{"id":70271,"date":"2019-02-18T13:09:28","date_gmt":"2019-02-18T13:09:28","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=70271"},"modified":"2021-02-01T08:41:56","modified_gmt":"2021-02-01T08:41:56","slug":"s3-server-side-encryption","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/s3-server-side-encryption\/","title":{"rendered":"An Introduction to S3 Server-Side Encryption (SSE)"},"content":{"rendered":"<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Hey guys, hope you are doing well with your preparation to become AWS Certified. Whether you are preparing for the AWS Solutions Architect Associate exam or for the AWS SysOps Administrator Associate exam, here is another important topic: <\/span><i><span style=\"font-weight: 400;\">S3 Server-Side Encryption<\/span><\/i><span style=\"font-weight: 400;\">. This is an important topic for both of these associate-level AWS certifications, so this article will be an important resource in your preparation.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">We have received a lot of queries regarding the difference between SSE-S3, SSE-C, and SSE-KMS. These are the S3 Server-Side Encryption methods.
Let us discuss how to protect your data at rest in S3 using server-side encryption.<\/span><\/p>\n<h2 style=\"text-align: justify;\">S3 Server-Side Encryption Methods<\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">AWS provides three ways to protect your data at rest in S3 using server-side encryption:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SSE-S3 (default)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SSE with customer-provided keys (SSE-C)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SSE with AWS KMS (SSE-KMS)<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">SSE-S3 encrypts data at rest using the 256-bit Advanced Encryption Standard (AES-256). Each object is encrypted with a unique data\/object key, and each data\/object key is in turn encrypted with a master key (envelope encryption) that is regularly rotated to prevent the data from being compromised.
Unlike SSE-KMS, SSE-S3 carries no additional charges beyond the storage that you are using on S3.<\/span><\/p>\n<h3 style=\"text-align: justify;\">How does S3 Server-Side Encryption Work?<\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">To encrypt the objects, you need a data key. To generate a data key, you can specify a CMK (Customer Master Key) that you have already created; otherwise, S3 will request AWS KMS to create a default CMK, which can then be used to create a data key.<\/span><\/p>\n<p style=\"text-align: justify;\">Using the encryption algorithm (AES-256), the CMK then creates two keys: a plaintext data key and an encrypted data key.<\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"size-full wp-image-70272 aligncenter\" src=\"http:\/\/whizlabs.org\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-1.png\" alt=\"SSE-S3\" width=\"367\" height=\"428\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-1.png 367w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-1-257x300.png 257w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-1-360x420.png 360w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-1-300x350.png 300w\" sizes=\"(max-width: 367px) 100vw, 367px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">S3 encrypts the object with the plaintext data key and deletes the key from memory.
The encrypted object, along with the encrypted data key, is then stored in S3.<\/span><\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"size-full wp-image-70273 aligncenter\" src=\"http:\/\/whizlabs.org\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-2.png\" alt=\"sse-s3\" width=\"636\" height=\"370\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-2.png 636w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-2-300x175.png 300w\" sizes=\"(max-width: 636px) 100vw, 636px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">When retrieving the object, S3 sends the encrypted data key to KMS. KMS matches the correct CMK, decrypts the encrypted data key, and sends the plaintext data key to S3. S3 then retrieves the object by decrypting it with this plaintext data key.<\/span><\/p>\n<p style=\"text-align: justify;\"><img decoding=\"async\" class=\"size-full wp-image-70274 aligncenter\" src=\"http:\/\/whizlabs.org\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-3.png\" alt=\"S3 Server-Side Encryption\" width=\"741\" height=\"467\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-3.png 741w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-3-300x189.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-3-666x420.png 666w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-3-640x403.png 640w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/SSE-S3-3-681x429.png 681w\" sizes=\"(max-width: 741px) 100vw, 741px\" \/><\/p>\n<p><strong>Note:<\/strong>\u00a0The working is the same for SSE-S3, SSE-KMS, and SSE-C.
The images have been taken from the AWS documentation &#8211;\u00a0<a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html<\/a><\/p>\n<h3 style=\"text-align: justify;\">SSE with AWS KMS (SSE-KMS)<\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">SSE-KMS is similar to SSE-S3 but comes with some additional benefits. Unlike SSE-S3, you can create and manage encryption keys yourself, or you can use a default CMK that is unique to you for the service that is being used (S3 in this case) and the region you are working in. <\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">When you create a CMK using KMS instead of using the default CMK, you get more flexibility, as you can create, rotate and disable the encryption keys. As KMS is integrated with CloudTrail, with SSE-KMS you can also audit the usage of the key: when, by whom, and for what purpose it was used. You can also give separate permissions for the use of an envelope key.<\/span><\/p>\n<h3 style=\"text-align: justify;\">SSE with Customer-Provided Keys (SSE-C)<\/h3>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">With SSE-C, the client manages the encryption keys itself, whereas AWS manages the encryption\/decryption part. As with SSE-S3, there are no additional charges. A client has to send the encryption key along with the object to be uploaded in a request.
S3 then encrypts the object using the provided key, and the object is stored in S3. Note that the encryption key is deleted from the system. <\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">When the user wants to download or retrieve the object, they have to supply the encryption key in the request. S3 first verifies that it is the correct encryption key; after a successful match, it decrypts the object and returns it to the client.<\/span><\/p>\n<h4 style=\"text-align: justify;\">Final Words<\/h4>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Hope this article helped you understand S3 Server-Side Encryption, which is one of the most important topics in the AWS Solutions Architect Associate exam and the AWS Certified SysOps Administrator Associate exam. Besides, Whizlabs also offers online courses and practice test series for the <a href=\"https:\/\/www.whizlabs.com\/aws-solutions-architect-associate\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Certified Solutions Architect Associate Exam<\/a> and <a href=\"https:\/\/www.whizlabs.com\/aws-sysops-administrator-associate\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS\u00a0Certified SysOps Administrator Associate exam<\/a>. Join us now to prepare and pass the AWS certification exams.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\"><em>Have any doubts\/concerns regarding<\/em>\u00a0<i>S3 Server-Side Encryption? Feel free to write in the comment section below or write in Whizlabs Forum to get it resolved by the industry experts.<\/i><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey guys, hope you are doing well with your preparation to become AWS Certified.
Whether you are preparing for the AWS Solutions Architect Associate exam or for the AWS SysOps Administrator Associate exam, here is another important topic S3 Server-Side Encryption. This is an important topic for both of these associate-level AWS certifications, so this article will be an important resource in your preparation. We have received a lot of queries regarding the difference between SSE-S3, SSE-C, and SSE-KMS. These are basically the S3 Server-Side Encryption methods. Let us discuss how to protect your data at rest in S3 [&hellip;]<\/p>\n","protected":false},"author":169,"featured_media":70280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[237,251,313,1754,1755,1756],"class_list":["post-70271","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-aws-certified-solutions-architect-associate","tag-aws-csaa","tag-aws-sysops-administrator-associate","tag-sse-c","tag-sse-kms","tag-sse-s3"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",600,315,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption-150x150.png",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption-300x158.png",300,158,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",600,315,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",600,315,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",600,315,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",600,315,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",24,13,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",48,25,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",96,50,false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",150,79,false],"profile_300":["https:\/\/www.whizlabs.com\/blog
\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",300,158,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption-250x250.png",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",600,315,false],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",96,50,false],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2019\/02\/S3_Server_Side_Encryption.png",150,79,false]},"uagb_author_info":{"display_name":"Girdharee Saran","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/girdharee\/"},"uagb_comment_info":35,"uagb_excerpt":"Hey guys, hope you are doing well with your preparation to become an AWS Certified. Whether you are preparing for the AWS Solutions Architect Associate exam or for the AWS SysOps Administrator Associate exam, here is another important topic S3 Server-Side Encryption. 
This is an important topic for both of these associate-level AWS certifications, so&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/70271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/169"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=70271"}],"version-history":[{"count":4,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/70271\/revisions"}],"predecessor-version":[{"id":77584,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/70271\/revisions\/77584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/70280"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=70271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=70271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=70271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}