✅ Is SSE-S3 enabled by default?
Yes, as of January 2023, Amazon S3 automatically encrypts all new objects at rest using SSE-S3.
So if you simply upload files to an S3 bucket without specifying any encryption settings, SSE-S3 will be applied automatically, and each object will be encrypted with a unique key.
🔐 No additional configuration is required.
🔄 When should you use SSE-KMS instead of SSE-S3?
Use SSE-KMS (Server-Side Encryption with AWS Key Management Service) when you need:
### Tighter key control
- You want to control which IAM users or roles can use specific keys.
- You need different KMS keys (CMKs) for different types of data or applications.
### Auditability
- You want detailed CloudTrail logs showing each time your key is used to encrypt or decrypt data.
### Separation of duties / compliance
- You have regulatory or internal policies requiring centralized key management.
- You want to rotate keys yourself or define key policies.
### Custom key policies
- You need to allow only specific services or users to use certain keys.
- You want to implement fine-grained access control on the encryption keys.
### Multi-region or multi-account key sharing
- You want to share encrypted data across AWS accounts or regions using KMS keys with specific policies.
💡 Summary Table:
| Feature | SSE-S3 | SSE-KMS |
|---|---|---|
| Automatically enabled? | ✅ Yes (as of Jan 2023) | ❌ No (must be specified per object) |
| Unique key per object? | ✅ Yes | ✅ Yes (data key per object, CMK reused) |
| Central key management (KMS)? | ❌ No | ✅ Yes |
| Fine-grained access control? | ❌ No | ✅ Yes |
| CloudTrail audit logs for key usage? | ❌ No | ✅ Yes |
| Per-request KMS charge? | ❌ No | ✅ Yes |
| Best for | Simple, secure storage | Compliance-heavy, high-control use cases |
✅ Use SSE-S3 when:
- You want strong encryption with minimal setup or cost.
- You don’t need detailed audit logs or strict key control.
✅ Use SSE-KMS when:
- You need auditability, access control, or compliance features.
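An added example, not code from the original post, that turns the comparison table and the auditability point above into checks you can run: it classifies constructed `HeadObject` responses by encryption mode, builds the `PutBucketEncryption` document for either default, and counts per-key usage from constructed CloudTrail records. The key ARN, account id and role ARNs are placeholders, and no AWS calls are made.

```python
"""Audit helpers for the SSE-S3 / SSE-KMS comparison above (constructed data, no AWS calls)."""
from collections import Counter
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder key ARN

# Constructed HeadObject responses; field names follow the S3 API response shape.
SAMPLE_OBJECTS = {
    "report.csv": {"ServerSideEncryption": "AES256"},                      # SSE-S3 (the default)
    "secrets.json": {"ServerSideEncryption": "aws:kms",                    # SSE-KMS
                     "SSEKMSKeyId": KEY_ARN, "BucketKeyEnabled": True},
    "legacy.bin": {},                                                       # pre-2023 upload, no SSE header
}

def classify_sse(head):
    """Map the ServerSideEncryption field of a HeadObject response to the mode names used in the tables."""
    sse = head.get("ServerSideEncryption")
    return {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}.get(sse, "none")

def find_noncompliant(objects, required):
    """Object keys whose mode differs from the one a policy requires (e.g. SSE-KMS for regulated data)."""
    return sorted(k for k, h in objects.items() if classify_sse(h) != required)

def default_encryption_rule(kms_key_arn=None, bucket_key=True):
    """Build the ServerSideEncryptionConfiguration document used by PutBucketEncryption.
    No key ARN -> SSE-S3 (what S3 applies anyway since Jan 2023); with a key ARN -> SSE-KMS,
    enabling an S3 Bucket Key so most per-request KMS calls (and charges) are avoided."""
    if kms_key_arn is None:
        return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                            "KMSMasterKeyID": kms_key_arn},
                       "BucketKeyEnabled": bucket_key}]}

# Constructed CloudTrail records: reads/writes of SSE-KMS objects surface as KMS API events.
SAMPLE_CLOUDTRAIL = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/analyst"}, "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/uploader"}, "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",          # an SSE-S3 read leaves only this
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/analyst"}, "resources": []},
]

def kms_key_usage(records):
    """Count (key ARN, principal, KMS API) triples: the per-key audit trail SSE-S3 cannot provide."""
    usage = Counter()
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        for res in r.get("resources", []):
            usage[(res["ARN"], r["userIdentity"]["arn"], r["eventName"])] += 1
    return usage
```

With real data, feed `find_noncompliant` the `head_object` responses of a bucket listing and `kms_key_usage` the records from a CloudTrail lookup or S3-delivered log file.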
"Configure a single Amazon S3 bucket to hold all data. Use server-side encryption with Amazon S3 managed keys (SSE-S3) to encrypt the data."
Here's why this is the correct approach:
✅ SSE-S3 Automatically Uses a Unique Key per Object
When you use Server-Side Encryption with Amazon S3 managed keys (SSE-S3):
- Each object is automatically encrypted with a unique key, generated by Amazon.
- These unique keys are themselves encrypted with a master key that Amazon rotates regularly.
- No need to manually split the data or manage encryption keys individually.
- This provides strong security with minimal operational overhead.
This directly satisfies the requirement:
"...a technique to encrypt each file with a different encryption key to provide maximum security to the migrated on-premises data."
— and does so without requiring extra complexity.
While it is technically possible to use SSE-KMS with a unique encryption context per object, there are several reasons why it’s not the preferred choice for this scenario:
❌ KMS does not generate a new KMS key per object
- When you use SSE-KMS, the same KMS key (CMK) is typically used to encrypt the data keys for each object.
- While encryption contexts help enforce fine-grained access control, they do not result in a different CMK or fundamentally different keys per object.
Summary:
| Feature | SSE-S3 ✅ | SSE-KMS ❌ |
|---|---|---|
| Different key per object | ✅ Yes | ❌ Same CMK, different data key |
| Simplicity and low overhead | ✅ Very simple | ❌ More complex, must manage encryption context |
| Cost effectiveness | ✅ No extra cost per object | ❌ Per-request KMS charges |
| Fits the use case | ✅ Perfectly | ❌ Overengineered for the need |