S3, IAM, CloudFront, Storage Gateway
Encryption in rest
SSE-S3
- encryption using keys handled & managed by S3
- object is encrypted server side
- AES-256 encryption type
- set header
"x-amz-server-side-encryption": "AES256"
SSE-KMS
- encryption using keys handled & managed by KMS
- KMS Advantages: user control + audit trail
- object is encrypted server side
- set header
"x-amz-server-side-encryption": "aws:kms"
SSE-C
- encryption using keys handled & managed by client