AWSGlossary

Amazon S3 Encryption: What It Is and When to Use It

Definition

Amazon S3 Encryption refers to the family of mechanisms S3 uses to keep your data unreadable to anyone without the right key. S3 always encrypts data at rest (this has been the default for all new uploads since January 2023), but you choose which key system manages the encryption keys and where encryption happens. The four server-side options are SSE-S3, SSE-KMS, SSE-C, and DSSE-KMS, plus a client-side option where you encrypt before upload. Choosing the right mode affects cost, auditability, cross-account access, and regulatory posture — it is one of the most commonly misconfigured areas of S3 and one of the most frequently tested on AWS exams.

How It Works

All four server-side options use AES-256 symmetric encryption; they differ only in who manages the key:

  • SSE-S3 — S3 generates, manages, and rotates the data encryption key (DEK) for you. The key never leaves AWS, and you cannot audit individual uses. This is the default for new buckets since 2023.
  • SSE-KMS — the DEK is wrapped by an AWS KMS key (formerly CMK). Every PUT and GET produces a KMS GenerateDataKey / Decrypt API call, which is logged in CloudTrail and billed at KMS rates ($0.03 per 10,000 calls). KMS keys can be AWS-managed (aws/s3) or customer-managed (your own CMK with your own key policy).
  • SSE-C — you supply the encryption key with every request (in a header). S3 encrypts/decrypts on your behalf but discards the key immediately; you are responsible for key management.
  • DSSE-KMS (Dual-Layer SSE) — applies two independent layers of server-side encryption, one with KMS and one with S3's internal key. Designed for workloads needing dual-layer / FIPS-like controls, and required by some US government compliance frameworks.
  • Client-side encryption (CSE) — you encrypt the object before upload using the AWS Encryption SDK or a custom scheme. S3 sees only ciphertext. Combined with KMS or externally managed keys for data-at-rest-and-in-motion protection.

All methods can be combined with TLS for encryption in transit, enforced via bucket policies that deny requests lacking aws:SecureTransport = true.

Key Features and Limits

  • Default bucket encryption — every new bucket since Jan 2023 defaults to SSE-S3. You can change the default to SSE-KMS or DSSE-KMS at any time; subsequent writes pick up the new default if not overridden by the request.
  • S3 Bucket Keys — when enabled, S3 caches a bucket-level KMS data key, reducing KMS API calls (and therefore KMS cost) by up to 99% for SSE-KMS. Highly recommended for busy buckets.
  • Override per request — clients can specify x-amz-server-side-encryption headers to pick a method per object, overriding the bucket default.
  • Require specific encryption — bucket policies can deny PUT requests that do not set a specific header (e.g., deny if s3:x-amz-server-side-encryption != aws:kms).
  • Cross-account — SSE-KMS with a customer-managed key (CMK) lets you grant cross-account decrypt rights via the key policy.
  • SSE-C requirements — requests must be sent over HTTPS; S3 does not log or store the key you supply.
  • Compliance — DSSE-KMS meets CNSA 2.0 and NSA "two independent layers" guidance.

Common Use Cases

  1. Default protection — SSE-S3 for general-purpose buckets without per-object audit needs.
  2. Audited, regulated data — SSE-KMS with a customer-managed CMK for CloudTrail visibility into every decrypt.
  3. Cross-account sharing — SSE-KMS with a CMK whose key policy grants kms:Decrypt to other accounts.
  4. Dual-layer encryption — DSSE-KMS for US government classifications and CNSA 2.0 frameworks.
  5. Customer-owned keys (BYOK) — SSE-C for organizations that must retain keys off-AWS.
  6. End-to-end encryption — client-side encryption via the AWS Encryption SDK + KMS.

Pricing Model

  • SSE-S3 — free (no additional charge beyond normal S3 storage and request fees).
  • SSE-KMS — KMS usage fees: $1/month per customer-managed key, $0.03 per 10,000 GenerateDataKey / Decrypt requests. With Bucket Keys enabled, KMS request volume drops ~99%, typically reducing SSE-KMS overhead to cents per month.
  • SSE-C — free aside from normal S3 fees.
  • DSSE-KMS — KMS fees plus a small additional S3 storage and request charge to cover the second encryption layer.
  • Client-side encryption — no S3 surcharge; you pay for KMS calls in your client.

Cost pitfall: a heavy SSE-KMS bucket without Bucket Keys can generate millions of KMS calls per day, costing more than the underlying S3 storage. Enabling Bucket Keys is usually a one-click fix.

Pros and Cons

Pros

  • AES-256 encryption at rest is automatic — you cannot accidentally store unencrypted objects since 2023.
  • SSE-KMS offers fine-grained per-request audit and access control.
  • Bucket Keys make KMS affordable at scale.
  • Cross-account and cross-Region encryption scenarios are well-supported.
  • DSSE-KMS addresses the strictest regulatory postures with a single checkbox.

Cons

  • SSE-KMS adds per-request cost and a KMS throttle (default 5,500–30,000 requests/sec depending on key type and Region).
  • SSE-C key management is 100% your responsibility — losing the key means losing the data.
  • DSSE-KMS storage and request costs are higher.
  • Mixing encryption modes inside one bucket makes access policies harder to reason about.
  • Client-side encryption adds application complexity; debugging mismatched keys is painful.

Comparison with Alternatives

| Mode | Key Owner | Audit per Object | Cost | Typical Use | | --- | --- | --- | --- | --- | | SSE-S3 | AWS (S3) | No | Free | Default for general buckets | | SSE-KMS (AWS-managed) | AWS (aws/s3) | Yes (CloudTrail) | Per-request | Audited workloads, single account | | SSE-KMS (Customer-managed CMK) | You | Yes (CloudTrail) | Per-request + $1/key/month | Cross-account, fine-grained access | | DSSE-KMS | You + AWS | Yes (CloudTrail) | Higher | Government / CNSA 2.0 | | SSE-C | You (you send the key) | No | Free | BYOK, off-AWS key store | | Client-side | You | N/A (S3 sees ciphertext) | Free + client KMS | End-to-end, zero-trust vs AWS |

Exam Relevance

  • Solutions Architect Associate (SAA-C03) — pick the right encryption mode for a given compliance or cross-account requirement. SSE-KMS with a customer-managed key is the go-to for "cross-account + audit" scenarios. Remember default encryption since 2023.
  • Developer Associate (DVA-C02) — request-level headers (x-amz-server-side-encryption, x-amz-server-side-encryption-aws-kms-key-id), KMS key policy wiring, Bucket Keys.
  • Security Specialty (SCS-C02) — DSSE-KMS vs SSE-KMS, KMS grants, cross-account KMS access patterns, enforcing TLS via bucket policy, VPC endpoints with resource policies.

Classic exam trap: a question says "decrypt operations are costing too much" — the answer is almost always enable S3 Bucket Keys. Another: "cross-account access with audit" — the answer is SSE-KMS with a customer-managed CMK, not SSE-S3.

Frequently Asked Questions

Q: What is the difference between SSE-S3 and SSE-KMS?

A: Both use AES-256 and both store ciphertext in S3, but SSE-S3 uses keys fully managed by S3 (invisible to you, no audit trail, free), while SSE-KMS uses a KMS key you can audit and control via key policies. SSE-KMS adds per-request KMS charges and enables fine-grained access control — essential for regulated and cross-account workloads. Enable S3 Bucket Keys to cut SSE-KMS request costs by up to 99%.

Q: When should I use SSE-C instead of SSE-KMS?

A: Use SSE-C only when you must keep encryption keys completely outside AWS — for example, keys held in an on-premises HSM or a third-party KMS that cannot federate with AWS KMS. SSE-C requires you to send the key in every request, gives you no audit, and puts full key-loss risk on you. For most workloads, SSE-KMS with a customer-managed key is the better choice.

Q: Do I still need to enable encryption on new S3 buckets?

A: Since January 2023, Amazon S3 applies SSE-S3 encryption by default to every new object in every bucket. You do not need to do anything to get at-rest encryption. You may still want to change the default to SSE-KMS (for audit and cross-account control) or DSSE-KMS (for regulatory dual-layer requirements), and you should enforce TLS in transit via a bucket policy that denies aws:SecureTransport = false.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official S3 encryption documentation before making production decisions.

Published: 4/17/2026 / Updated: 4/17/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Storage

S3 vs EFS: Object Storage or Shared File System? (2026 Comparison)

Amazon S3 vs EFS compared: object storage API vs NFS file system, durability, pricing per GB, when to pick each, and how Lambda, EC2, and ECS access them.

S3 Select: Query Data in S3 Objects with SQL

Amazon S3 Select lets you retrieve data subsets from S3 objects using SQL. Improve performance and cut costs by querying data directly. Learn when to use it.

S3 Access Points: Simplify Data Access at Scale

Amazon S3 Access Points offer unique network endpoints with dedicated policies to manage data access for shared datasets. Learn how they simplify complex bucket policies. See use cases.

AWS DataSync: Accelerate Data Transfer to AWS

AWS DataSync is a secure, online data transfer service that simplifies and automates moving large amounts of data to AWS Storage. Learn how it works and when to use it.

AWS Snowmobile: Exabyte-Scale Data Transfer Explained

AWS Snowmobile was an exabyte-scale data transfer service for moving massive data. Learn its historical use cases and alternatives.

View all Storage terms →