Now to generate a data key you can specify a CMK (Customer Master Key) that you have already created otherwise S3 will request AWS KMS to create a default CMK which can be used to create a data key.

Now CMK using the encryption algorithm (AES-256) creates two keys, one is plaintext data key and the other is encrypted data key.


S3 encrypts the object with plaintext data key and deletes the key from memory. The encrypted object along with the encrypted data key is then stored in S3.


While retrieving the object S3 sends the encrypted data key to KMS. KMS matches the correct CMK then it decrypts the encrypted data key and sends the plaintext data key to S3. S3 then retrieves the object by decrypting the object with this plaintext data key.

S3 Server-Side Encryption

Note: The working is same for SSE-S3, SSE-KMS, and SSE-C. And the images have been taken from AWS doc – https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html


SSE-KMS is similar to SSE-S3 but comes with some additional benefits over SSE-S3. Unlike SSE-S3 you can create and manage encryption keys yourself or you can use a default CMK key that is unique to you for the service that is being used (S3 in this case) and the region you are working in.

When you create a CMK using KMS instead of using default CMK you get more flexibility as you can create, rotate and disable the encryption keys. As KMS is integrated with Cloudtrail with SSE-KMS you can also audit the usage of the key like when, by whom, for what purpose the key was used. You can also give separate permissions for the use of an envelope key.

AWS SysOps Administrator Associate Online Course

SSE with Customer-Provided Keys (SSE-C)

With SSE-C, client manages the encryption keys itself whereas AWS manages the encryption/decryption part. There are no additional charges like SSE-S3. A client has to send the encryption key along with the object to be uploaded in a request. S3 then encrypts the object using the provided key and the object is stored in S3. Note that the encryption key is deleted from the system.

When the user wants to download or retrieve the object it has to supply the encryption key in the request. S3 first verifies that it is the correct encryption key, after the successful match it decrypts the object and returns it to the Client.

Check Now: AWS ML (Top AWS Machine Learning Tools)

Final Words

Hope this article helped you understand the S3 server-Side Encryption which is one of the most important topics in AWS Solutions Architect Associate exam and AWS Certified SysOps Administrator Associate exam. Besides, Whizlabs also offers online courses and practice tests series for the AWS Certified Solutions Architect Associate Exam and AWS Certified SysOps Administrator Associate exam. Join us now to prepare and pass the AWS certification exams.

Have any doubts/concerns regarding S3 Server-Side Encryption? Feel free to write in the comment section below or write in Whizlabs Forum to get it resolved by the industry experts.

About Girdharee Saran

Girdharee Saran has a glorious 13 years of experience transforming the way e-learning and SaaS start-ups approach digital marketing for their organisations. He has successfully chartered tangible results, which have proven beneficial. Working in the spaces of content marketing and SEO for a considerable amount of time, he is well conversant in his art. Having taken a deep interest in content and growth marketing, his urge to learn more is perpetual. His current role at Whizlabs as VP Marketing is about but not limited to driving SEO, conversion optimisation, marketing automation, link building and strategising result driven content.

1 thought on “An Introduction to S3 Server-Side Encryption (SSE)”

  1. Hey, thanks for the article.
    I have a request can you write about S3, how it handles the PUT, GET etc and about indexing of the file, randomness. I am preparing for my AWS SSA so I have little difficulty in understanding these concepts.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top