Introduction
When you need to upload or download objects to or from an Amazon S3 bucket securely, you can use the HTTPS protocol via the SSL-encrypted endpoints. In addition, Amazon S3 can automatically encrypt your data before saving it to disk in its data centers in a region, and decrypt it when you download it, using server-side encryption (SSE). Alternatively, you can use client libraries to encrypt your data before sending it to Amazon S3, which is client-side encryption.
With either server-side or client-side encryption, you access encrypted data the same way you access unencrypted data; the two differ in the options they offer for managing the encryption key. The following figure shows how data is encrypted using server-side and client-side encryption.
Server-side encryption provides three options to manage the encryption key:
SSE with Amazon S3 key management (SSE-S3)
SSE with AWS KMS (SSE-KMS)
SSE with customer-provided keys (SSE-C)
Client-side encryption provides two options to manage encryption keys...