This chapter covers S3 encryption options: SSE-S3, SSE-KMS, and SSE-C, which are critical for securing data at rest in Amazon S3. For the DVA-C02 exam, understanding the differences, use cases, and how to implement each is essential, as encryption questions appear in roughly 10-15% of security-related questions. You will need to know when to use each type, how to request them via APIs, and the implications for key management, performance, and cost.
Jump to a section
Imagine a secure document delivery company. You can send a package in three ways. SSE-S3 is like handing your package to the company's standard service: they provide a default lockbox (their own master key), lock it automatically, store it, and when you request it back, they unlock it for you. You never see the key; the company manages everything. SSE-KMS is like using a high-security service where you bring your own custom lockbox (a KMS key) with specific access rules. The company uses your lockbox to secure the package, but you control who has copies of the key and can audit every time the box is opened via CloudTrail. You also pay per use of the lockbox. SSE-C is like you providing your own padlock and key to the company. They use your padlock to lock the package, store it, but they do not keep a copy of your key. When you want the package back, you must provide the same padlock key again. If you lose the key, the package stays locked forever. The company never sees or stores your key. Each method gives you different control, auditability, and key management responsibility. SSE-S3 is simplest, SSE-KMS provides fine-grained control and auditing, SSE-C gives you full key control but with the burden of managing keys yourself.
What is S3 Encryption and Why Does It Exist?
Amazon S3 offers several encryption options to protect data at rest. Data at rest means data stored on disk, as opposed to data in transit (moving over the network). S3 automatically encrypts objects at the physical disk level, but customer-controlled encryption adds a second layer of protection. The three server-side encryption options (SSE) encrypt objects before they are written to disk and decrypt them when accessed. The key difference is who manages the encryption keys and how they are used.
SSE-S3: Server-Side Encryption with S3-Managed Keys
SSE-S3 is the simplest form. Amazon S3 manages the encryption keys for you. Each object is encrypted with a unique key, which is then encrypted with a regularly rotated master key. The entire process is transparent to the user. When you upload an object with SSE-S3, S3 encrypts it before writing to disk. When you download it, S3 decrypts it automatically. You do not need to provide any keys in your requests. To enable SSE-S3, you set the x-amz-server-side-encryption header to AES256 when uploading the object. If you use the AWS Management Console, SSE-S3 is the default encryption option for new buckets if you enable default encryption. SSE-S3 uses AES-256 encryption. It is free (no additional charge). The exam may ask you to identify SSE-S3 as the option when you want minimal key management and no additional cost.
SSE-KMS: Server-Side Encryption with AWS KMS-Managed Keys
SSE-KMS uses AWS Key Management Service (KMS) to manage encryption keys. This gives you more control, including separate permissions for key usage, auditing via CloudTrail, and the ability to create and manage customer managed keys (CMKs) or use AWS managed keys. When you upload an object with SSE-KMS, you specify a KMS key ID (or use the default KMS key for S3, which is an AWS managed key). S3 requests KMS to generate a data key, encrypts the object with that data key, and then encrypts the data key with the specified KMS key. The encrypted data key is stored alongside the object. When you download, S3 requests KMS to decrypt the data key and then decrypts the object. You must have permissions to use the KMS key (kms:GenerateDataKey and kms:Decrypt). To use SSE-KMS, set the x-amz-server-side-encryption header to aws:kms and optionally specify the KMS key via x-amz-server-side-encryption-aws-kms-key-id. There are costs: KMS key usage incurs a fee per request (for encryption/decryption operations). Also, KMS has a request rate limit (default 5,500 requests per second for a CMK, but can be increased). The exam tests that SSE-KMS provides envelope encryption, separate permissions, and CloudTrail auditing.
SSE-C: Server-Side Encryption with Customer-Provided Keys
SSE-C allows you to provide your own encryption key. S3 does not store your key; you must provide it with every request. When uploading, you include the encryption key in the request headers (x-amz-server-side-encryption-customer-algorithm set to AES256, x-amz-server-side-encryption-customer-key as the base64-encoded key, and x-amz-server-side-encryption-customer-key-MD5 for integrity). S3 uses your key to encrypt the object, then discards the key. When downloading, you must provide the same key again. S3 verifies the key by checking the MD5 hash. If you lose the key, the object cannot be decrypted. SSE-C is useful if you want full control over the key and do not want to trust AWS with key storage. However, you must manage key distribution and rotation yourself. The exam tests that SSE-C requires the encryption key with every request, that S3 does not store the key, and that you cannot use the AWS Management Console to upload/download objects with SSE-C (you must use SDK, CLI, or REST API).
How to Choose and Configure
Default encryption: You can set a default encryption behavior on an S3 bucket. When enabled, all objects uploaded without an explicit encryption header are encrypted with SSE-S3 or SSE-KMS (your choice). This does not affect existing objects. Default encryption is not retroactive.
Bucket policies: You can enforce encryption using bucket policies. For example, you can deny s3:PutObject if the request does not include the x-amz-server-side-encryption header with a specific value. This is a common exam scenario: how to require encryption on uploads.
Performance: SSE-S3 and SSE-C have negligible performance impact because encryption happens at the S3 service level. SSE-KMS may introduce additional latency due to KMS API calls, especially if you exceed the KMS request rate limit.
Auditing: SSE-KMS provides CloudTrail events for every KMS API call (GenerateDataKey, Decrypt). SSE-S3 and SSE-C do not provide per-object key usage logs.
Cost: SSE-S3 is free. SSE-KMS charges per KMS request (typically $0.03 per 10,000 requests) and per key (if using a customer managed key, $1/month per key). SSE-C has no additional AWS cost, but you bear the key management overhead.
Interacting with Related Technologies
S3 Bucket Keys: For SSE-KMS, you can enable S3 Bucket Keys to reduce KMS request costs. When enabled, S3 uses a bucket-level key to generate data keys, reducing the number of KMS API calls. This is a recent feature and may appear on the exam.
S3 Object Lambda: You can use SSE-KMS with S3 Object Lambda to transform data on the fly while maintaining encryption.
AWS CloudTrail: For SSE-KMS, you can track who used which key to access objects.
AWS Config: You can use AWS Config rules to check that buckets have default encryption enabled or that specific encryption types are used.
Upload Object with SSE-S3
1. Client sends PUT request to S3 with `x-amz-server-side-encryption: AES256`. 2. S3 receives the request and generates a unique object encryption key. 3. S3 encrypts the object data using AES-256 with the object key. 4. S3 encrypts the object key with a regularly rotated master key (S3-managed). 5. S3 stores the encrypted object and the encrypted object key. 6. S3 returns HTTP 200 with ETag. The client never sees or manages any keys.
Download Object with SSE-S3
1. Client sends GET request. 2. S3 retrieves the encrypted object and encrypted object key. 3. S3 decrypts the object key using the master key. 4. S3 decrypts the object using the object key. 5. S3 returns the plaintext object to the client. Decryption is transparent.
Upload Object with SSE-KMS
1. Client sends PUT request with `x-amz-server-side-encryption: aws:kms` and optionally `x-amz-server-side-encryption-aws-kms-key-id: <key-id>`. 2. S3 calls KMS `GenerateDataKey` with the specified KMS key. 3. KMS returns a plaintext data key and an encrypted copy of the data key (ciphertext blob). 4. S3 encrypts the object with the plaintext data key using AES-256. 5. S3 discards the plaintext data key. 6. S3 stores the encrypted object and the encrypted data key (ciphertext blob). 7. S3 returns HTTP 200.
Download Object with SSE-KMS
1. Client sends GET request. 2. S3 retrieves the encrypted object and encrypted data key. 3. S3 calls KMS `Decrypt` with the encrypted data key. 4. KMS decrypts the data key and returns the plaintext data key. 5. S3 decrypts the object with the plaintext data key. 6. S3 discards the plaintext data key. 7. S3 returns the plaintext object. The client must have `kms:Decrypt` permission for the KMS key.
Upload Object with SSE-C
1. Client generates a 256-bit encryption key. 2. Client sends PUT request with headers: `x-amz-server-side-encryption-customer-algorithm: AES256`, `x-amz-server-side-encryption-customer-key: <base64-encoded-key>`, and `x-amz-server-side-encryption-customer-key-MD5: <base64-MD5-of-key>`. 3. S3 verifies the key's integrity by computing MD5 of the provided key and comparing to the MD5 header. 4. S3 encrypts the object using the provided key with AES-256. 5. S3 stores the encrypted object. S3 does NOT store the key. 6. S3 returns HTTP 200 with the ETag of the encrypted object.
Download Object with SSE-C
1. Client must provide the same encryption key used during upload. 2. Client sends GET request with headers: `x-amz-server-side-encryption-customer-algorithm: AES256`, `x-amz-server-side-encryption-customer-key: <base64-encoded-key>`, and `x-amz-server-side-encryption-customer-key-MD5: <base64-MD5-of-key>`. 3. S3 verifies the key's integrity. 4. S3 retrieves the encrypted object. 5. S3 decrypts the object using the provided key. 6. S3 returns the plaintext object. If the key is incorrect, S3 returns HTTP 400 Bad Request.
Enterprise Scenario 1: Healthcare Data with Compliance Requirements
A healthcare company stores patient records in S3. They must comply with HIPAA, which requires encryption of protected health information at rest. They choose SSE-KMS because it provides audit logs of every encryption/decryption operation via CloudTrail. They create a customer managed KMS key with a key policy that allows only specific IAM roles to use it. They enable S3 Bucket Keys to reduce KMS request costs, as they have millions of small objects. Misconfiguration: If they accidentally disable the KMS key, all access to objects encrypted with that key will fail (AccessDenied). They must ensure key rotation is enabled and that they have a backup plan (e.g., use multiple keys for different buckets).
Enterprise Scenario 2: Media Company with Shared Content
A media company shares large video files with external partners. They want encryption but do not want to manage keys for each partner. They use SSE-S3 because it is free and requires no key management. They enable default encryption on the bucket so all uploads are automatically encrypted. They use presigned URLs to grant temporary access. The encryption is transparent to partners. Performance is not an issue because encryption is handled by S3. Misconfiguration: If they set a bucket policy that requires SSE-KMS but uploads use SSE-S3, the uploads fail. They must ensure the bucket policy matches the encryption type.
Enterprise Scenario 3: Financial Services with Customer-Controlled Keys
A bank stores sensitive financial data and wants to maintain full control over encryption keys. They use SSE-C. They generate keys using their own hardware security modules (HSMs) and distribute keys to authorized applications via a secure key management system. They cannot use the AWS Management Console for uploads/downloads; they use the AWS SDK. They must handle key rotation carefully: when a key is rotated, they must re-encrypt all objects with the new key. Performance is acceptable, but they must ensure their key distribution system is highly available. Misconfiguration: If they lose the key, data is unrecoverable. They implement a key escrow service to backup keys. They also monitor S3 access logs to detect unauthorized access attempts.
What DVA-C02 Tests on S3 Encryption (Objective 2.3)
The exam focuses on your ability to differentiate between SSE-S3, SSE-KMS, and SSE-C, and to choose the appropriate option based on requirements like key control, auditing, cost, and performance. Specific areas:
- Identifying the correct encryption type given a scenario (e.g., need audit trail -> SSE-KMS; need to provide own key -> SSE-C; minimal management -> SSE-S3).
- Understanding headers: x-amz-server-side-encryption values: AES256 for SSE-S3, aws:kms for SSE-KMS. For SSE-C, the algorithm header is x-amz-server-side-encryption-customer-algorithm with value AES256.
- KMS request limits: SSE-KMS can hit KMS throttling at 5,500 requests per second (default). S3 Bucket Keys help reduce calls.
- Bucket policies to enforce encryption: Know how to write a policy that denies PutObject without the required encryption header.
- Default encryption: Can be SSE-S3 or SSE-KMS. Cannot be SSE-C.
- Console limitations: SSE-C cannot be used via the Console; only SDK, CLI, or REST API.
Common Wrong Answers and Why
Choosing SSE-S3 when audit is needed: SSE-S3 does not provide per-object key audit logs. Candidates pick SSE-S3 because it's free and simple, but the requirement for auditing forces SSE-KMS.
Choosing SSE-C for key management simplicity: SSE-C requires you to manage and provide keys with every request. Candidates think they can give AWS the key and forget it, but S3 does not store the key.
Thinking SSE-KMS always costs more: While there is a per-request cost, S3 Bucket Keys can reduce costs. Candidates may overestimate cost.
Confusing SSE-C with client-side encryption: SSE-C is still server-side; the key is used by S3 to encrypt/decrypt, not by the client. Client-side encryption means data is encrypted before sending to S3.
Specific Numbers and Terms
AES256 for SSE-S3, aws:kms for SSE-KMS.
KMS default request rate: 5,500 per second per CMK.
S3 Bucket Keys reduce KMS API calls by a factor of up to 99%.
SSE-C requires base64-encoded key and its MD5.
Default encryption cannot be SSE-C.
Edge Cases
Multipart uploads with SSE-C: You must provide the same encryption key for each part. S3 verifies the key using the MD5 hash.
Copying objects with SSE-C: When copying an object encrypted with SSE-C, you must provide the source key in the copy request (using x-amz-copy-source-server-side-encryption-customer-* headers) and optionally a destination key.
Pre-signed URLs with SSE-C: Pre-signed URLs cannot include the encryption key for security reasons; you must use SSE-S3 or SSE-KMS with pre-signed URLs.
How to Eliminate Wrong Answers
If the scenario mentions 'audit' or 'CloudTrail', eliminate SSE-S3 and SSE-C.
If the scenario says 'customer provides key' or 'key not stored by AWS', eliminate SSE-S3 and SSE-KMS.
If the scenario says 'minimal cost' or 'free', eliminate SSE-KMS (unless S3 Bucket Keys are mentioned).
If the scenario mentions 'compliance with key rotation' and 'customer managed', choose SSE-KMS (customer managed key).
SSE-S3 uses S3-managed keys (AES-256) and is free; set header `x-amz-server-side-encryption: AES256`.
SSE-KMS uses AWS KMS keys, provides audit via CloudTrail, and requires `x-amz-server-side-encryption: aws:kms`.
SSE-C requires customer-provided keys with every request; headers include algorithm, key, and MD5.
Default encryption can be SSE-S3 or SSE-KMS, but not SSE-C.
SSE-KMS may incur KMS throttling at 5,500 requests per second per CMK; S3 Bucket Keys mitigate this.
Bucket policies can enforce encryption by denying PutObject without required encryption headers.
SSE-C cannot be used with the AWS Management Console.
Multipart uploads with SSE-C require the same key for each part.
Pre-signed URLs cannot carry SSE-C keys; use SSE-S3 or SSE-KMS with pre-signed URLs.
Copying objects with SSE-C requires source and optional destination key headers.
These come up on the exam all the time. Here's how to tell them apart.
SSE-S3
Keys managed by S3, automatically rotated.
No additional cost.
No audit trail of key usage.
No separate permissions for encryption/decryption.
Simple to use; set header to AES256.
SSE-KMS
Keys managed by KMS, customer or AWS managed.
Per-request cost (KMS API calls).
CloudTrail audit of each KMS operation.
Fine-grained IAM permissions on key usage.
Supports envelope encryption; set header to aws:kms.
SSE-KMS
Keys stored and managed by AWS KMS.
Supports key rotation and auditing.
Can use S3 Bucket Keys to reduce costs.
Works with AWS Management Console.
Key permissions managed via KMS policies.
SSE-C
Keys provided by customer; not stored by AWS.
No built-in key rotation or audit (unless you implement separately).
No additional AWS cost for key usage.
Cannot use AWS Management Console.
Customer must provide key with every request.
Mistake
SSE-C means the client encrypts the data before sending to S3.
Correct
SSE-C is server-side encryption. The client provides the key, but S3 performs the encryption/decryption. Client-side encryption (CSE) is different; the client encrypts data before upload and decrypts after download.
Mistake
SSE-KMS is always more expensive than SSE-S3.
Correct
SSE-KMS has per-request costs, but with S3 Bucket Keys, the number of KMS API calls can be drastically reduced, making it cost-effective for many use cases. Also, for low-volume buckets, the cost may be negligible.
Mistake
You can use SSE-C with the AWS Management Console.
Correct
The AWS Management Console does not support SSE-C. You must use the AWS CLI, SDK, or REST API to upload/download objects with SSE-C.
Mistake
Default encryption on a bucket encrypts existing objects.
Correct
Default encryption only applies to new objects uploaded after enabling it. Existing objects remain unencrypted (or encrypted with their original method).
Mistake
SSE-S3 and SSE-KMS use the same encryption algorithm.
Correct
Both use AES-256, but the key management differs. SSE-S3 uses S3-managed keys; SSE-KMS uses KMS keys (customer or AWS managed).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
SSE-S3 uses S3-managed keys; it's free and simple but offers no audit. SSE-KMS uses AWS KMS keys; it provides auditing, fine-grained permissions, and envelope encryption but incurs per-request costs. SSE-C uses customer-provided keys; you supply the key with every request, and S3 does not store it. Choose based on your need for control, auditing, cost, and key management overhead.
Use a bucket policy with a condition that denies `s3:PutObject` if the `s3:x-amz-server-side-encryption` header is missing or not equal to the required value. For example, to require SSE-S3: `"Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}`. For SSE-KMS, use `"aws:kms"`. You can also require a specific KMS key by checking `s3:x-amz-server-side-encryption-aws-kms-key-id`.
No. Pre-signed URLs cannot include the encryption key headers because that would expose the key. If you need to grant temporary access to objects encrypted with SSE-C, you must use SSE-S3 or SSE-KMS instead, or use a different mechanism (e.g., provide the key out-of-band).
Yes. S3 Object Lambda can transform data for GET requests even when objects are encrypted with SSE-KMS. The transformation occurs after decryption. You need appropriate KMS permissions for the Lambda function.
If the KMS key is disabled, deleted, or its key policy revoked, you cannot decrypt objects encrypted with that key. AWS recommends enabling key rotation and using key policies that allow recovery. Deletion has a waiting period (7-30 days) during which you can cancel deletion.
You cannot change the encryption type in place. You must copy the object to itself (or a new location) with the desired encryption settings. Use the `aws s3 cp` command with `--sse` or `--sse-kms-key-id` flags. For SSE-C, you must provide the original key for decryption and a new key for encryption.
Yes, if the bucket has default encryption enabled, objects uploaded via pre-signed URLs are automatically encrypted with the default encryption method. However, the PUT request can override the default by specifying an encryption header.
You've just covered S3 Encryption: SSE-S3, SSE-KMS, SSE-C — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?