How do I Keep My Data Secure Using Amazon S3 Encryption?

Cloud storage services allow customers to store and retrieve files on a remote, third-party server. [1] Cloud storage aims to be more cost effective and scalable than on-premises storage. When developers and system administrators decide to use cloud storage services, they should ask themselves how files are kept confidential, both over the Internet as they travel to cloud storage and once they are stored.

Data in “transit” is defined as all data that is transferred between the client and server. Data in transit can be considered secure if cryptography is used to protect its confidentiality and integrity as it is sent over the Internet. [2] The Transport Layer Security (TLS) protocol is an industry-standard and turnkey way to ensure the integrity and confidentiality of the data in transit.

Data at “rest” is defined as all data that is stored or saved on a storage medium, such as a hard drive or solid-state disk. Data at rest can be secure if it is protected using strong encryption, where strong encryption is defined as encryption that cannot be attacked without performing computationally expensive tasks over an infeasible amount of time. [2] Encryption of information at rest is not as standardized as encryption of information in transit. It is important that cloud customers understand all of the problems and nuances that need to be addressed in ordered to successfully secure information at rest.

When employing encryption at rest, consider the following:

  1. What is the algorithm used to encrypt the data?
  2. How strong is the key that is used to encrypt the data?
  3. How often does the key get rotated?
  4. Where is the key stored?
  5. How is the key stored?
  6. Who has access to the key?

Implementations of cloud storage encryption at rest use different designs that present a trade-off between meeting the goals above in an ideal way versus ease of deployment, development, and management. Amazon Simple Storage Service (S3) offers two methods of encryption at rest: one designed to provide high security and fine-grained control over issues 1–6, and one designed to be easy to use. Both methods ultimately employ AES to encrypt data; the difference lies in where the encryption and decryption happens and who is responsible for generating and managing keys.

In client-side encryption, encryption and decryption occur locally within the AWS SDK. Developers can either use an auto-generated key, managed by Amazon through its AWS KMS Managed Customer Master Key, or they can use and manage their own keys. [3] Manual key management, while tedious, is the best option because it avoids sharing the encryption keys with Amazon. The downside of client-side encryption is that the client machine must have the AWS SDK installed in order to decrypt the content; in particular, pre-signed URLs cannot be used to transparently deliver S3 content to a web browser once client-side encryption is employed, as the AWS SDK is not present in a browser environment.

In server-side encryption, encryption and decryption occur on Amazon S3 servers. Server-side encryption can be deployed with three types of key management, which are (in increasing difficulty): [4]

  • Amazon S3-managed keys — Upon uploading a file, the client passes an extra HTTP header by simply requesting that the content be encrypted at rest. The content is automatically decrypted whenever it is downloaded; in fact, when downloading, the client does not even need to know whether the file was encrypted or not.
  • AWS KMS-managed keys - This is similar to S3-managed keys, but Amazon provides the customer with control over the master key used to protect per-file encryption keys.
  • Customer-provided keys - The client passes a file’s encryption key to the server with each request to upload or download it. The server uses the key to perform the encryption/decryption and then throws the key away.

The problem with using server-side encryption is that the users have to inherently trust Amazon with their keys, as they are sent to the server. By possessing the key, Amazon has the ability to view the information it is encrypting. If users want to keep their data confidential and out of the hands of any other entities—even Amazon—they will have to encrypt their data prior to uploading it to Amazon S3.

In summary, when users decide to use one of the encryption at rest features provided by Amazon S3, they need to be aware that Server Side Encryption means that they trusting Amazon with full access to the unencrypted data they are trying to protect from adversaries. If they rely on client-side encryption to prevent Amazon from having this ability, they must be sure to use and manage their own encryption/decryption keys.


  1. What is cloud computing?
  2. Regulations and Standards: Where Encryption Applies
  3. Protecting Data Using Client-Side Encryption
  4. Protecting Data Using Server-Side Encryption

Additional Information

Readers interested in further details about this topic can reach us at: