
SSE-KMS and FIPS validation - is the default s3 key also FIPS validated? Or is a CMK the only FIPS validated option?

0

I have only recently noticed that when you go into create an S3 bucket and select SSE-KMS it allows you to choose the default S3 KMS key or use your own KMS key. Unless I am mistaken, the default S3 key is the same key that SSE-S3 is using? Am I right about that? I am just concerned about ensuring my S3 buckets are configured with the FIPS validated encryption option. I know that SSE-S3 is not FIPS validated so my assumption was just that if the same key is being used then my only option for SSE-KMS would be to use my own KMS key.

2 Answers
1
Accepted Answer

Sorry for the misunderstanding; I hope this can help.

SSE-S3 refers to the default encryption that Amazon S3 applies to all new object uploads using an automatically managed key. With SSE-S3, Amazon handles the encryption, key management, and key protection.

The AWS/s3 key refers to the default KMS key that is used for server-side encryption if a specific customer-managed key is not specified. Like SSE-S3, it uses a key managed by AWS KMS but gives you more control over access since it is associated with your AWS account.

Two "key" differences are:

  • SSE-S3 is fully managed by Amazon S3 while aws/s3 gives you control by associating the encryption with your AWS account.

  • Objects encrypted with the aws/s3 key can be accessed based on the IAM policies associated with your AWS account.

answered 2 years ago
EXPERT
reviewed 2 years ago
  • Hmm, that makes sense to me but it does sound like the bottom line would be that as far as FIPS validation is concerned SSE-S3 and SSE-KMS using that aws/s3 key SHOULD run into the same issue since it is using that same key. But if you use SSE-KMS with a CMK then you would be able to comply with FIPS 140-2 validation for compliance purposes.

  • If FIPS compliance and being in control of your encryption key is important to you, then you should use SSE-KMS and CMK.
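The distinction the thread arrives at (SSE-KMS with a customer managed key rather than SSE-S3 or the aws/s3 key) can be turned into a bucket inventory check. The following is an added example, not code from the thread or from AWS; it classifies responses in the shape boto3's `s3.get_bucket_encryption()` returns, and the `KEY_MANAGER` table and `SAMPLE_BUCKETS` are constructed stand-ins for the real `kms.describe_key()` lookup and for real buckets.

```python
from typing import Callable, Dict, Optional

# Constructed stand-in for kms.describe_key()["KeyMetadata"]["KeyManager"]:
# "AWS" = AWS managed key such as aws/s3, "CUSTOMER" = customer managed key.
KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/cmk-example": "CUSTOMER",
}

def classify_bucket_encryption(config: Dict,
                               key_manager: Callable[[str], Optional[str]] = KEY_MANAGER.get) -> str:
    """Map a get_bucket_encryption() response to SSE-S3, SSE-KMS/aws-managed, SSE-KMS/CMK or UNKNOWN."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "UNKNOWN"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    alg = default.get("SSEAlgorithm")
    if alg == "AES256":
        return "SSE-S3"
    if alg not in ("aws:kms", "aws:kms:dsse"):
        return "UNKNOWN"
    key_id = default.get("KMSMasterKeyID")
    # An aws:kms rule with no key ID makes S3 fall back to the aws/s3 key.
    if not key_id or key_id.endswith("alias/aws/s3"):
        return "SSE-KMS/aws-managed"
    manager = key_manager(key_id)
    if manager == "CUSTOMER":
        return "SSE-KMS/CMK"
    return "SSE-KMS/aws-managed" if manager == "AWS" else "UNKNOWN"

def _config(alg: str, key_id: Optional[str] = None) -> Dict:
    """Build a constructed response in the shape boto3's get_bucket_encryption() returns."""
    default = {"SSEAlgorithm": alg}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration":
            {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}

# Constructed sample buckets: SSE-S3, SSE-KMS on the default aws/s3 key, SSE-KMS on a CMK.
SAMPLE_BUCKETS = {
    "sse-s3-bucket": _config("AES256"),
    "kms-default-key-bucket": _config("aws:kms"),
    "kms-cmk-bucket": _config("aws:kms", "arn:aws:kms:us-east-1:111122223333:key/cmk-example"),
}

def buckets_not_on_cmk(buckets: Dict[str, Dict]) -> list:
    """Names of buckets whose default encryption is anything other than SSE-KMS with a CMK."""
    return sorted(name for name, cfg in buckets.items()
                  if classify_bucket_encryption(cfg) != "SSE-KMS/CMK")
```

Replacing the constructed stand-ins with live `get_bucket_encryption()` and `describe_key()` calls turns `buckets_not_on_cmk()` into an account-wide check; a key ARN alone does not reveal whether it is AWS managed, which is why the `KeyManager` lookup is needed.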

0

Hello,

The default S3 Key will be an encryption key managed by AWS. You do not see this type of key or even manage it in the console.

answered 2 years ago
  • What I mean is if you select SSE-KMS you will see both the AWS managed key (aws/s3) and your customer-managed keys appear in that list when you are selecting a key.
