Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in AWS CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the AWS Command Line Interface and AWS SDKs. For more information, see Default encryption FAQ.
Server-side encryption is the encryption of data at its destination by the application or service that receives it. Amazon S3 encrypts your data at the object level as it writes it to disks in AWS data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects by using a presigned URL, that URL works the same way for both encrypted and unencrypted objects. Additionally, when you list objects in your bucket, the list API operations return a list of all objects, regardless of whether they are encrypted.
All Amazon S3 buckets have encryption configured by default, and all new objects that are uploaded to an S3 bucket are automatically encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3. To use a different type of encryption, you can either specify the type of server-side encryption to use in your S3 PUT requests, or you can update the default encryption configuration in the destination bucket.
If you want to specify a different encryption type in your PUT requests, you can use server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS), dual-layer server-side encryption with AWS KMS keys (DSSE-KMS), or server-side encryption with customer-provided keys (SSE-C). If you want to set a different default encryption configuration in the destination bucket, you can use SSE-KMS or DSSE-KMS.
For more information about changing the default encryption configuration for your general purpose buckets, see Configuring default encryption.
When you change the default encryption configuration of your bucket to SSE-KMS, the encryption type of the existing Amazon S3 objects in the bucket is not changed. To change the encryption type of your pre-existing objects after updating the default encryption configuration to SSE-KMS, you can use Amazon S3 Batch Operations. You provide S3 Batch Operations with a list of objects, and Batch Operations calls the respective API operation. You can use the Copy objects action to copy existing objects, which writes them back to the same bucket as SSE-KMS encrypted objects. A single Batch Operations job can perform the specified operation on billions of objects. For more information, see Performing object operations in bulk with Batch Operations and the AWS Storage Blog post How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations.
You can't apply different types of server-side encryption to the same object simultaneously.
If you need to encrypt your existing objects, use S3 Batch Operations and S3 Inventory. For more information, see Encrypting objects with Amazon S3 Batch Operations and Performing object operations in bulk with Batch Operations.
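The re-encryption workflow described above (S3 Inventory report in, Batch Operations copy manifest out) as an added example; this is not code from the Amazon S3 documentation or an AWS tool. The bucket name, the `fileSchema` column list and the four inventory rows are constructed sample data. It keeps the note's two constraints in view: objects already at the target type are left alone, and SSE-C objects are reported rather than queued, because a copy can only read them when the customer-provided key is supplied for the source.

```python
import csv
import io
import urllib.parse

# Constructed stand-in for an S3 Inventory CSV report. Inventory CSV files carry
# no header row; the column order comes from "fileSchema" in the report's manifest.json.
FILE_SCHEMA = "Bucket, Key, Size, EncryptionStatus"
INVENTORY_CSV = (
    '"amzn-s3-demo-bucket","reports/q1%202024.csv","1024","SSE-S3"\n'
    '"amzn-s3-demo-bucket","reports/q2.csv","2048","SSE-KMS"\n'
    '"amzn-s3-demo-bucket","legacy/old.bin","4096","NOT-SSE"\n'
    '"amzn-s3-demo-bucket","secret/key.bin","512","SSE-C"\n'
)


def parse_inventory(file_schema, csv_text):
    """Turn inventory CSV records into dicts keyed by the schema's column names."""
    columns = [c.strip() for c in file_schema.split(",")]
    rows = []
    for record in csv.reader(io.StringIO(csv_text)):
        if not record:
            continue
        row = dict(zip(columns, record))
        # Inventory URL-encodes object keys; decode before doing anything with them.
        row["Key"] = urllib.parse.unquote(row["Key"])
        rows.append(row)
    return rows


def select_for_reencryption(rows, target="SSE-KMS"):
    """Split rows into objects a Batch Operations copy can re-encrypt and those it cannot."""
    todo, skipped = [], []
    for row in rows:
        status = row.get("EncryptionStatus")
        if status == target:
            continue  # already what the new bucket default produces
        if status == "SSE-C":
            # The copy source is only readable with the customer-provided key,
            # so these need a separate key-aware pass instead of the bulk copy.
            skipped.append(row)
            continue
        todo.append(row)  # SSE-S3, DSSE-KMS or NOT-SSE: a plain copy re-encrypts them
    return todo, skipped


def batch_manifest(rows):
    """CSV manifest for S3 Batch Operations: one bucket,key line per object, key URL-encoded."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in rows:
        writer.writerow([row["Bucket"], urllib.parse.quote(row["Key"], safe="/")])
    return out.getvalue()


def plan(file_schema=FILE_SCHEMA, csv_text=INVENTORY_CSV, target="SSE-KMS"):
    """Parse an inventory report and return the manifest plus what was skipped."""
    rows = parse_inventory(file_schema, csv_text)
    todo, skipped = select_for_reencryption(rows, target)
    return {
        "manifest": batch_manifest(todo),
        "queued": len(todo),
        "skipped": [r["Key"] for r in skipped],
    }


if __name__ == "__main__":
    result = plan()
    print(result["manifest"], end="")
    print(f"# queued {result['queued']}, skipped {result['skipped']}")
```

The manifest goes to a bucket the Batch Operations job role can read; the job itself is created with the Copy operation targeting the same bucket with SSE-KMS as the new object encryption. After the job completes, regenerate the inventory and run the same plan again: a clean run returns an empty manifest, which is the check that nothing was missed.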
When storing data in Amazon S3 you have four mutually exclusive options for server-side encryption, depending on how you choose to manage the encryption keys and the number of encryption layers that you want to apply.
All Amazon S3 buckets have encryption configured by default. The default option for server-side encryption is with Amazon S3 managed keys (SSE-S3). Each object is encrypted with a unique key. As an additional safeguard, SSE-S3 encrypts the key itself with a root key that it regularly rotates. SSE-S3 uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. For more information, see Using server-side encryption with Amazon S3 managed keys (SSE-S3).
Server-side encryption with AWS KMS keys (SSE-KMS) is provided through an integration of the AWS KMS service with Amazon S3. With AWS KMS, you have more control over your keys. For example, you can view separate keys, edit control policies, and follow the keys in AWS CloudTrail. Additionally, you can create and manage customer managed keys or use AWS managed keys that are unique to you, your service, and your Region. For more information, see Using server-side encryption with AWS KMS keys (SSE-KMS).
Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) is similar to SSE-KMS, but DSSE-KMS applies two individual layers of object-level encryption instead of one layer. Because both layers of encryption are applied to an object on the server side, you can use a wide range of AWS services and tools to analyze data in S3 while using an encryption method that can satisfy your compliance requirements. For more information, see Using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS).
With server-side encryption with customer-provided keys (SSE-C), you manage the encryption keys, and Amazon S3 manages the encryption as it writes to disks and the decryption when you access your objects. For more information, see Using server-side encryption with customer-provided keys (SSE-C).
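The two ways of selecting an encryption type (per-request PUT headers, or a bucket default) and the four mutually exclusive options above, as an added example that is not code from the Amazon S3 documentation or an AWS SDK. It builds the `x-amz-server-side-encryption*` request headers for each option and the `ServerSideEncryptionConfiguration` body that PutBucketEncryption takes, and refuses the combinations the text rules out: one type per object, and SSE-C never as a bucket default, because S3 holds no customer key to apply. The KMS key ARN and the 32-byte SSE-C key are placeholders; the helper names are this example's own.

```python
import base64
import hashlib

# x-amz-server-side-encryption values used by PutObject and PutBucketEncryption
ALGORITHM = {"SSE-S3": "AES256", "SSE-KMS": "aws:kms", "DSSE-KMS": "aws:kms:dsse"}


def put_object_sse_headers(mode, kms_key_id=None, customer_key=None):
    """Headers that select exactly one server-side encryption type for a single PUT.

    mode is SSE-S3, SSE-KMS, DSSE-KMS or SSE-C. The four are mutually exclusive,
    so only one family of x-amz-* headers is ever emitted.
    """
    if mode == "SSE-C":
        if not isinstance(customer_key, bytes) or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte (AES-256) key")
        # S3 never stores the key; the MD5 lets it reject a key corrupted in transit.
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(
                hashlib.md5(customer_key).digest()
            ).decode(),
        }
    if mode not in ALGORITHM:
        raise ValueError(f"unknown mode {mode!r}")
    headers = {"x-amz-server-side-encryption": ALGORITHM[mode]}
    if mode == "SSE-S3":
        if kms_key_id:
            raise ValueError("SSE-S3 takes no KMS key; pick SSE-KMS or DSSE-KMS")
        return headers
    if kms_key_id:
        # Omitting the key ID falls back to the AWS managed key (aws/s3) in the Region.
        headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
    return headers


def sse_c_key_matches(headers, customer_key):
    """Recompute the SSE-C key and key-MD5 headers for customer_key and compare."""
    expected = put_object_sse_headers("SSE-C", customer_key=customer_key)
    return all(headers.get(k) == v for k, v in expected.items())


def default_encryption_config(mode, kms_key_id=None, bucket_key_enabled=True):
    """ServerSideEncryptionConfiguration body for PutBucketEncryption.

    Only SSE-S3, SSE-KMS and DSSE-KMS can be a bucket default.
    """
    if mode == "SSE-C":
        raise ValueError("SSE-C cannot be a bucket default: S3 holds no key to apply")
    if mode not in ALGORITHM:
        raise ValueError(f"unknown mode {mode!r}")
    by_default = {"SSEAlgorithm": ALGORITHM[mode]}
    if mode != "SSE-S3" and kms_key_id:
        by_default["KMSMasterKeyID"] = kms_key_id
    rule = {"ApplyServerSideEncryptionByDefault": by_default}
    if mode == "SSE-KMS":
        # S3 Bucket Keys cut the number of KMS requests (and their cost) for SSE-KMS.
        rule["BucketKeyEnabled"] = bucket_key_enabled
    return {"Rules": [rule]}


if __name__ == "__main__":
    # Placeholder identifiers, not real resources.
    key_arn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(put_object_sse_headers("DSSE-KMS", kms_key_id=key_arn))
    print(put_object_sse_headers("SSE-C", customer_key=b"0123456789abcdef0123456789abcdef"))
    print(default_encryption_config("SSE-KMS", kms_key_id=key_arn))
```

The per-request headers win over the bucket default for that one object, which is why an audit of a bucket cannot stop at its default configuration: an uploader with PutObject permission can still choose SSE-S3 or SSE-C unless a bucket policy denies requests whose `x-amz-server-side-encryption` header is not the expected value.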
When you use S3 access points attached to Amazon FSx file systems, you have one option for server-side encryption.
All Amazon FSx file systems have encryption configured by default and are encrypted at rest with keys managed using AWS Key Management Service. Data is automatically encrypted and decrypted by the file system as it is written to and read from the file system. These processes are handled transparently by Amazon FSx.