How to encrypt S3 (how it works)

S3 can be configured to use either of the following encryption methods:

  • Encryption using KMS
  • S3's own encryption (server-side encryption)


When using KMS for encryption

AWS KMS is a managed service for creating and managing encryption keys.

Although KMS is a managed service, users must create and manage the keys on KMS themselves.

In addition, if encryption is done using AWS KMS, the user must have permission to decrypt with the AWS KMS key.



When using server-side encryption

When server-side encryption is enabled, Amazon S3 encrypts objects before storing them on disk in the data center, and the S3 side automatically decrypts each object when it is downloaded.


What about access logs?

When server-side encryption with encryption keys is enabled for an S3 bucket, each access log file is automatically encrypted before being stored in the S3 bucket and decrypted upon access.

Logs are also automatically encrypted, so there is no need to set up separate encryption for them in the S3 bucket.


S3 encryption method

When activating S3 default encryption, you can choose either the SSE-S3 or the SSE-KMS encryption method.



  • Server-side encryption.
  • Encrypts data using the 256-bit Advanced Encryption Standard (AES-256).
  • SSE-S3 performs S3 encryption and decryption automatically; its disadvantage is that it does not provide an audit trail of key usage.



  • No need to manage encryption keys
  • No additional charges
  • No need to consider API call restrictions



Server-side encryption with a Customer Master Key (CMK) stored in KMS.

Additional charges apply.

SSE-KMS provides encryption key management functions as a managed service.

CMK users can be tracked and logged.

Audit trail logs can be obtained through CloudTrail, so SSE-KMS is used when a trail is required.

You can create and manage customer-managed CMKs, or use AWS managed CMKs specific to users, services, and regions.


Client Side Encryption (CSE)

An encryption method that requires the user to manage the encryption key.

Users encrypt objects with their own encryption keys and store the encrypted objects in S3; the generation and management of the encryption keys is performed by the client.




  • An encryption method where users create their own encryption key and import it to the AWS side for use.
  • S3 manages encryption when writing to disk and decryption when accessing objects.


Bucket policy (encryption of buckets)

Amazon S3 evaluates and applies the bucket policy first; bucket encryption is applied only after that.

Even if the bucket encryption setting is enabled, if there is a bucket policy that rejects PUT requests without encryption information, such a PUT request will be rejected and the data will not be stored, encrypted, in S3.
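
The ordering described above, as an added example that is not part of the original article and is not AWS code: a simplified Python model of one PUT passing through the bucket policy first and default encryption second. The bucket name `example-bucket`, the policy itself and the helpers `condition_matches` and `put_object` are constructed for illustration, and only the `Null` and `StringNotEquals` condition operators are modelled.

```python
# Added example: simplified model of S3 PUT handling, not AWS code.
# The bucket policy is evaluated first, default encryption second.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_CONDITION_KEY = "s3:" + SSE_HEADER

# Constructed policy: deny uploads with no SSE header, or with a non-KMS one.
DENY_UNENCRYPTED_PUT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {SSE_CONDITION_KEY: "true"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: "aws:kms"}}},
    ],
}


def condition_matches(condition, headers):
    """Evaluate only the two operators used above (Null, StringNotEquals)."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            value = headers.get(key.split(":", 1)[1])
            if operator == "Null":
                if (value is None) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                # A key missing from the request also satisfies a negated operator.
                if value == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def put_object(headers, policy, default_encryption):
    """Return (accepted, encryption applied at rest) for one PUT request."""
    # Step 1: bucket policy. A matching explicit Deny ends the request here.
    for stmt in policy.get("Statement", []):
        if (stmt["Effect"] == "Deny" and stmt["Action"] == "s3:PutObject"
                and condition_matches(stmt.get("Condition", {}), headers)):
            return (False, None)
    # Step 2: only now does default encryption fill in a missing SSE header.
    return (True, headers.get(SSE_HEADER, default_encryption))
```

With this policy in place, clients must send the `x-amz-server-side-encryption` header themselves; default encryption never gets the chance to add it for them.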


Default encryption encrypts every object stored in the specified bucket. It cannot be limited to a range within a bucket.


If the encryption key for SSE-KMS is not specified, the encryption setting itself is not activated.

