When to Use Amazon S3 Server Side Encryption

By Rich

This week Amazon announced that S3 now supports server side encryption. You can encrypt S3 items through either the API or web management console, or you can require encryption for S3 buckets. A few details:

  1. They manage the keys. This is full transparent AES-256 encryption, and you only manage the access controls.
  2. Encryption is at the object level, not the bucket level. You can set a policy to require any uploads into a bucket to be encrypted.
  3. You can manage it via API or the AWS Management Console.

It’s interesting, but from a security perspective only protects you from one thing – hard drives lost or stolen from Amazon.

Going back to my Three Laws of Data Encryption, you would use this if you are worried about lost/stolen drives or if someone says you have to encrypt. It doesn’t protect from hacking attacks or anything like that. Client-side encryption is more important for improving security.

This isn’t really much of a security play, but it’s a big assurance/compliance play. Since I like bullet lists and clear advice, you should use S3 server side encryption:

  1. If you are required to encrypt data at rest, and said requirement does not also require you to segregate keys from Amazon.
  2. You want to market that you are encrypting the data, but still don’t have a requirement to lock out Amazon.

That’s about it. If you are worried about drive loss/theft it’s probably due to a compliance or disclosure requirement, and so I recommend client side encryption instead, for its greater security benefit.

This is a checkbox. Sometimes you need them, but if security is that important you have other options which should be higher priority.

No Related Posts

Rich, I think you missed a quite useful and important use case. If you are an ISV using AWS as your PaaS provider S3 encryption of your customer’s data transfers key management risk from your organization to Amazon. If your customers are already trusting AWS then this is a good option.  In fact, in that scenario client-side encryption may not even be possible.

Also, you are assuming that AWS internal security isn’t compartmentalized and thus having AWS encrypt your data and giving them key management does not improve security over giving them plain data but that is not necessarily the case.

By ivan

Great post Rich,
in addition to client-side encryption, there is at least another viable option: The Porticor S3 encryption + key management approach allows end users to manage their keys in the public cloud while keeping them secured and invisible from the cloud provider or anyone else for that matter. The concept is often allude to as the “Swiss banker approach” and it is explained in details on the following white paper:

Best regards,

By Ariel Dan

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.